Home
Search results “Iso 27001 cryptographic controls policy definition”
Cryptography, Cryptographic Security Controls & Cryptography Security Techniques Explained
 
16:57
Thanks For Watching This Video, I Hope You Must Have Liked It. If yes then please hit the subscribe button as I will be uploading a lot of IT security related training videos on this channel and if you will be my subscriber then you my friend will be the first one who will be notified about all my new videos my friend. If you have any questions for the topic that I have discussed in this video then please feel free to comment my friend and I will be happy to respond back to your queries... Please note that - all ISO 27001 documents and standards are completely owned intellectual property & copyright of ISO. So in case if by any chance you are interested to study more about the standard that I have discussed here then please go to the official ISO website in order to purchase the standards. This channel is only created to generate awareness and best practices for Information Security in general and if by any chance you wish to implement any of the standards that I have discussed here then you have to first purchase them from official ISO website. This channel is only created to help anyone who is currently studying or planning to study about ISMS Information Security Management System ISO 27001 Implementation. I want to make my contribution in the information security community.This channel is only created to generate awareness and best practices for Information Security in general. Disclaimer: Since ISO 27001 is a very vast topic and the implementation varies for all organization's so I can't ever call myself an "expert" in this field, all the knowledge and information that I am sharing here is only based upon my past experience in information security field and may not be directly applicable within your organization as such. So please use your judgement before implementing anything based upon my suggestions. I request you not to rely on anything that I say here, I do my best to be as accurate and as complete information that I can provide you “but” only the published standards are definitive. Only the published ISO standards stand above any information that I have shared in any of my videos. Thanks, Your IT Security Friend Luv Johar Website : http://aajkatech.com/ iso 27001 explained, iso 27001 awareness trainings, iso 27001 free trainings online, Iso 27001 free tutorials, ISO 27001 training material free, lead auditor free training course, lead implementer free training course, ISMS training free, information security management system training free,
ISO 27002 - Control 18.1.5 - Regulation of Cryptographic Controls
 
01:09
This is control number 111 out of 114 controls of the ISO 27002 standard.
Views: 273 Ultimate Technology
ISO 27002 - Control 14.1.1 - Information Security Requirements Analysis and Specifications
 
01:47
This is control number 78 out of 114 controls of the ISO 27002 standard.
Views: 663 Ultimate Technology
03 - Security Fundamentals - Understanding Security Policies
 
27:57
03 - Hear about security policies and how they may work in an organization. See how policies provided by Group Policy can prevent unauthorized access to an organization's resources.
Views: 3407 RG Edu
1.3 Information Security Laws and Standards
 
10:20
Ethical hacker training course Module1 – Introduction to Hacking, Section 1.3 Information Security laws and standards Information security or InfoSec The practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information Security Laws and Standards • Payment Card Industry Data Security Standard (PCI-DSS) • ISO/IEC 27001:2013 • Health Insurance Portability and Accountability Act (HIPAA) 1996 • Sarbanes Oxley Act (SOX) 2002 • The Digital Millennium Copyright Act (DMCA) 1998 • Federal Info Security Management Act (FISMA) 2002 • Cyber Laws • IT Act 2000 in India. Payment Card Industry Data Security Standard (PCI-DSS) Information security standard for organizations that handle branded credit cards from the major card schemes. www.pcisecuritystandards.org The PCI Data Security Standard specifies - Twelve requirements for compliance, - Organized into six groups called control objectives. ISO/IEC 27001:2013 • Information security standard published by joint ISO and IEC sub committee. • It has 114 controls in 14 groups and 35 control objectives. • Specification for ISMS The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States Congress in 1996. It has been known as the Kennedy–Kassebaum Act or Kassebaum–Kennedy Act after two of its leading sponsors. The Act consists of 5 Titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts, Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies. Sarbanes Oxley Act (SOX) 2002 More commonly called Sarbanes–Oxley, Sarbox or simply SOX • To prevent accounting fraud and to protect investors. • US Federal law • Named after Sarbanes and Oxley The Digital Millennium Copyright Act (DMCA) is a United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO), became law in 1998. • It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures (commonly known as digital rights management or DRM) that control access to copyrighted works. The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 • The act recognized the importance of information security to the economic and national security interests of the United States. Cyber Laws in India enforced by • Ministry of Electronics & Information Technology, Govt. of India • They provide legal recognition to electronic documents and a framework to support e-filing and e-commerce transactions and also provides a legal framework to mitigate, check cyber crimes. Resource links. • http://meity.gov.in/content/cyber-laws • Information Technology Act 2000(IT Act 2000) • http://164.100.94.102/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks. US Federal law and world wide IT age countries made strict laws to control fraud. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber-attacks. - Cyber-security measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption and strong login passwords. There have been attempts to improve cybersecurity through regulation and collaborative efforts between government and the private-sector to encourage voluntary improvements to cybersecurity. UNCTAD.org | Cybercrime Legislation Worldwide http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Cybercrime-Laws.aspx
Views: 1163 CBTUniversity
PCI Requirement 3.6.7 Prevention of Unauthorized Substitution of Cryptographic Keys
 
02:12
Do your due diligence to create strong keys and protect the unauthorized substitution of cryptographic keys. Your organization must have the appropriate controls in place to prevent unauthorized key substitution. PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.” If your organization does not have policies, procedures, and standards documenting how your encryption solution does not accept substitution keys from unauthorized sources, you are giving malicious individuals an opportunity to decrypt your data. Assessors will examine your procedures to ensure that they outline a specific process to prevent unauthorized key substitution. The responsible personnel should also be interviewed to ensure they know and implement this process. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-7-prevention-unauthorized-substitution-cryptographic-keys/ Video Transcription Within your encryption program, part of your key management program is doing your due diligence around creating a strong key (wherever you’re storing it), preventing individuals from getting unauthorized access to that, and rotating your key on a periodic basis that you’ve defined as your cryptoperiod. When we get to 3.6.7, we want to make sure that you have a process in place to prevent unauthorized key substitution. The reason for this is, let’s say I’m Hacker Joe and you have really great encryption processes and programs, but if I am able to implement my own key into your environment and encrypt the data with my key, when I get access to that data, I can surely decrypt it. It’s required that you have controls in place to prevent the unauthorized substitution of cryptographic keys. From an assessment perspective, we’re going to be once again looking at policies, procedures, and standards around this. We’re going to be looking at how you’ve actually implemented these controls, whether this be access controls or by any other means that you’re doing this. Understand that simply compiling the encryption keys into the source code does not necessarily mean that you’ve met this requirement. It might be a plethora of things. Protect the unauthorized substitution of your encryption keys. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 174 KirkpatrickPrice
The Basic Information Security Policy
 
