Learn more at https://kirkpatrickprice.com/video/pc...
Most, if not all, security programs require that you have some type of Change Control Program. At the start of our PCI Demystified journey, we discussed Change Control Programs. In PCI Requirement 6.4, this point is reiterated. PCI Requirement 6.4 states, “Follow change control processes and procedures for all changes to system components.” Your organization should have the appropriate methods to control any changes into and out of your environment. Your organization’s Change Control Program should include a documented roll-back plan, a testing phase, management’s approval, and updated documentation. The PCI DSS warns, “Without properly documented and implemented change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.”
A documented roll-back plan is crucial to your Change Control Program. This documentation should outline exactly how to roll back changes in the event that something goes wrong or there is a negative impact. All changes need to be tested to ensure there is no negative impact on the cardholder data environment. Testing the roll-back plan shows an assessor your organization’s level of maturity. Management needs to approve all aspects of the Change Control Program. Any time there is a significant change within your environment, you must ensure that all documentation is updated, including network diagrams, dataflow diagrams, and inventory lists. Until the documentation is updated, the change control should remain open.
Development and testing environments must be separate from production environments, and access controls must be in place to enforce this separation. A separation of duties must exist between the employees assigned to the development and testing environments and those assigned to the production environment. Production data (live PANs) cannot be used for testing or development, and, conversely, test data must be removed before a system or application goes into production. Change control procedures related to security patches and software modifications must be documented.
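The two data-handling rules above (no live PANs in test or development data, and test data removed before go-live) are the kind of thing a release gate can check mechanically. The following is an added example, not code from the video or from KirkpatrickPrice: it scans a constructed test fixture for card-number-shaped values, applies the Luhn check so that random digit strings such as order numbers are ignored, and flags any Luhn-valid number that is not on the team's allowlist of synthetic test PANs. Luhn alone cannot tell a live PAN from a synthetic one, so the allowlist (here two well-known public test numbers, an assumption; use the numbers your payment provider documents) is what separates the two cases. The fixture contents, the allowlist, and the function names are all constructed for this example.

```python
import re

# Constructed sample test fixture. Line 3 carries a Luhn-valid number that is
# not on the allowlist, i.e. it looks like a live PAN; line 4 is a 16-digit
# order number that fails Luhn and must not be reported.
SAMPLE_FIXTURE = """\
id=1001 pan=4111-1111-1111-1111 exp=12/29
id=1002 pan=5555555555554444 exp=01/30
id=1003 pan=4539148803436467 exp=06/28
order=1234567890123456 amount=19.99
"""

# Assumed allowlist of synthetic test PANs (public test numbers). A real team
# would load the list its acquirer or payment gateway publishes.
SYNTHETIC_TEST_PANS = frozenset({"4111111111111111", "5555555555554444"})

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which is what a finding should show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_candidate_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, normalized_digits) for every card-number-shaped token."""
    candidates = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            candidates.append((line_no, digits))
    return candidates


def scan_test_data(text: str, allowlist: frozenset = SYNTHETIC_TEST_PANS) -> list[dict]:
    """Report Luhn-valid PANs that are not known synthetic test numbers."""
    findings = []
    for line_no, digits in find_candidate_pans(text):
        if not luhn_valid(digits):
            continue                    # random digit strings are not PANs
        if digits in allowlist:
            continue                    # documented synthetic test number
        findings.append({"line": line_no, "masked": mask_pan(digits)})
    return findings


def release_gate(text: str, allowlist: frozenset = SYNTHETIC_TEST_PANS) -> bool:
    """True when the fixture is clean and the change may proceed."""
    return not scan_test_data(text, allowlist)


if __name__ == "__main__":
    for finding in scan_test_data(SAMPLE_FIXTURE):
        print(f"line {finding['line']}: possible live PAN {finding['masked']}")
    print("gate passed" if release_gate(SAMPLE_FIXTURE) else "gate FAILED")
```

Run against the sample fixture, the gate fails on line 3 and reports only a masked value, so the scanner's own output does not become another place where a full PAN is stored. The same scan, pointed at a production build artifact with the allowlist used as the list of values that must not be present, covers the reverse rule that test data is removed before go-live.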
It’s vital to follow change control processes and procedures for all changes to system components. If not, according to the PCI DSS, security features could be unintentionally or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.
Stay Connected
Twitter: / kpaudit
LinkedIn: / kirkpatrickprice-llc
Facebook: / kirkpatrickprice
More Free Resources
Blog: https://kirkpatrickprice.com/blog/
Webinars: https://kirkpatrickprice.com/webinars/
Videos: https://kirkpatrickprice.com/video/
White Papers: https://kirkpatrickprice.com/white-pa...
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/