Asset Management in PCI DSS: Safeguarding Your Data Ecosystem
Introduction:
Asset Management is a critical aspect of information security, particularly in the context of the Payment Card Industry Data Security Standard (PCI DSS).
In this article, we will delve into what Asset Management entails and why it is essential in maintaining robust security.
We will also explore the concept of Configuration Items in ISO 20000 and Asset Management in ISO 27001.
Finally, we will examine how PCI DSS describes and mandates Asset Management.
What is Asset Management?
Asset Management is the systematic process of identifying, tracking, and managing an organization's assets.
In the context of information security, assets encompass a broad spectrum, including physical, digital, and intellectual resources.
These assets range from hardware and software to data, personnel, and business processes.
Importance of Asset Management in Information Security:
Asset Management is integral to information security for several reasons:
1. Risk Assessment: To protect sensitive data, organizations must understand what they have, where it's located, and its value. Asset management facilitates risk assessment by identifying vulnerabilities and their potential impact.
2. Resource Allocation: Asset management enables organizations to allocate resources efficiently. By knowing which assets are critical, organizations can direct security measures and budgets to protect them adequately.
3. Compliance: Many regulatory standards, including PCI DSS, require organizations to maintain an inventory of assets. Demonstrating compliance with these standards necessitates effective asset management.
4. Incident Response: In the event of a security incident, an up-to-date asset inventory helps organizations respond quickly and effectively, minimizing damage and downtime.
5. Data Protection: Asset management plays a crucial role in safeguarding sensitive data. Knowing the location of data assets ensures that security measures are applied where they are needed most.
According to ISO 20000-1:2018, clause 3.2.1 defines an asset as (page 14):
item, thing or entity that has potential or actual value to an organization.
Note 1 to entry: Value can be tangible or intangible, financial or non-financial, and includes consideration of risks and liabilities. It can be positive or negative at different stages of the asset life.
Note 2 to entry: Physical assets usually refer to equipment, inventory and properties owned by the organization. Physical assets are the opposite of intangible assets, which are non-physical assets such as leases, brands, digital assets, use rights, licences, intellectual property rights, reputation or agreements.
Note 3 to entry: A grouping of assets referred to as an asset system could also be considered as an asset.
Note 4 to entry: An asset can also be a configuration item. Some configuration items are not assets.
Clause 3.2.2 defines a configuration item (CI) as (page 14):
CI: element that needs to be controlled in order to deliver a service or services
CIs in ISO 20000-1:2018 refer to the individual components of an IT service or system.
CIs are items that need to be managed and controlled in a structured way to maintain the integrity and stability of IT services.
These can include hardware, software, documentation, and even the relationships between these components.
Proper management of CIs is essential for the effective delivery of IT services.
Asset Management in ISO 27001:2022:
ISO 27001:2022 Annex A (Information security controls reference), control 5.9, stipulates (page 17):
Organizational controls, 5.9 Inventory of information and other associated assets
Control: An inventory of information and other associated assets, including owners, shall be developed and maintained.
This involves identifying, classifying, and managing assets that are relevant to information security.
This includes tangible assets like hardware and software, as well as intangible assets such as intellectual property, knowledge, and information.
Effective Asset Management ensures that information assets are adequately protected against risks and threats, thus maintaining the confidentiality, integrity, and availability of sensitive information.
Asset Management in PCI DSS v4:
In my opinion, asset management in PCI DSS v4 should be approached in the steps described below:
Step 1 - Develop Policy
Requirement 12.1 A comprehensive information security policy that governs and provides direction for the protection of the entity’s information assets is known and current.
Step 2 - Address Risks
Requirement 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Step 3 - Develop and maintain an asset inventory
Requirement 12.5.1 An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
Step 4 - Add all required elements to the inventory
Requirement 4.2.1.1 An inventory of the entity’s trusted keys and certificates used to protect PAN during transmission is maintained.
Requirement 6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.
Requirement 6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows:
An inventory of all scripts is maintained with written justification as to why each is necessary.
Requirement 9.4.5 Inventory logs of all electronic media with cardholder data are maintained.
Requirement 11.2.2 An inventory of authorized wireless access points is maintained, including a documented business justification.
Requirement 12.3.3 Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following:
An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
If you are a Service Provider*, take the following requirement into account too:
Requirement 3.6.1.1 Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes:
Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4
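As an added example (not part of this article), the check below turns the inventory requirements listed in Steps 3 and 4, plus the owner attribute from ISO 27001 control 5.9, into a small Python completeness test over an inventory export. The asset type names, field names and the sample records are this example's own assumptions, not PCI DSS terminology.

```python
from datetime import date, timedelta
# Fields each asset type must carry, and the PCI DSS v4 requirement behind each.
# Type and field names are this example's own assumptions, not PCI DSS terms.
REQUIRED_FIELDS = {
    "system_component": [("function_use", "12.5.1")],
    "key_or_certificate": [("used_to_protect", "4.2.1.1")],
    "software": [("third_party_components", "6.3.2")],
    "payment_page_script": [("justification", "6.4.3")],
    "electronic_media": [("contains_cardholder_data", "9.4.5")],
    "wireless_ap": [("business_justification", "11.2.2")],
    "cipher_suite": [("purpose", "12.3.3"), ("where_used", "12.3.3")],
    "cryptographic_device": [("device_type", "3.6.1.1"), ("location", "3.6.1.1")],
}
REVIEW_INTERVAL = timedelta(days=365)  # 12.3.3: reviewed at least once every 12 months


def check_inventory(records, today):
    """Return one finding per gap; an empty list means the inventory is complete."""
    findings = []
    for rec in records:
        name, kind = rec.get("name", "<unnamed>"), rec.get("type")
        if kind not in REQUIRED_FIELDS:
            findings.append(f"{name}: unknown asset type {kind!r}")
            continue
        if not rec.get("owner"):  # ISO 27001:2022 control 5.9: inventory includes owners
            findings.append(f"{name}: missing owner (ISO 27001 5.9)")
        for field_name, req in REQUIRED_FIELDS[kind]:
            if not rec.get(field_name):
                findings.append(f"{name}: missing {field_name} (PCI DSS {req})")
        if kind == "cipher_suite":  # 12.3.3 also demands a review every 12 months
            reviewed = rec.get("last_reviewed")
            if reviewed is None or today - reviewed > REVIEW_INTERVAL:
                findings.append(f"{name}: review overdue (PCI DSS 12.3.3)")
    return findings


# Constructed sample inventory (illustrative names only) with three deliberate gaps.
SAMPLE = [
    {"name": "pay-web-01", "type": "system_component", "owner": "Payments team",
     "function_use": "web server hosting the payment page"},
    {"name": "checkout.js", "type": "payment_page_script", "owner": "Payments team",
     "justification": ""},  # 6.4.3: no written justification
    {"name": "wap-lobby", "type": "wireless_ap", "owner": "",
     "business_justification": "guest Wi-Fi"},  # 5.9: no owner
    {"name": "TLS_AES_128_GCM_SHA256", "type": "cipher_suite", "owner": "Platform team",
     "purpose": "HTTPS to acquirer", "where_used": "pay-web-01",
     "last_reviewed": date(2023, 1, 15)},  # 12.3.3: last review older than 12 months
]
TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible
if __name__ == "__main__":
    print(*check_inventory(SAMPLE, TODAY), sep="\n")
```

Running it against a real CMDB export would mean mapping the export's columns onto the field names above and adding the asset types your scope contains.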
If you have read this far, you may think it is all clear, but what is the best and most effective approach to fulfilling these requirements?
Obviously we need to implement a system or solution that covers everything required above. There are many options available, free and paid.
The idea here is not to list those solutions, but to suggest a checklist for selecting the most suitable one.
Here is a checklist to use:
Assets
Impact
Incidents and Problems
I understand that it would be difficult to find a solution matching all of these items, but using the checklist should help to find the most suitable one.
For example, we have developed our own CMDB** (not for sale), fully based on the items above.
In conclusion, Asset Management is not just a technical or administrative process; it is a fundamental practice that underpins information security and compliance with standards like PCI DSS, ISO 27001, and ISO 20000-1.
By understanding what assets are, where they are, and their importance, organizations can better protect sensitive information and maintain a secure and compliant data ecosystem.
* Service Provider
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes payment gateways, payment service providers (PSPs), and independent sales organizations (ISOs). This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services). See Multi-Tenant Service Provider and Third-Party Service Provider.
Other useful links
Configuration management database - Wikipedia
Computer security incident management - Wikipedia
Configuration management - Wikipedia
Configuration item - Wikipedia
Asset management - Wikipedia
ISO 55000 - Wikipedia
Asset Management Standards | BSI PAS 55
Comment from Ingeniero de Computacion (1 yr ago): Great article, very informative. I was wondering if there is any example or model of how to inventory and manage assets? It seems like a very detailed inventory. Best regards.