03:02
Most companies have, or should have, a basic Information Security Policy. It serves many purposes, whether it is in depth, full of rules, controls and standards or NOT. I'm going to share some of the purposes for the Basic Information Security Policy: 1.It serves as a baseline for all your other security policies, by establishing what you hold important for security rules or domains. 2. It is the first teaching tool for new employees, contractors and consultants. 3.In the Sales process, it is one of the most requested documents from potential customers looking to see how you practice security in your company (do you take the same things seriously that they do NOT the how but the WHAT you take seriously). 4. It is the 1st policy or group of policy instructions required by almost every compliance or regulatory organization. So, what do you need to do: 1. Establish the topics, domains, control families, or principles your company and its customers care about. Rank them 1 through 20 or so. These would be things like access controls, passwords, badges, firewalls, acceptable use of your laptop, etc. 2. Make a statement about WHAT you care about like "passwords shall be complex and not easily guessable or crack-able (you do know there are software and algorithms to crack passwords?) or Access, to our critical systems, shall only be granted on a need to know and approved basis." 3. Compare the statement to any regulations or compliance you or your customers care about, or have to be compliant with. 4. Update it appropriately. 5. Gain agreement with Senior staff. 6. Make it a policy. 7. Teach your employees that it's a policy and ensure they follow through! Now, anywhere along the way, if you need assistance or this doesn't make sense to you, reach out to ADHERE. We're experts on helping you establish policies that are appropriate! Rauchus by Twin Musicom is licensed under a Creative Commons Attribution license (https://creativecommons.org/licenses/...) Artist: http://www.twinmusicom.org/
Views: 350 ADHERE Inc.
ISO 27002 - Control 13.1.3 - Segregation in Networks
 
01:14
This is control number 73 out of 114 controls of the ISO 27002 standard.
Views: 478 Ultimate Technology
ISO 27002 - Control 8.3.2 - Disposal of Media
 
01:15
This is control number 24 out of 114 controls of the ISO 27002 standard.
Views: 524 Ultimate Technology
PCI Requirement 6.5.8 – Improper Access Control
 
01:14
Learn more at https://kirkpatrickprice.com/video/pci-requirement-6-5-8-improper-access-control/ PCI Requirement 6.5.8 states that your organization’s applications are protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions. PCI Requirement 6.5.8 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise. The PCI DSS outlines four types of improper access control. Insecure direct object references occur when a developer exposes a reference to an internal implementation object as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. Failure to restrict URL access can prohibit an application from protecting sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. Directory traversal could be enumerated or navigated by an attacker, thus gaining access to unauthorized information as well as gaining further insight into the workings of the site for later exploitation. Failure to restrict user access to functions permits access to unauthorized functions, which could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources. In order to comply with PCI Requirement 6.5.8, your organization’s policies and procedures must address proper authentication of users, sanitizing input, not exposing internal object references to users, and user interfaces that do not permit access to unauthorized functions. To verify your compliance with PCI Requirement 6.5.8, an assessor review these policies and procedures and interview the responsible personnel to ensure that your development process protects your applications from improper access control. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 128 KirkpatrickPrice
Security policies and legal statements
 
02:01
In employment, we are all reminded of our security obligations, having to agree and sign up to various legal statements and confidentiality agreements. But do you find these of any use? Are they effective for anything other than when your boss wants to discipline you? www.j4vv4d.com Twitter: @j4vv4d Facebook Page: J4vv4D
Views: 586 J4vv4D
ISO 27001 Training ISO 27000 family of standards ISO 27000 series of standards explained
 
11:04
ISO 27001 Training ISO 27000 family of standards ISO 27000 series of standards explained ISO 27001 Training Videos & ISO 27001 Certification Videos ISO/IEC 27001 Thanks For Watching This Video, I Hope You Must Have Liked It. If yes then please hit the subscribe button as I will be uploading a lot of IT security related training videos on this channel and if you will be my subscriber then you my friend will be the first one who will be notified about all my new videos my friend. If you have any questions for the topic that I have discussed in this video then please feel free to comment my friend and I will be happy to respond back to your queries... Please note that - all ISO 27001 documents and standards are completely owned intellectual property & copyright of ISO. So in case if by any chance you are interested to study more about the standard that I have discussed here then please go to the official ISO website in order to purchase the standards. This channel is only created to generate awareness and best practices for Information Security in general and if by any chance you wish to implement any of the standards that I have discussed here then you have to first purchase them from official ISO website. This channel is only created to help anyone who is currently studying or planning to study about ISMS Information Security Management System ISO 27001 Implementation. I want to make my contribution in the information security community.This channel is only created to generate awareness and best practices for Information Security in general. Disclaimer: Since ISO 27001 is a very vast topic and the implementation varies for all organization's so I can't ever call myself an "expert" in this field, all the knowledge and information that I am sharing here is only based upon my past experience in information security field and may not be directly applicable within your organization as such. So please use your judgement before implementing anything based upon my suggestions. I request you not to rely on anything that I say here, I do my best to be as accurate and as complete information that I can provide you “but” only the published standards are definitive. Only the published ISO standards stand above any information that I have shared in any of my videos. Thanks, Your IT Security Friend Luv Johar Website : http://aajkatech.com/ iso 27001 explained, iso 27001 awareness trainings, iso 27001 free trainings online, Iso 27001 free tutorials, ISO 27001 training material free, lead auditor free training course, lead implementer free training course, ISMS training free, information security management system training free,
Risk Assessment - CompTIA Security+ SY0-501 - 5.3
 
