PCI-DSS-FORM-00-3 Gap Assessment Tool


Please note: This sample shows only a small section of the complete Gap Assessment tool.

PCI DSS Gap Assessment Tool PCI-DSS-FORM-00-3

PCI DSS: Requirements

AREA/SECTION | SUB-SECTION | PCI DSS REQUIREMENTS | REQS MET? | ACTION NEEDED TO MEET REQ | ACTION OWNER
1 Install and maintain a firewall configuration to protect cardholder data | 1.1 Implement Firewall | Have firewall and router configuration standards and other documentation been completed? | Yes | |
 | 1.1.1 Firewall testing | Is there a formal process for testing and approval of all network connections and firewall and router configurations? | Yes | |
 | 1.1.2 Network diagram | Is there an up to date network diagram? | Yes | |
 | 1.1.3 Cardholder data flow diagram | Is there an up to date cardholder data flow diagram? | Yes | |
 | 1.1.4 DMZ | Is a valid DMZ in place? | Yes | |
 | 1.1.5 Network roles and responsibilities | Are groups, roles, and responsibilities for management of network components defined? | Yes | |
 | 1.1.6 Business justification for services, ports and protocols open | Is business justification for the use of services, ports and protocols documented? | Yes | |
 | 1.1.7 Firewall and Router review | Is there evidence that the firewall and router rule sets are reviewed at least every 6 months? | Yes | |
 | 1.2 Protect Cardholder Data Environment | Have firewall and router configuration standards been verified to confirm that all inbound and outbound traffic is necessary for the cardholder data environment? | Yes | |
 | 1.1.2 Restrict traffic | Do the applicable firewalls and routers limit inbound and outbound traffic to that necessary for the cardholder data environment? | Yes | |
 | 1.2.2 Router configuration | Are router configurations secured from unauthorized access? | Yes | |
 | 1.2.3 Firewall between CDE and wireless network | Are perimeter firewalls installed between all wireless networks and the cardholder data environment? | Yes | |
 | 1.3 Access between internet and CDE | Are firewall and router configurations defined, including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment? | Yes | |
 | 1.3.1 DMZ | Is the DMZ implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports? | Yes | |


PCI DSS Gap Assessment dashboard

To refresh chart data, click on "Refresh All" on the Data ribbon.

Gap assessment results

AREA OF STANDARD | REQS IN SECTION | NO OF REQS MET | PERCENTAGE CONFORMANT
1 Install and maintain a firewall configuration to protect cardholder data | 22 | 22 | 100%
2 Do not use vendor-supplied defaults for system passwords and other security parameters | 11 | 11 | 100%
3 Protect stored cardholder data | 23 | 23 | 100%
4 Encrypt transmission of cardholder data across open, public networks | 4 | 4 | 100%
5 Protect all systems against malware and regularly update anti-virus software or programs | 6 | 6 | 100%
6 Develop and maintain secure systems and applications | 25 | 25 | 100%
7 Restrict access to cardholder data by business need to know | 10 | 10 | 100%
8 Identify and authenticate access to system components | 25 | 25 | 100%
9 Restrict physical access to cardholder data | 27 | 27 | 100%
10 Regularly Monitor and Test Networks | 17 | 17 | 100%
11 Regularly test security systems and processes | 17 | 17 | 100%
12 Maintain a policy that addresses information security for all personnel | 24 | 24 | 100%
Total | 211 | 211 | 100%

[Radar chart: "Percentage level of compliance to the PCI DSS". One axis per requirement area 1 to 12, scale 0% to 100%; every area plotted at 100%.]

[Bar chart: "Level of compliance to the PCI DSS". One pair of bars per requirement area 1 to 12, series REQS IN SECTION and NO OF REQS MET, count axis 0 to 30, each pair labelled with its percentage conformant (100% for every area).]
