Item 4.2
To defend Information Technology (IT) systems against
common cybersecurity threats, a company must install
sufficient software/hardware protection from malware
(viruses, spyware, worms, Trojans, etc.) and
internal/external intrusion (firewalls) in Members’
computer systems. Members must ensure that their
security software is current and receives regular security
updates. Members must have policies and procedures to
prevent attacks via social engineering. If a data breach
occurs or another unseen event results in the loss of data
and/or equipment, procedures must include the recovery
(or replacement) of IT systems and/or data.
So IT has to make sure each desktop/server has anti-virus installed, and firewall enabled. This software has to be updated regularly.
Management has to have policies and procedures in place to prevent “social engineering” attacks.
There also has to be procedures for recovering from a breach or data loss.
Implementation
To properly control and audit the security software you would have to deploy the software via a managed system. For McAfee you would have to deploy the anti-virus software via their management program ePolicy Orchestrator as this program lets you know the status of each registered device including the version installed and the current update status. A report from this management system can be printed and attached to the compliance assessment.
Data loss recovery means you will need good backups and/or replacement hardware.
I’ve been through a ransomware “event”. It was not pretty. I found the backup process still had flaws, even though I had multiple levels of backups the ransomware went through them as they were still accessible.
Data Loss Prevention (DLP) is another topic that may or may not be included here. DLP means you have to control all media used by people (i.e. USB sticks). You will have to block any unauthorized attempts to write to removable media, send via email, upload to web sites, etc. McAfee does have a DLP program. At a minimum desktops should be configured to block write access to USB storage.
Other Programs
- PCI-DSS: 1.4, 1.5, 5.x