09:29
Security+ Training Course Index: http://professormesser.link/sy0501 Professor Messer’s Course Notes: http://professormesser.link/501cn Frequently Asked Questions: http://professormesser.link/faq - - - - - What risks can affect your organization, and what kind of impact will they have? In this video, you’ll learn about the importance of risk assessment. - - - - - Subscribe to get the latest videos: http://professormesser.link/yt Calendar of live events: http://www.professormesser.com/calendar/ FOLLOW PROFESSOR MESSER: Professor Messer official website: http://www.professormesser.com/ Twitter: http://www.professormesser.com/twitter Facebook: http://www.professormesser.com/facebook Instagram: http://www.professormesser.com/instagram Google +: http://www.professormesser.com/googleplus
Views: 19505 Professor Messer
ISO 27002 - Control 9.3.1 - Use of Secret Authentication Information
 
02:02
This is control number 34 out of 114 controls of the ISO 27002 standard.
Views: 742 Ultimate Technology
PCI Requirement 3.6.6 Using Split Knowledge & Dual Control
 
03:02
PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.” What is split knowledge? The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key.” What is dual control? The PCI DSS defines dual control as, “Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.” Why use both? Although PCI Requirement 3.6.6 confuses many assessors and clients, both split knowledge and dual control must be used to comply with this requirement. The PCI DSS explains, “Split knowledge and dual control of keys are used to eliminate the possibility of one person having access to the whole key. This control is applicable for manual key-management operations, or where key management is not implemented by the encryption product.” If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-6-using-split-knowledge-dual-control/ Video Transcription If you’re using a clear text key management program in order to create your encryption keys, it’s required that you use split knowledge and dual control. This is one requirement that many assessors have gotten wrong for many years, including myself. This is one requirement that we see a lot of clients struggle to understand. Taking an encryption key and splitting it in half (giving half to one person and half to another), is not split knowledge and dual control. It might be dual control, but it’s not split knowledge. When we look at the definition of split knowledge and dual control, dual control means that it takes more than one individual to create this key rotation ceremony. When we look at split knowledge, it says that when we create the key, no one individual has any knowledge of the resulting key. Where you take these two key halves and one person gets one half and another person gets the other half, that one individual only knows what their half of that key is. If you are developing or using a clear text key management program, what we recommend that you do is have some “X, or…” process. You have Key Custodian A and Key Custodian B that has, if you’re going to create an 128 bit key, each individual has 128 bits of a key seed. Those two individuals come together and input their key into their application or their key seed into the application. The application then goes through a process of “X, or…” those two values together, then outputs the encryption key that nobody knows. If this is a struggle for you or you need a better understanding of what clear text management program looks like, give me a call or talk to your assessor – they’ll be more than happy to help you understand what a clear text management program really looks like. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 641 KirkpatrickPrice
PCI Requirement 3.5 Document & implement procedures to protect keys
 
02:31
PCI Requirement 3.5 requires that your organization not only has a documented key management program, but that the key management program is implemented and in use. If an unauthorized individual were to gain access to your encryption/decryption keys, they will be able to decrypt your keys. To comply with PCI Requirement 3.5, your organization must have implemented documentation related to preventing unauthorized access to keys. The PCI DSS explains, “The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the key-encrypting keys require strong protection measures.” If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-5-document-implement-procedures-protect-keys/ Video Transcription If your organization has implemented encryption as a means for rendering your cardholder data unreadable, we need to marry that with a program around managing your keys. So, we have to establish policies and procedures around that. Looking at Requirement 3.5, it states that you have to have a program in place that’s documented to prevent unauthorized access to these keys. Understand that if someone gains access to your encryption/decryption keys, they likely have keys to your kingdom. You see a lot of the hacks that have happened in years past, these organizations had encryption enabled (or at least they thought they had decent encryption enabled), and yet hackers were still able to remove the data from that environment. If you do not understand key management, one of the documents I would recommend that you view is the NIST 800-57 (there’s 3 documents - A, B, C) and have a read of those. That’ll help you to understand what are the merits and requirements around developing a good key management program. From an assessor’s perspective, we’re going to look at your key management program, everything that talks about your key rotation, your cryptoperiod, and the means and methods of how you protect unauthorized key substitution and everything that’s involved in that. So, we’re looking for documentation that supports that, we’re going to interview staff and make sure that those individuals that are defined as your “key custodian” understand that. We’re also going to look at the means and methods for how that’s actually implemented. Once again, whatever you’ve documented is what we expect to see in place and functioning. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 161 KirkpatrickPrice
PCI Requirement 3.6.1 Generation of Strong Cryptographic Keys
 
01:50
PCI Requirement 3.6.1 requires, “Generation of strong cryptographic keys.” It also requires that, “The encryption solution must generate strong keys, as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms under ""Cryptographic Key Generation."" The intent of PCI Requirement 3.6.1, according to the PCI DSS, is to “significantly increases the level of security of encrypted cardholder data.” PCI Requirement 3.6.1 is part of the 8 sub-requirements of PCI Requirement 3.6, which is meant to build your organization’s key management program because, the PCI DSS states, “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8.” We recommend that you perform a risk assessment around the generation of your cryptographic keys; this way, you can see if your keys become weakened or hold up. Industry standards, like NIST, should be used when determining how to manage and generate keys. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-1-generation-strong-cryptographic-keys/ Video Transcription If you’re using encryption within your environment, you need to use strong encryption. What this effectively means is that you need to generate strong keys. Once again, you need to be using an industry best practice for this. One of the things that I would recommend that you do as part of your risk management program, just like the annual risk assessment that you’re required to do, is that you perform somewhat of a risk assessment around the generation of your keys. If during the period of time, your encryption keys become deprecated or weakened because of some change to the industry, you must have a process for generating a new key. We’ll be talking about that in a subsequent video. Specific to PCI Requirement 3.6.1, you have to have a process in place where you’re actually generating strong keys. IF you have an HSM, that’s kind of inherent in using the HSM itself. If you have a clear text process where you’re managing or developing these keys, it needs to be done securely. I would recommend that you look at industry best practices like NIST 800-57 for that information. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 175 KirkpatrickPrice
ISO 27002 - Control 18.1.4 - Privacy and Protection of Personally Identifiable Information
 
01:18
This is control number 110 out of 114 controls of the ISO 27002 standard.
Views: 269 Ultimate Technology
What is NETWORK SECURITY POLICY? What does NETWORK SECURITY POLICY mean?
 
