The goal
The goal of PCI DSS Key Requirement 5 is to ensure that all relevant systems across the CDE commonly affected by malicious software remain protected at all times against known and evolving malware threats with an effective anti-malware solution, and that organizational capability to respond to malware-related incidents is continuously in place and corrective action is taken in a timely manner to prevent or contain malware contamination of the CDE.
This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations
- Technology components: This goal applies to all in-scope system components known to be affected by malware, which may include servers, employee computers, mobile computers, email systems and storage devices, including related logging, monitoring and incident response systems
- People and teams: The goal also covers the individuals and teams responsible for the deployment and monitoring of anti-malware systems and for the response to malware-related incidents, the training and education of end users who access any CDE system component, and third-party vendors that supply or support anti-malware and related security system components
Goal requirements:
Some of the primary conditions necessary to achieve the goal
- Capability—deployment: Create a standardized deployment and maintenance process capability for the anti-malware system to be installed and remain active on all in-scope system components, which includes a defined process for identifying in-scope components, i.e., systems commonly affected by malware
- Capability—anti-malware functions: Install anti-malware systems capable of detecting the various types of malicious software, including viruses, worms, Trojans, spyware, adware, ransomware, keyloggers, rootkits, malicious code, scripts and malicious links, to protect in-scope system components such as servers, employee computer systems, mobile computers, email systems and storage devices against current and evolving malware threats. The solution must include automated, regular signature and engine updates and must generate alerts
- Capability—automation and monitoring: Standardize and automate the deployment and maintenance of anti-malware systems. Particularly in large environments, enforce through automation that anti-malware cannot be disabled or altered without management approval, and automate the detection of, and alerting on, any in-scope component on which the anti-malware system is inactive or out of date
- Capability—detection and response: Integrate anti-malware systems, network access control (NAC) systems and a centralized security information and event management (SIEM) system for the aggregation of security log data across CDE for normalization, analysis and effective monitoring and response
- Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Internally monitor and report adherence to procedures
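As an added illustration of the "automation and monitoring" and "detection and response" capabilities above (this is example code written for this page, not a tool the standard or any vendor supplies), the following Python check evaluates an inventory of CDE components and produces the findings that would feed an alert or a SIEM. The inventory records, the 24-hour signature-age threshold and the field names are constructed assumptions; a real deployment would pull these from the configuration management system and the anti-malware console.

```python
"""Anti-malware coverage check over a CDE component inventory (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy threshold: signatures older than this are treated as stale.
SIGNATURE_MAX_AGE = timedelta(hours=24)


@dataclass
class Component:
    hostname: str
    in_scope: bool              # belongs to the CDE
    commonly_affected: bool     # platform known to be affected by malware
    am_installed: bool          # anti-malware agent present
    am_active: bool             # agent running and real-time protection on
    signatures_updated: Optional[datetime]  # last successful definition update
    tamper_protected: bool      # agent cannot be disabled without management approval


def evaluate(comp: Component, now: datetime) -> List[str]:
    """Return the list of control gaps for one component (empty means compliant)."""
    findings: List[str] = []
    # Components outside the CDE, or not commonly affected by malware, are not
    # subject to this check; the latter are re-evaluated periodically under Req. 12.
    if not comp.in_scope or not comp.commonly_affected:
        return findings
    if not comp.am_installed:
        # Nothing else can be assessed without an agent.
        findings.append("anti-malware not installed")
        return findings
    if not comp.am_active:
        findings.append("anti-malware inactive")
    if comp.signatures_updated is None or now - comp.signatures_updated > SIGNATURE_MAX_AGE:
        findings.append("signatures stale")
    if not comp.tamper_protected:
        findings.append("agent can be disabled without approval")
    return findings


def coverage_report(inventory: List[Component], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant hostname to its findings; compliant hosts are omitted."""
    report: Dict[str, List[str]] = {}
    for comp in inventory:
        findings = evaluate(comp, now)
        if findings:
            report[comp.hostname] = findings
    return report


def alert_lines(inventory: List[Component], now: datetime) -> List[str]:
    """Render findings as key=value lines suitable for forwarding to a SIEM."""
    return [
        f"ALERT req=5 host={host} finding={finding!r}"
        for host, findings in coverage_report(inventory, now).items()
        for finding in findings
    ]


# Constructed sample inventory and a fixed evaluation time for reproducibility.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Component("pos-srv-01", True, True, True, True, NOW - timedelta(hours=2), True),
    Component("db-srv-02", True, True, True, False, NOW - timedelta(days=3), True),
    Component("ws-017", True, True, False, False, None, False),
    Component("hsm-appliance", True, False, False, False, None, False),
    Component("mail-gw", True, True, True, True, NOW - timedelta(hours=1), False),
    Component("dev-laptop-9", False, True, False, False, None, False),
]

if __name__ == "__main__":
    for line in alert_lines(SAMPLE_INVENTORY, NOW):
        print(line)
```

The report deliberately stays silent on the HSM appliance and the out-of-scope laptop: the first is handled by the Requirement 12 re-evaluation of systems not commonly affected by malware, the second is outside the CDE. Everything else that is flagged maps directly to a condition in the list above (agent missing, agent inactive, updates not current, or no protection against unapproved disabling).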
Strong dependencies and integration with other key requirements
- Requirement 1: Integration with network security components, for network-based anti-malware protection
- Requirement 2: The security configuration of anti-malware system components
- Requirement 6: Integration with system hardening of components, such as NAC
- Requirement 10: Integration with logging and monitoring systems
- Requirement 11: Sufficient security testing of anti-malware systems
- Requirement 12: The risk-based re-evaluation of systems not known to be affected by malware
Short-term objectives
- Scope and automation: Implement and maintain a configuration management system for the effective, automatic identification and status synchronization and reporting of all in-scope components across the entire CDE
- Communication: Document and communicate configuration standards and implementation procedures, management and monitoring procedures for all system components across the CDE
Long-term objectives
- Improvement: Improve the integration of security and refine configurations and support processes, documentation and training, monitoring, and reporting
- Maturity: Achieve and maintain high performance of process and capability maturity on the deployment, maintenance and monitoring of anti-malware components, alerts and incident response
Common constraints
- Cost: Lack of budget to deploy and maintain advanced, integrated endpoint security solutions
- Competency: Lack of qualified staff to properly integrate and maintain the various endpoint solutions