{"id":64,"date":"2022-10-09T23:56:00","date_gmt":"2022-10-10T04:56:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=64"},"modified":"2022-10-08T12:17:07","modified_gmt":"2022-10-08T17:17:07","slug":"intro-to-pci-version-4-requirement-5","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/","title":{"rendered":"Intro to PCI version 4: Requirement 5"},"content":{"rendered":"\n<p>In the past requirement 5 has been approached from the mindset of \u201cjust install McAfee and be done with it\u201d (or whatever your AV solution happens to be).&nbsp; The new direction in v4 expands on the concepts of protecting against \u201cmalware\u201d to encompass malicious intent that wouldn\u2019t be captured by your AV solution directly, without possibly some configuration changes.&nbsp; The council also continues down the path of automating as much as possible to remove the risk of human error (or intentional internal actions).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>Personally, I like the changes to R5.\u00a0 I have been preaching to any client that will listen (and sometimes to random people on the streets) that they need to put more effort into building a secure culture to reduce the human risk factor, since that is the largest attack vector in most environments.\u00a0 The changes in 5 don\u2019t directly change the culture of your company, but they can reduce the decision points presented to employees by lowering the risk of phishing, which does have a positive impact on the overall environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 5 in v4<\/h2>\n\n\n\n<p>With that said, the changes in the form of new controls in requirement 5 of version 4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>5.1.2 &#8211; Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and 
understood.es to the existing controls (surprised?) &lt;- literally cut and pasted this line from the post on requirement 4 (which was cut from 3, etc.)<\/li><li>5.2.3.1 &#8211; A targeted risk analysis is performed to determine frequency of periodic evaluations of system components identified as not at risk for malware \u2013 No longer able to just declare systems as \u201cnot at risk\u201d and write them off to focus on other items.&nbsp; Targeted Risk Assessments (TRAs) MUST be done prior to the assessment starting, so be mindful of that when getting ready to start your first v4 assessment cycle.<\/li><li>5.3.2.1 &#8211; A targeted risk analysis is performed to determine frequency of periodic malware scans.<\/li><li>5.3.3 &#8211; Anti-malware scans are performed when removable electronic media is in use.&nbsp; This one is potentially HUGE.&nbsp; How many of your employees use USB drives to move files between work and home?<\/li><li>5.4.1 &#8211; Mechanisms are in place to detect and protect personnel against phishing attacks.&nbsp; Anytime you see the word \u201cmechanisms\u201d read it to say, \u201cautomated solutions\u201d.&nbsp; As I mentioned previously, a reduction in the number of phishing attempts that make it to your internal user community will obviously lead to a more secure environment, allowing employees to focus on their actual work.<\/li><\/ul>\n\n\n\n<p>Requirement 5 is maturing along with the rest of the controls to expand not only the controls but the overall mindset and philosophy behind it.&nbsp; This is very evident in the changes to the existing requirement 5 controls.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>5 \u2013 Clarification\/guidance \u2013 Updated principal requirement title to reflect the focus on protecting all systems and networks from malicious software.<\/li><li>5 \u2013 Clarification\/guidance &#8211; Replaced \u201canti-virus\u201d with \u201canti-malware\u201d throughout to support a broader range of technologies used to meet 
the security objectives traditionally met by anti-virus software.<\/li><li>5.1.2 &#8211; Clarification\/guidance \u2013 Changed to 5.2.3 and clarified requirement by changing focus to \u201csystem components that are not at risk for malware.\u201d<\/li><li>5.2 \u2013 Clarification\/guidance \u2013 Split this requirement into three separate ones (5.3.1, 5.3.2, 5.3.4) &#8211; Split one requirement into three to focus each requirement on one area:<ul><li>Keeping the malware solution current via automatic updates<\/li><\/ul><ul><li>Performing periodic scans and active or real-time scans (with a new option for continuous behavioral analysis)<\/li><\/ul><ul><li>Generation of audit logs by the malware solution.<\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>From an operational standpoint, not much is going to change in the daily routine based on the changes to Requirement 5.&nbsp; There will be some potential upfront work to upgrade and develop the oversight processes going forward (TRAs), but once those are in place.&nbsp; The best advice I have for you is to take this one seriously and put the effort in early to build processes that keep the areas of your security program which govern and manage this area in the forefront of management\u2019s minds.&nbsp; Develop KPIs that show how much the new solutions are capturing before it gets into the environment, etc.&nbsp; Keep the narrative between security and management, especially finance, focused on the fact that a lack of large events is made possible by the efforts of the group on the numerous small events that happen every day.<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.&nbsp; Feel free to reach out to me directly with questions or to have a conversation via my email and\/or social media information on the TBF website.&nbsp; Thanks for 
taking the time to read my thoughts on PCI v4 Requirement 5.&nbsp; We will continue to work through each of the PCI requirements each week.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the past requirement 5 has been approached from the mindset of \u201cjust install McAfee and be done with it\u201d (or whatever your AV solution happens to be).&nbsp; The new direction in v4 expands on the concepts of protecting against \u201cmalware\u201d to encompass malicious intent that wouldn\u2019t be captured by your AV solution directly, without &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 5&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-64","post","type-post","status-publish","format-standard","hentry","category-shawn"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 5 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro to PCI version 4: Requirement 5 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"In the past requirement 5 has been approached from 
the mindset of \u201cjust install McAfee and be done with it\u201d (or whatever your AV solution happens to be).&nbsp; The new direction in v4 expands on the concepts of protecting against \u201cmalware\u201d to encompass malicious intent that wouldn\u2019t be captured by your AV solution directly, without &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 5&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-10T04:56:00+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 
5\",\"datePublished\":\"2022-10-10T04:56:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/\"},\"wordCount\":814,\"articleSection\":[\"Shawn\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/\",\"name\":\"Intro to PCI version 4: Requirement 5 - Shawn&#039;s Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-10-10T04:56:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/09\\\/intro-to-pci-version-4-requirement-5\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 5\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 5 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 5 - Shawn&#039;s Blog","og_description":"In the past requirement 5 has been approached from the mindset of \u201cjust install McAfee and be done with it\u201d (or whatever your AV solution happens to be).&nbsp; The new direction in v4 expands on the concepts of protecting against \u201cmalware\u201d to encompass malicious intent that wouldn\u2019t be captured by your AV solution directly, without &hellip; Continue reading \"Intro to PCI version 4: Requirement 5\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-10-10T04:56:00+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 5","datePublished":"2022-10-10T04:56:00+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/"},"wordCount":814,"articleSection":["Shawn"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/","name":"Intro to PCI version 4: Requirement 5 - Shawn&#039;s Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-10-10T04:56:00+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/09\/intro-to-pci-version-4-requirement-5\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 
5"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/64","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=64"}],"version-history":[{"count":1,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/64\/revisions"}],"predecessor-version":[{"id":65,"href":"https:\/\/terrabytefoundry.com\/
blog_s\/wp-json\/wp\/v2\/posts\/64\/revisions\/65"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=64"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=64"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}