02:04
What is NETWORK SECURITY POLICY? What does NETWORK SECURITY POLICY mean? NETWORK SECURITY POLICY meaning - NETWORK SECURITY POLICY definition - NETWORK SECURITY POLICY explanation. Source: Wikipedia.org article, adapted under https://creativecommons.org/licenses/by-sa/3.0/ license. A network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It's a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It specifies these rules for individuals or groups of individuals throughout the company. Security policy should keep the malicious users out and also exert control over potential risky users within your organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage and whether any protection is already in place to prevent misuse. In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work. While writing the security document can be a major undertaking, a good start can be achieved by using a template. National Institute for Standards and Technology provides a security-policy guideline. The policies could be expressed as a set of instructions that could be understood by special purpose network hardware dedicated for securing the network.
Views: 2114 The Audiopedia
ISO 27002 - Control 9.1.2 - Access To Networks And Network Services
 
01:49
This is control number 27 out of 114 controls of the ISO 27002 standard.
Views: 786 Ultimate Technology
Security Policy and Enterprise Key Management To centrally Manage Encryption Keys from Vormetric
 
03:33
This is an excerpt of Vormetric's whitepaper: Simplifying IT Operations Securing and Controlling Access to Data Across the Enterprise. http://www.Vormetric.com/key82 .The whitepaper outlines the challenges of enterprise key management and details ways to minimize the risk. This whitepaper from Vormetric on Key management strategy strives to provide the reader with an understanding, of the importance of encryption key management and of its evolution. Additionally, understanding that companies today require actionable information, the paper provides the reader with a set of criteria for encryption key management as well as an understanding of the challenges that may be faced. This is followed by a review of the recent industry initiatives and compliance regulations that are shaping the future of key management strategy. Lastly, the paper describes Vormetric's Key Management, a component of the Vormetric Data Security product family. According to the whitepaper, encryption key management should meet four primary criteria: 1. Security -- In implementing a comprehensive data security strategy, organizations are well - advised to consider the security of the encryption keys. Where are they stored and how are they protected? Improper key management means weak encryption, and that can translate into vulnerable data. 2. Availability -- In addition to being secure, the keys must ensure that the data is available when it is needed by the system or user. Key management practices that add complexity can decrease availability or add overhead to the network. That results in damage to the over efficiency of the network. 3. Scalability and Flexibility -- Growth and change are inevitable in an organization. The key management solution should be able to address heterogeneous, distributed environments so as not to hamper either growth or change. 4. Governance and Reporting -- Reporting is essential to proper institutional governance. Often, third party entities (be they customers or regulatory authorities) will request, and in some cases mandate, proper governance and reporting of key management. That means implementing and enforcing things like separation of duties, authorization process and key lifecycle management.
Views: 1701 Vormetric
PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion
 
04:31
Encryption keys have a lifespan. PCI Requirement 3.6.4 states, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.” Cryptoperiods are a major topic when discussing key management. So, what exactly is a cryptoperiod? A cryptoperiod is not period of time, like a month, week, or year. Rather, a cryptoperiod represents the number of transactions that a key is valid for. There are multiple factors that define a cryptoperiod. For example, key length, key strength, algorithms, exposure – all of these elements factor in. The result of these factors is the cryptoperiod. Watch this clip of Jeff Wilder explaining cryptoperiods to hear more about PCI Requirement 3.6.4. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-4-cryptographic-key-changes-cryptoperiod-completion/ Video Transcription When developing these keys and put them into production, understand that the encryption keys that you’re using have a given lifespan. When we specifically look at the requirements within 3.6, it states that you must rotate the keys at the end of their defined cryptoperiod. So if you’re using encryption in your environment, your assessor should be asking what your defined cryptoperiod is. Once again, it’s not up to us as assessors to define what your cryptoperiod is, but it is up to us to determine if you’ve done your due diligence around the time period that you use your key. If I come in to assess your organization and I say, “Hey Johnny, what is your cryptoperiod?” and you say, “Well Jeff, our cryptoperiod is every year and we rotate the key then,” I might say then, “Fine, that’s great. How did you define your cryptoperiod to be a year?” If you answer, “Just because that’s what’s done,” or “That’s the way it’s always been done,” isn’t typically enough. Understand that a cryptoperiod does not necessarily define a period of length. A cryptoperiod is not a month, a week, a year, three years, six years, whatever. A cryptoperiod is typically a number of transactions that a key is good for. So as to give an example, you need to take in multiple factor. I would recommend that you do some Google-searching on defining a cryptoperiod. But effectively what we’re going is we’re taking the key strength, the key length, the encryption algorithm that we’re using, the exposure to the key – there’s multiple variables that go into defining what a cryptoperiod is. So, we kind of take all of these numbers and we crunch them and the output of that is not a month, a year – it’s a number of transactions. The output of your numbers might say, “This encryption algorithm key that we have is good for a thousand transactions,” or it might be good for one transaction, or it might be good for a million transactions. So now that we have the number of transactions that the key is good for, then we have to look at how many transactions you process in a year. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 174 KirkpatrickPrice
ISO 27002 - Control 9.4.4 - Use of Privileged Utility Programs
 
00:55
This is control number 38 out of 114 controls of the ISO 27002 standard.
Views: 848 Ultimate Technology
what is encryption? and why would I need encryption? Importance Of Encryption ISO 27001 Training
 
