GRC IRMF Lab 3.3 Secure POS Systems in Tokyo Japan

Secure POS Systems in Tokyo, Japan
Lab 3.3 25 minutes
Table of Contents
Objectives..................................................................................................................................................... 1
Scenario ........................................................................................................................................................ 1
Section 1 Create and process a policy to publication .......................................................................... 3
Section 1.1 Create a policy .................................................................................................................... 3
Section 1.2 Approve the Policy to Publish the Policy ........................................................................... 6
Section 2 Create a manual indicator template ...................................................................................... 8
Section 3 Associate the control objective with an entity type and move controls to attest .......... 10
Section 4 Consolidate the attestations and respond ........................................................................... 12
Section 5 Respond to a manual indicator ............................................................................................. 14
Section 5.1 Execute an indicator ahead of schedule ....................................................................... 14
Section 5.2 Respond to an indicator task ........................................................................................... 16
Objectives
• Take a policy through its lifecycle from creation to publication
• Create a manual indicator and associate it with a control objective
• Associate the control objective with the entity type, Active POS Devices
• Associate the control objective with the policy
• Move controls into the assess state
• Consolidate control attestations and respond to them for one travel branch location
Scenario
Personal travelers can book travel at one of Aglow Travel Co.’s eight travel branches worldwide.
The travel branches accept payments using point of sale (POS) devices, which are leased from
regional banks. To comply with PCI DSS and to protect customer data, Aglow Travel Co. requires
branch managers to physically examine POS devices once a month for signs of tampering.
Tampering could include missing or altered equipment. Criminal groups are known to illegally
modify active POS devices by utilizing a “skimmer” that gathers cardholder data and PINs during
transactions.
1
© 2022 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered
trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company and product names may be trademarks of the respective
companies with which they are associated.
Cecilia Uchiyama, the compliance analyst, needs to publish a policy that outlines the required
procedures for branch managers and set up the framework for continuous monitoring.
Note: Confirm that you have downloaded the Aglow Travel Monthly Inspection
Checklist for POS Terminal Tampering.docx. This document was available as an
attachment, with this lab guide, from the course in Now Learning.
Lab Dependency: Other labs are dependent on the completion of this lab, Lab 3.2
Secure POS Systems in Tokyo, Japan.
2
Section 1 Create and process a policy to publication
Aglow Travel Co. has requested an anti-tampering policy created for POS systems. The new
policy is to be processed by Aglow Travel Co. personnel through publication.
Section 1.1 Create a policy
1. Impersonate Cecilia Uchiyama, the compliance analyst, with the role of compliance
user.
2. Navigate to Workspaces > Compliance Workspace from the Unified Navigation Header.
3. Select Create from the right side of the Home page.
4. Select Policy from the drop-down list.
5. Complete the form with the following values:
a. Name: Travel Branch Security for POS Systems
b. Type: Policy
c. Description: Anti-tampering policy for POS systems.
d. Policy text: A list of POS systems must be maintained at each travel branch. Travel
Branch Managers are responsible for inspecting devices monthly. All branch staff
must complete the required training for securing devices.
e. Assignment:
i. Owning group: Compliance Users (Aglow Travel Co.)
ii. Approvers: Colin Macarthur
iii. Owner: Cecilia Uchiyama
iv. Reviewers: Cecilia Uchiyama
Note: In a real-time scenario, you can select a different person as the reviewer;
however, we do not require additional reviewers for this lab.
3
f. Schedule:
i. Valid from: <<Today>>
ii. Valid to: <<One year from today>>
Note: Notice the fields and default values in the Policy setup section.
g. Scroll down to the Exception setup section:
Note: If this field is left blank, then the duration will be the default value that was set
up during implementation in a system property. This is covered in the
Implementation course. The baseline default is 30 days.
i. Maximum exception duration (days): 60
6. Save the record.
Cecilia decided to associate this policy with the control objective, Establish and maintain on-site
physical controls for all distributed Information Technology assets.
7. Select Control objectives related list and select Add.
8. In the pop-up box, search for the control objective Establish and maintain on-site
physical controls for all distributed Information Technology assets by selecting the
column context menu.
9. Select the control objective record with Reference: 04820 and select Add.
4
10. Select Establish and maintain on-site physical controls for all distributed Information
Technology assets from the Control objectives related list to open the control objective
record.
11. Select the Details related list. Notice that the control objective has not been set to
automatically generate controls and that the Attestation has no field value.
12. Make the following updates:
a. Creates controls automatically: <<Checked>> (true).
b. Attestation: GRC Attestation
13. Save the changes to the record.
14. Select Policy: Travel Branch Security for POS Systems from the breadcrumb to return to
the policy record.
15. Select Request review.
16. Type your message in the Request review pop-up box and select Request.
Policy moves to Review state.
