
Question


PLEASE ANSWER ALL THE QUESTIONS WITH THE FOLLOWING REQUIREMENTS; ALSO PLEASE USE THE TEMPLATE AS REQUIRED
******************************************************************
Write a report to address all parts of the questions. Do not provide brief answers to each question. Your answers should be in a report format. Use the risk assessment template provided to conduct the risk analysis and submit a Word document report with your name. You will lose 20 points if your answer is not in a report format including the risk assessment template.
******************************************************************************
Read the following articles:
1. PCI DSS Report
2. PCI DSS Breach Examples
3. PCI DSS Explained
Due to COVID-19 restrictions, the Girls Guide (GG) cookie sale drive is planning to use only electronic payment, including credit cards, for payments. The Girls Guide Board of Directors has directed the IT Department to implement the Processing Card Industry Data Security Standards (PCI DSS) before the organization begins accepting credit card payments.
The IT Department currently manages a Wi-Fi Network, a wired network, and web servers that provide information to customers and clients, but the department has no explicit security policies or controls. The only policy that it has implemented successfully is a password length and change policy that requires all users to use a 12-character length password and also change passwords every 6 months.
The strategy of the IT Department is to focus on 4 PCI DSS requirements listed in the "Worse Areas in PCI DSS Non-compliance" table from the Verizon 2020 Payment Security Report. As head of the IT Department, you must perform a risk assessment and present a report to the BOD to justify the Department's selection and the strategies and tactics the Department will use to ensure compliance with the 4 PCI DSS requirements.
Data Source: Verizon 2020 Payment Security Report
Using the risk assessment template (RAT) provided, perform a risk assessment of the 4 areas that the IT Department selected. An example of a completed template on UALR learning management system is provided for illustration on page 4.
In your assessment, evaluate the vulnerability assessment scale, threat impact scale, risk likelihood scale and assign appropriate values and compute the composite scale.
THESE ARE THE QUESTIONS
1. List the 4 PCI DSS requirements (after reviewing all three readings). What are the 4 PCI DSS requirements selected by the IT Department? (10 pts)
2. Explain why the selected areas are important to PCI DSS implementation (10 pts)
3. Using the template, perform a risk assessment of the 4 PCI DSS requirements using the scales provided in Tables 1-4 (10 pts)
4. Based on your risk assessment, write a brief report on your findings. As IT Department manager, explain and briefly elaborate on how the IT Department will use the vulnerability assessment scale, threat impact scale and risk likelihood scale to guide the implementation of the PCI DSS (20 pts)
5. In your report as IT Department Manager, explain the composite score to the Girls Guide BOD and explain the strategy of the IT Department given the Composite Score Level for the 4 PCI DSS requirements (20 pts)
6. As head of the IT Department, use the report to explain and justify the tactical plans of the IT Department. These plans should include specific IT controls/processes to support compliance with the 4 PCI DSS requirements (30 points)
*************************************************************************
Sample Risk Assessment Using UALR as an example
This image is just an illustration and example of how you use the template and explanation.

UALR Risk Assessment Template

  IT Areas                         | Threat Impact Scale | Vulnerability Assessment Scale | Risk Likelihood Scale | Composite Risk Score and Level
                                   | L  M  H             | L  M  H                        | L  M  H               | Score  Level
  Learning Management System (LMS) | 2  0  0             | 2  0  0                        | 2  0  0               | 6      M
  Wi-Fi Network Access             | 0  0  3             | 0  2  0                        | 0  0  3               | 8      H

The LMS is accessible to all students and faculty remotely; thus, it poses a significant threat. The seamless access to the LMS makes it vulnerable to phishing, social engineering, and hackers.

The threat impact is medium because a breach of the LMS will not completely paralyze UALR; the impact will affect students and faculty.

The vulnerability level is 3 because it is a viable target for hackers and cyber criminals to get passwords and initiate social engineering to gain access to the UALR network. Hence, the vulnerability assessment scale is 3.

The risk likelihood is 2, medium, because hackers may feel that the LMS will not yield valuable information, hence may not focus all attention on breaching the LMS although it may appear to be a soft target.

The composite score is an aggregate of the risk assessment, and it is medium; hence UALR should monitor the risk of breaching the LMS yearly and ensure that they have policies that are effective in protecting the LMS from hackers and security breaches. They should implement 2-factor authentication, password length and change policies, segment the LMS network from other networks, and scan the LMS network for potential problems regularly during the year.

PCI DSS Risk Assessment Template

  PCI DSS Requirements | Threat Impact Scale | Vulnerability Assessment Scale | Risk Likelihood Scale | Composite Risk Score and Level
                       | L  M  H             | L  M  H                        | L  M  H               | Score  Level

Table 1: Vulnerability Assessment Scale

  Level | Value | Explanation
  H     | 3     | Exploited vulnerability impacts organization
  M     | 2     | Exploited vulnerability impacts functional units
  L     | 1     | Exploited vulnerability impact is minor

Table 2: Risk Likelihood Scale

  Level | Value | Explanation
  H     | 3     | High probability that risk will occur
  M     | 2     | Medium probability that risk will occur
  L     | 1     | Low probability that risk will occur

Table 3: Threat Impact Scale

  Level | Value | Explanation
  H     | 3     | Threat potential impacts organization
  M     | 2     | Threat potential impact limited to functional units
  L     | 1     | Threat potential is limited and minor

Table 4: Composite Score Scale

  Level | Composite Risk Score | Recommended Annual Review
  H     | 7-9                  | Monitor risk regularly during the year
  M     | 4-6                  | Monitor risk yearly
  L     | 1-3                  | Monitor risk during a 2-3-year period
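The scoring rule the template applies (one L/M/H rating from each of Tables 1-3, summed and banded by Table 4) as an added worked example, not part of the assignment or its template; the sample rows are constructed from the UALR illustration, and the four PCI DSS requirements to be assessed are left for the report writer to supply:

```python
"""Composite risk scoring for the risk assessment template (Tables 1-4)."""
from dataclasses import dataclass
from typing import Tuple

# Tables 1-3 all map a level letter to the same numeric value.
LEVEL_VALUE = {"L": 1, "M": 2, "H": 3}

# Table 4: composite score bands and the recommended annual review.
COMPOSITE_BANDS = (
    (7, 9, "H", "Monitor risk regularly during the year"),
    (4, 6, "M", "Monitor risk yearly"),
    (1, 3, "L", "Monitor risk during a 2-3-year period"),
)

@dataclass
class Assessment:
    area: str
    threat: str         # Table 3, Threat Impact Scale (L/M/H)
    vulnerability: str  # Table 1, Vulnerability Assessment Scale (L/M/H)
    likelihood: str     # Table 2, Risk Likelihood Scale (L/M/H)

    def composite(self) -> Tuple[int, str, str]:
        """Return (score, level, recommended review) for this row."""
        ratings = (self.threat, self.vulnerability, self.likelihood)
        for r in ratings:
            if r not in LEVEL_VALUE:
                raise ValueError(f"{self.area}: rating must be L, M or H, got {r!r}")
        score = sum(LEVEL_VALUE[r] for r in ratings)  # always 3..9
        for low, high, level, review in COMPOSITE_BANDS:
            if low <= score <= high:
                return score, level, review
        raise AssertionError("unreachable: score is always within 3..9")

def render_row(a: Assessment) -> str:
    """Lay the row out like the template: the value sits under its own L/M/H column."""
    cells = []
    for rating in (a.threat, a.vulnerability, a.likelihood):
        cells.append(" ".join(str(LEVEL_VALUE[rating]) if col == rating else "0" for col in "LMH"))
    score, level, _ = a.composite()
    return f"{a.area:<40} | {' | '.join(cells)} | {score} {level}"

# Constructed sample rows, using the ratings from the UALR illustration above.
SAMPLE = [
    Assessment("Learning Management System (LMS)", "M", "M", "M"),
    Assessment("Wi-Fi Network Access", "H", "M", "H"),
]

if __name__ == "__main__":
    print(f"{'IT Areas':<40} | L M H | L M H | L M H | Score Level")
    for row in SAMPLE:
        print(render_row(row), "-", row.composite()[2])
```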