03:20
Thanks For Watching This Video, I Hope You Must Have Liked It. If yes then please hit the subscribe button as I will be uploading a lot of IT security related training videos on this channel and if you will be my subscriber then you my friend will be the first one who will be notified about all my new videos my friend. If you have any questions for the topic that I have discussed in this video then please feel free to comment my friend and I will be happy to respond back to your queries... Please note that - all ISO 27001 documents and standards are completely owned intellectual property & copyright of ISO. So in case if by any chance you are interested to study more about the standard that I have discussed here then please go to the official ISO website in order to purchase the standards. This channel is only created to generate awareness and best practices for Information Security in general and if by any chance you wish to implement any of the standards that I have discussed here then you have to first purchase them from official ISO website. This channel is only created to help anyone who is currently studying or planning to study about ISMS Information Security Management System ISO 27001 Implementation. I want to make my contribution in the information security community.This channel is only created to generate awareness and best practices for Information Security in general. Disclaimer: Since ISO 27001 is a very vast topic and the implementation varies for all organization's so I can't ever call myself an "expert" in this field, all the knowledge and information that I am sharing here is only based upon my past experience in information security field and may not be directly applicable within your organization as such. So please use your judgement before implementing anything based upon my suggestions. I request you not to rely on anything that I say here, I do my best to be as accurate and as complete information that I can provide you “but” only the published standards are definitive. Only the published ISO standards stand above any information that I have shared in any of my videos. Thanks, Your IT Security Friend Luv Johar Website : http://aajkatech.com/ iso 27001 explained, iso 27001 awareness trainings, iso 27001 free trainings online, Iso 27001 free tutorials, ISO 27001 training material free, lead auditor free training course, lead implementer free training course, ISMS training free, information security management system training free,
ISO 27001 Checklist - Clause 10.1 - Nonconformity and corrective action - 53 checklist Questions
 
04:13
Prepared by Industry Experts, ISO 27001 Checklist on compliance of the requirements on ‘Nonconformity and corrective action’ covers Clause 10.1. To obtain your copy of the ISO 27001 Checklist, click on the url link below:- https://www.isocertificationtrainingcourse.org/online-store/ISO-27001-Checklist-ISO-27001-Audit-Checklist-ISO-27001-Compliance-checklist-c28241136
SOC 2 Academy: Access Controls for Remote Employees
 
02:18
Learn more at https://kirkpatrickprice.com/video/soc-2-academy-access-controls-remote-employees/ Complying with common criteria 6.7 means different things for different organizations depending on their environment. For instance, if your employees work in an office building, implementing and maintaining procedures for transmitting, moving, and removing data might be easier because of the lack of removable media in use. However, because so many organizations are opting to hire remote employees, implementing procedures for transmitting, moving, and removing data can be more difficult, which is why we suggest that organizations implement access controls, along with these five best practices for remote employees: 1. Use security awareness training 2. Establish thorough usage policies 3. Create effective password and encryption policies 4. Monitor Internet connections 5. Ensure devices and applications are updated Employing remote personnel has many benefits, but they also create additional threats that must be accounted for. When an organization is pursuing SOC 2 compliance, it’s critical that they mitigate these risks by using access controls in addition to these best practices for remote employees. Doing so allows organizations to safeguard their business from potential breaches, demonstrate to clients that their data is protected, and provides peace of mind that the procedures for transmitting, moving, and removing sensitive information remotely is secure. If you’re unsure if you’ve implemented access controls for remote employees, consider the following scenario. Let’s say that your remote employee leaves their laptop containing sensitive information in their rental car and is unable to recover the device. Do you have a GPS tracker on the device to locate it? Do you have the ability to wipe the device remotely? Are you able to restrict access to the device? It’s far too common for a situation like this to occur, which is why it’s necessary for SOC 2 compliance that organizations implement access controls for remote employees and their mobile devices. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 43 KirkpatrickPrice
PCI Requirement 3.6.2 Secure Cryptographic Key Distribution
 
01:29
PCI Requirement 3.6.2 states, “Secure cryptographic key distribution.” Whether it’s placing tamper-proof or tamper-evident packaging on trackable packages or tracking data that you’ve transmitted electronically, any method that your organization is using to transmit keys needs to be done securely. Whether it’s moving keys from generations into production state or to backup, any method that your organization us using to transmit keys needs to be done securely. To further explain what it means to securely transmit keys, the PCI DSS also states, “The encryption solution must distribute keys securely, meaning the keys are distributed only to custodians identified in 3.5.1, and are never distributed in the clear.” If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-2-secure-cryptographic-key-distribution/ Video Transcription When moving the keys from the point of generation into a production state, or perhaps moving these keys to a place of redundancy or backup, the transmission of these keys needs to be done securely. This could be done on Sneakernet, where you physically walk them on a thumb drive. If you’re going to be transmitting them over mail, those particular packages need to be trackable and need to be tramper-proof or have tamper-evident packaging. If you’re going to be emailing them or transmitting them electronically, the data-encrypting key needs to be encrypted with a key-encrypting key that’s equally as strong. In short, 3.6.2 requires that you transmit keys securely, however you’re doing that. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 124 KirkpatrickPrice
PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties
 
01:12
Learn more at https://kirkpatrickprice.com/video/pci-requirement-4-3-ensure-security-policies-procedures-known-affected-parties/ PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.” We’ve covered cryptography standards, wireless networks, end-user messaging technologies to help prepare you to meet this requirement. Complying with PCI Requirement 4 will help prevent your organization from being a target of malicious individuals who exploit the vulnerabilities in misconfigured or weakened wireless networks. But it’s not enough just to learn and talk about these things; all policies, procedures, and standards must be implemented in order to comply with PCI Requirement 4 and to securely transmit cardholder data. Requirement 4.3 states, “Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures need to be known and in use by all relevant parties. Your personnel must be living out what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties use the policies and procedures. It is not sufficient that you generate documentation just for the sake of the audit. Your assessor should be reading these documents, familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and procedures understands what they are. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 79 KirkpatrickPrice
PCI Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel
 
01:05
Learn more at https://kirkpatrickprice.com/video/pci-requirement-12-maintain-policy-addresses-information-security-personnel/ We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.” This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees. In order to create a strong information security policy, PCI Requirement 12 demands that many elements be included, such as: risk assessment process, usage policies, lists of devices and personnel with access to them, defined authentication methods, acceptable network locations, remote-access rules, executive management responsibilities, security awareness program, personnel training requirements, vendor compliance management, incident response program, alerts from security monitoring systems, and documentation of review process. After implementing the other 11 PCI requirements, you’ve finally moved past the technology aspect of PCI. Now, we’re defining how your organization will manage your information security program. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 68 KirkpatrickPrice
Simplify your GDPR compliance journey with Compliance Manager
 
