Assignment: PCI DSS Scenario
Learning Objectives and Outcomes: You will learn and understand best practices related to Payment Card Industry Data Security Standard (PCI DSS) and to U.S. compliance laws.
Introduction: In managing risks in an organization, professionals in the information technology (IT) department or consultants conduct research to identify threats, vulnerabilities, and threat/vulnerability pairs. Then, the IT professionals and/or consultants determine the likelihood of each threat occurring. The results are presented to management, whose role in risk management is to determine and recommend approaches to manage these risks. Management then presents these recommendations to the senior management and/or the board of directors, whose role is to allocate resources, specifically money and employees, to prepare for and respond to identified threats and vulnerabilities appropriately.
This activity allows students to fulfill the role of an IT consultant tasked with identifying threats, vulnerabilities, and threat/vulnerability pairs; estimating the likelihood of these threats occurring; and present this information to IT management. Assume the audience has a basic understanding of the technology involved, but clearly explain any advanced concepts in terms that will be understood by business people and not just information technology experts.
Scenario: FertileGrow is a small agricultural company, which produces and sells fertilizer products. The company headquarters is in a small town in Nebraska. Outside its headquarters, there are two large production facilities-one in Indiana and other in Oklahoma. Furthermore, FertileGrow employs salespeople in every state in the U.S. to serve its customers locally.
The company has five servers located at its headquarters- a Windows 2019 Active Directory server, a Linux Mint application server, a CentOS email server, a CentOS / Apache web server and an Oracle database server. The application server hosts FertileGrow's primary software application, which is a home-grown program managing inventory, sales, supply-chain, and customer information. The database server manages all data stored locally with direct attached storage.
All three major sites use Ethernet cabled local area networks (LANs) to connect the users Windows 10 workstations via Cisco 2960 managed switches.
The remote production facilities connect to headquarters via routers T-1 WAN connections provided by an external Internet service provider (ISP), and share an Internet connection through a firewall at headquarters.
Individual salespersons throughout the country connect to FertileGrow's network via virtual private network (VPN) software through their individual Internet connections, typically in a home office.
Assignment Requirements:
FertileGrow Company's senior management has recently decided to accept credit card payments from FertileGrow customers both from store locations and online transactions. This decision makes meeting PCI DSS objectives and requirements a necessary consideration in order to validate compliance for enforcement organizations.
You will make recommendations to IT management to implement best practices of PCI DSS.
Tasks: You need to assume the role of an PCI-DSS consultant hired by FertileGrow's IT management to conduct the following risk management tasks:
- Identify security-related threats to the organization.
- Identify vulnerabilities within the organization's architecture.
- Identify threat/vulnerability pairs to determine threat actions that could pose risks to the organization.
- Estimate the likelihood of occurrence and the potential negative impact for each threat action.
- Justify your reasoning for each identified threat highlighting qualitative and quantitative data.