28:53
Compliance Manager helps you assess manage your compliance stature across Microsoft Cloud services for GDPR, ISO 27001, ISO 27018, NIST 800-53, NIST 800-171, and HIPAA. Learn more: https://aka.ms/cmwhitepaper
Views: 1848 Microsoft Office 365
PCI Requirement 5.2 – Ensure Anti-Virus Mechanisms are Current, Perform Scans, & Generate Audit Logs
 
04:20
Learn more at https://kirkpatrickprice.com/video/pci-requirement-5-2-ensure-anti-virus-mechanisms-current-perform-periodic-scans-generate-audit-logs/ Because the threat landscape is constantly evolving, you must keep your organization’s malware protection abreast. PCI Requirement 5.2 exists to, “Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7.” Your organization’s anti-virus solution must be kept current. Every day, new types of malware are created and new definitions are released, so your organization needs to stay up-to-date. Your definitions for malware and the scanning engine itself should be current. The PCI DSS’ reason for this is, “Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections.” The anti-virus solution that you have in place should perform scans periodically. It is not the assessor’s job to define what “periodically” is for your environment, but generally, we’re looking to see that you have business justification for when you’re running scans. Ideally, you should be running it every day or in real time. We understand that there are some situations when you can’t always run it every day; but, it’s not acceptable to shut off the anti-virus solution just because it’s inconvenient. According to PCI Requirement 5.2, your anti-virus solution should generate audit logs in accordance with PCI Requirement 10.7, which states, “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” The PCI DSS further explains, “Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.” If there is malware in your environment, your staff should see it because it should show up in a log that is periodically reviewed. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 124 KirkpatrickPrice
PCI Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know
 
01:07
Learn more at https://kirkpatrickprice.com/video/pci-requirement-7-restrict-access-cardholder-data-business-need-know/ PCI Requirement 7 focuses on establishing access into your organization’s cardholder data environment through the lens of business need to know. PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. There’s nothing wrong with granting someone access to the CDE and the PCI DSS does not define which personnel should receive access. If access is required for a job, grant it. The PCI DSS, though, does define “need to know” as, “…when access rights are granted to only the least amount of data and privileges needed to perform a job.” In this set of PCI Requirement 7 videos, we will discuss the systems and processes that must be in place to limit access based on business need to know. We will cover the following PCI Requirement 7 sub-requirements: 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.1, 7.2.2, 7.2.3, 7.3. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 146 KirkpatrickPrice
Public Key, Private Key, Symmetric Cryptography and Asymetric Cryptography ISO 27001 Training
 
02:26
Thanks For Watching This Video, I Hope You Must Have Liked It. If yes then please hit the subscribe button as I will be uploading a lot of IT security related training videos on this channel and if you will be my subscriber then you my friend will be the first one who will be notified about all my new videos my friend. If you have any questions for the topic that I have discussed in this video then please feel free to comment my friend and I will be happy to respond back to your queries... Please note that - all ISO 27001 documents and standards are completely owned intellectual property & copyright of ISO. So in case if by any chance you are interested to study more about the standard that I have discussed here then please go to the official ISO website in order to purchase the standards. This channel is only created to generate awareness and best practices for Information Security in general and if by any chance you wish to implement any of the standards that I have discussed here then you have to first purchase them from official ISO website. This channel is only created to help anyone who is currently studying or planning to study about ISMS Information Security Management System ISO 27001 Implementation. I want to make my contribution in the information security community.This channel is only created to generate awareness and best practices for Information Security in general. Disclaimer: Since ISO 27001 is a very vast topic and the implementation varies for all organization's so I can't ever call myself an "expert" in this field, all the knowledge and information that I am sharing here is only based upon my past experience in information security field and may not be directly applicable within your organization as such. So please use your judgement before implementing anything based upon my suggestions. I request you not to rely on anything that I say here, I do my best to be as accurate and as complete information that I can provide you “but” only the published standards are definitive. Only the published ISO standards stand above any information that I have shared in any of my videos. Thanks, Your IT Security Friend Luv Johar Website : http://aajkatech.com/ iso 27001 explained, iso 27001 awareness trainings, iso 27001 free trainings online, Iso 27001 free tutorials, ISO 27001 training material free, lead auditor free training course, lead implementer free training course, ISMS training free, information security management system training free,
PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data
 
01:47
Learn more at https://kirkpatrickprice.com/video/pci-requirement-7-1-limit-access-system-components-cardholder-data/ We’ve discussed least privileges before (See PCI Requirements 2.2.2 and 3.1) and the concept of, “If you don’t need it, get rid of it.” PCI Requirement 7.1 also follows this idea. PCI Requirement 7.1 states, “Limit access to system components and cardholder data to only those individuals whose job requires such access.” If someone’s job needs access to function, grant it. But if they can function without it? Deny access. Implementing PCI Requirement 7.1 within your organization further protects cardholder data. The PCI DSS states, “The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.” During a PCI assessment, an assessor will ask for a list of all job roles within your organization and the responsibilities that fall under each job. An assessor will question which data each job has access to, and why this data is essential to their job. Your organization’s policies and procedures will also be examined to determine compliance with PCI Requirement 7.1. Policies and procedures for access control should incorporate the four sub-requirements of PCI Requirement 7.1. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 83 KirkpatrickPrice
PCI Requirement 10.1 – Implement Audit Trails to Link all Access to System Components
 
01:00
Learn more at https://kirkpatrickprice.com/video/pci-requirement-10-1-implement-audit-trails-to-link-all-access-to-system-components-to-each-individual-user/ PCI Requirement 10.1 is a pretty straightforward requirement. It states, “Implement audit trails to link all access to system components to each individual user.” This means that everything in scope should have logging enabled to enable organizations to track suspicious activity back to a specific user. To verify compliance with PCI Requirement 10.1, an auditor will observe and interview a system administrator to see that audit trails are enabled and active for system components and access to system components is linked to individual users. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 91 KirkpatrickPrice
PCI Requirement 3.3 Mask PAN when Displayed
 
03:02
PCI Requirement 3.3 relates to displaying PAN, or primary account number. The PAN is the defining factor for cardholder data. Personnel without a legitimate business need should never see more than the first six and last four digits of thee PAN. Making PAN when displayed minimizes the chance that an unauthorized or malicious individual could gain access to PAN and use it fraudulently. Watch now to learn from Jeff Wilder, director of PCI Services at KirkpatrickPrice, as he explains how to protect PAN. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-3-mask-pan-displayed/ Video Transcript: Once again, we go with the mantra of “If we don’t need it, there shouldn’t be access to it.” PCI DSS Requirement 3.3 if individuals do not need access to the full cardholder numbers, it’s expected that you mask that data. We’ll describe what that looks like in a few moments. As an assessor, what we’re going to be looking for is an inventory of the individuals within your organization that would need to see the full cardholder data. It’s often believed that a database administrator, because of the nature of what they’re doing, needs to see the full cardholder data; that’s often a misnomer. Just because a database administrator is a DBA, that doesn’t necessarily grant them the permissions to view cardholder data. What we’re looking for – and this kind of marries into Requirement 7 – is the role of the individual that might be viewing this cardholder data, and understand what it is about their job or function that requires them to view the full cardholder data. In situations where the individuals do not actually need to see the cardholder data, we’re going to look to see that that information is truncated or redacted or masked in some respect. At a maximum, there should only be no more than the first 6 and last 4 characters of the cardholder data being displayed to individuals that do not need to see it. If an individual needs to see it to support their business, that’s quite alright, there’s no problem with that. From an assessment perspective, the assessor is going to look at all places where the cardholder data is displayed. You might have a call center that’s viewing cardholder data, you might be printing cardholder data for receipts – there’s multiple places where this information might be displayed. Once we’ve received that inventory, we’re going to ask to physically look at that data to see that it’s either masked or truncated. Truncated means that we’ve actually moved the data, more than the first 6 or the last 4. Masking is actually how the data is displayed. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 421 KirkpatrickPrice
PCI Requirement 6.5.2 – Buffer Overflow
 
01:49
Learn more at https://kirkpatrickprice.com/video/pci-requirement-6-5-2-buffer-overflow/ PCI Requirement 6.5 requires that your organization addresses common coding vulnerabilities in software-development processes to ensure that applications are securely developed. One of the common coding vulnerabilities associated with secure application development is buffer overflow, which is outlined in PCI Requirement 6.5.2. PCI Requirement 6.5.2 requires that your organization protects its applications from buffer overflow. The PCI DSS describes this type of vulnerability as, “Buffer overflows occur when an application does not have appropriate bounds checking on its buffer space. This can cause the information in the buffer to be pushed out of the buffer’s memory space and into executable memory space.” Buffer overflow is a vicious cycle. When buffer overflow occurs, “an attacker could insert malicious code at the end of the buffer and then push that malicious code into executable memory space by overflowing the buffer. The malicious code is then executed and often enables the attacker remote access to the application and/or infected system.” To comply with PCI Requirement 6.5.2, we recommend that when your organization develops applications, there are defined lengths within your code, you’re truncating or you’re extracting only the data that you would need for processing, and ignoring any other data. During an assessment for PCI Requirement 6.5.2, an assessor will examine your policies and procedures related to application development and interview the responsible personnel to verify that you are validating buffer boundaries and truncating input data. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 150 KirkpatrickPrice
Clear Desk Policy
 
02:34
-- Created using PowToon -- Free sign up at http://www.powtoon.com/youtube/ -- Create animated videos and animated presentations for free. PowToon is a free tool that allows you to develop cool animated clips and animated presentations for your website, office meeting, sales pitch, nonprofit fundraiser, product launch, video resume, or anything else you could use an animated explainer video. PowToon's animation templates help you create animated presentations and animated explainer videos from scratch. Anyone can produce awesome animations quickly with PowToon, without the cost or hassle other professional animation services require.
Views: 630 C Rod
PCI Requirements 3.2.1, 3.2.2 & 3.2.3 Do Not Store Tracks, Codes or PINs After Authorization
 
02:23
PCI Requirement 3.2 states that organizations should never store sensitive authentication data after authorization, unless there’s a business justification. In order to comply with PCI Requirement 3.2, your organization needs to comply with its sub-requirements as well: PCI Requirements 3.2.1, 3.2.2, 3.2.3. These requirements work together to protect track data, card verification codes, and PIN values so that a malicious individual cannot create counterfeit payment cards and fraudulent transactions. Watch now to learn from Jeff Wilder, director of PCI Services at KirkpatrickPrice, as he explains PCI Requirements 3.2.1, 3.2.2, and 3.2.3. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. https://kirkpatrickprice.com/video/pci-requirement-3-2-1-3-2-2-3-2-3-not-store-track-code-pin-authorization/ Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 313 KirkpatrickPrice
IT Security Tip #24: How to keep staff from unintentionally causing a security breach
 
01:51
With so many points of access, from cell phones to laptop and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy https://it.brown.edu/computing-policies/acceptable-use-policy http://www.getsafeonline.org/themes/site_themes/getsafeonline/download_centre/Sample_Acceptable_Usage_Policy.pdf https://www.webwise.ie/teachers/acceptable-use-policy/sample-acceptable-use-policies-2 Get Weekly IT Security Tips in your inbox (no spam): www.coleinformatics.com/tips
Views: 33 Cole Informatics
PCI Requirement 8: Identify and Authenticate Access to System Components
 
02:00
Learn more at https://kirkpatrickprice.com/video/pci-requirement-8-identify-and-authenticate-access-to-system-components/ PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your system. PCI Requirement 8 states, “Identify and authenticate access to system components.” Being able to identify each user in your system enables you to hold each user accountable for their actions. Assigning a unique identification to every user ensures that you know who’s taking which specific actions on your systems. The authentication of your system depends on effective passwords. If there are no security measures taken at the point of entry, during transmission, and while in storage, passwords will likely become susceptible to an attacker. The actions of identify and authenticate function together to protect your system components. It's important to note that the PCI DSS states PCI Requirement 8 applies to all accounts, including point-of-sale accounts, with administrative capabilities, as well as all accounts used to view cardholder data, access cardholder data, or access systems with cardholder data. This includes accounts used by vendors and other third parties, but does not apply to accounts used by consumers. However, the PCI DSS states that PCI Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 do not to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction, such as a cashier account. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 194 KirkpatrickPrice
PCI Requirement  5.1 – Deploy Anti-Virus Software on all Commonly Affected Systems
 
04:20
Learn more at https://kirkpatrickprice.com/video/pci-requirement-5-1-deploy-anti-virus-software-commonly-affected-systems/ There’s more people than you think looking to harm to your environment. We used to see viruses created just for the sake of creating viruses. Nowadays, organizations are attacked by software that is specifically written for their environment, probably by somebody that has knowledge of their environment. Your organization should take every precaution you can to prevent a potential attack; this is why PCI Requirement 5 states that all systems need to be protected from malware and regularly updated with antivirus software. Malware includes viruses, worms, and Trojans. PCI Requirement 5.1 specifically requires any system that is commonly affected by malware to have antivirus software. If you have a device that is unplugged from the network and there’s no way to get data in or out of it, that system wouldn’t be considered commonly affected. If you believe Linux systems or Apple systems are not affected by malware or already have malware solutions installed, you’ve got some work to do. Wherever you have systems that are susceptible to malware, there needs to be some type of solution implemented to prevent an attack. During the assessment, we’re looking to see you’ve done your due diligence to protect your systems. A sample of system components will be taken so that the assessor can verify that anti-virus software has been deployed wherever necessary. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 228 KirkpatrickPrice
PCI Requirement 3.5.3 Store Secret and Private Keys Used to Encrypt/decrypt Cardholder Data
 
01:47
PCI Requirement 3.5.3 works alongside PCI Requirements 3.5.1, 3.5.2, and 3.5.4 to protect keys. We don’t want to only protect your keys from unauthorized access; we want to take you a step further and prevent them from getting the information contained in the keys, even if they do happen to obtain them. An assessor will examine your procedures, system configurations, and key storage locations to verify that your organizations in protecting keys and complying with PCI Requirement 3.5.3. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-5-3-store-secret-private-keys-used-encryptdecrypt-cardholder-data/ Video Transcription Wherever you’re storing these keys, we want to make sure that the encryption keys that are being stored are protected. So not only are we asking that these keys be protected from unauthorized access, we also want to make sure that individuals (attackers or people with malintent) are prevented from getting the information contained in these keys, should they ever get custody of them. We’re going to ask that from an assessment perspective, specific to PCI Requirement 3.5.3, that these keys be rendered unreadable. You’re going to be encrypting them, you might be storing them on an HSM, or if you use split knowledge and dual controls in order to support this particular requirement, that you have means and methods to render those particular keys unreadable by anybody, should they ever get access to them. These keys should never reside in clear text in an unprotected state, ever. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 291 KirkpatrickPrice
PCI Requirement 5.3 – Ensure Anti-Virus Mechanisms are Active and Can’t be Altered
 
02:39
Learn more at https://kirkpatrickprice.com/video/pci-requirement-5-3-ensure-anti-virus-mechanisms-active-cant-altered/ Now that there is an anti-virus solution installed and running in your environment, we need to keep it that way. PCI Requirement 5.3 states, “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.” There may be situations when you need to disable the anti-virus mechanism for a very short period of time and for a very specific reason; this must be approved by management and management must understand the vulnerability associated with disabling your solution. The PCI DSS notes, “Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.” We’ve seen attacks occur when anti-virus mechanisms are shut it off. The reason could be that the mechanism is inconvenient for them or it might slow down their system; whatever the reason is, understand that it could be the gateway for a hacker to launch their attack within the rest of your environment. Your anti-virus solution should be running, it should not be disabled, and if it is disabled, there should be additional security measures in place. For example, this measure could be disconnecting the system from the Internet during the period of time when the anti-virus protection is shut off, then running a scan once it’s re-enabled. Your assessor will take inventory of your systems, examine anti-virus configurations to verify that the anti-virus solution is actively running and cannot be altered by users, question situations where/if an anti-virus solution is not running, and observe processes to ensure that the anti-virus solution cannot be shut off without management’s approval. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 79 KirkpatrickPrice
Attribute Based Encryption With Verifiable Outsourced Decryption-2013 PASS IEEE Projects
 
00:43
Ph: 0452 4243340; Mobile: 9840992340; http://pandianss.com Pandian Systems and Solutions Pvt Ltd 2nd Floor, No 393 Annanagar Main Road Indian Bank Complex Madurai - 625020, Tamil Nadu India E-Mail: [email protected], [email protected]
Views: 140 pass pandian
Securely Outsourcing Attributes Based Encryption with Checkability
 
01:03
Securely Outsourcing Attributes Based Encryption with Checkability
Views: 61 WingzTechnolo gies
PCI Requirement 2.5 - Ensure Security Policies Are Known to All Affected Parties
 
01:47
Ensure that Policies and Procedures are Documented, In Use, and Known to All Affected Parties PCI DSS Requirement 2.5 addresses one of the most important aspects of the assessment. It directs, “Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.” If vendor defaults and other security measures are not continuously managed, it’s harder to prevent insecure configurations; this is why security policies and procedures must be documented, in use, and known to all affected parties. We find that many organizations struggle with documentation, but policies and procedures are vital to your business. You need to have the processes in place to define how to complete tasks securely to ensure the ongoing operation and security of your organization. Small organizations, huge businesses – it doesn’t matter, you must ensure that policies and procedures are documented, in use, and known to all affected parties. https://kirkpatrickprice.com/video/pci-requirement-2-5-ensure-security-policies-are-known-to-all-affected-parties/ Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/   More Free Resources Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/   About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.   For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
Views: 90 KirkpatrickPrice