17. Submit the policy for approval by selecting Request approval.
5
18. Enter your message in the pop-up Request approval Message box.
19. Select Request.

Section 1.2 Approve the Policy to Publish the Policy
Colin Macarthur, the compliance manager, is the approver for this policy.
20. Impersonate Colin Macarthur with the role of compliance manager.
22. Select the Tasks icon.
23. A record will be displayed under My pending tasks > Policy approvals.
24. Select Requested to open the record.
25. After reviewing the policy, select the State field and change the value to Approved from
the drop-down menu.
6
26. Select Save.
Now that the policy is approved, it has been published as a Knowledge article.
27. Select the List icon.
28. Navigate to Compliance library > All policies.
29. Select to open the policy with the name, Travel Branch Security for POS Systems.
30. Select the Details related list and scroll to the Policy setup section.
31. Select the information icon next to the Published policy number.
32. Verify the published knowledge article.
7
Section 2 Create a manual indicator template
Now that the policy is approved, Colin Macarthur would like to set up control validation on the
associated control objective. He creates a manual indicator template from the control
objective.
1. Continuing as Colin Macarthur on the Compliance workspace, select the list icon and
navigate to Lists > Control Monitoring > Indicator templates.
2. Select New to create an indicator template.
3. Complete the form with the following values:
a. Name: Inspect POS systems for signs of tampering or substitution
b. Description: Physically examine POS devices once a month for signs of tampering.
Tampering could include missing or altered equipment.
c. Category: Control Indicator Template
d. Method tab > Type: Manual
e. Method tab > Target type: None
f. Method tab > Instructions:
(1) Examine each POS system at the travel branch for abnormalities
(2) Confirm correct serial and model number
(3) Check the number of connections going to and from POS system
g. In the Schedule section:
i. Collection frequency: Monthly
ii. Next run date: <<Leave as it is>>
4. Select Save.
5. Select the List icon and navigate to Compliance library > All policies.
8
6. Select and open Travel Branch Security for POS Systems policy.
7. From the Control Objectives related list, open the control objective, Establish and
maintain on-site physical controls for all distributed Information Technology assets.
8. Select the Indicator templates related list to add the recently created indicator to this
control objective.
Note: If Indicator templates is not listed in the related list, select More and then select
from the drop-down list.
9. Select Add.
10. Select Inspect POS systems for signs of tampering or substitution.
11. Select Add.
9
Section 3 Associate the control objective with an entity type
and move controls to attest
Colin wants the control objective, Establish and maintain on-site physical controls for all
distributed Information Technology assets, associated with the entity type, Active POS Systems.
1. Continuing on the control objective record with Source ID 04820, select the Entity Types
related list.
2. Select Add.
3. Select Active POS Devices (Aglow Travel Co.) and select the Add button.
Controls and indicators will automatically generate for each entity of this entity
type and be owned by the Travel Branch Managers.
A message displays:
4. Close the displayed message by selecting x.
5. Select the Controls related list and notice that the controls have been generated.
6. At the bottom right of the screen, change the number of rows per page to 50 to display
all the controls on the same page.
10
7. Select the checkbox on the left of the header, Name, to select all the controls.
8. Select Attest.
Alerts are displayed stating that the attestations have been created.
9. Select Dismiss All button to close the pop-up alerts.
Now, all 24 controls are in the state of Attest.
11
Section 4 Consolidate the attestations and respond
Ban Maki, the travel branch manager for the East Asia travel branch, consolidates the
attestations and responds with the same response to all of them except CardReader001, which
is having an issue.
1. Impersonate Ban Maki, the travel branch manager in Tokyo, Japan.
2. Navigate to Policy and Compliance > Controls > My Attestations.
3. Select the checkboxes for all rows except the one for CardReader001.
Note: Your ordering and numbers may differ.
4. From the Actions on selected rows drop-down list, select Group Assessments.
5. Set the Response type to Provide same response for all assessments and Additional
criteria as Control Objective/Risk Statement.
6. Select Group.
12
7. An assessment group is created and displayed. Select the Assessment group link in the
message.
8. Select Take assessment.
9. Respond to the GRC Attestation with the following:
a. Is the control implemented?: Yes
b. Explain: Please see attached document
10. Select the Manage Attachments icon.
11. Select Choose file and upload the Aglow Travel Monthly Inspection Checklist for POS
Terminal Tampering.docx.
You should have downloaded this document with the course lab guide. This will be
attached as proof for the attestation.
12. Select the X to close the window.
13. Select Submit.
14. Close the browser thread used for the group attestation.
At this stage, there is one attestation remaining for CardReader001.
Ban Maki has now provided documentation that he, the control owner, has a defined method
to measure the control.
13
Section 5 Respond to a manual indicator
Now that Ban has provided his defined method to measure the control, he needs to complete a
manual indicator to measure the effectiveness of the method identified in the control
attestation.
Section 5.1 Execute an indicator ahead of schedule
The manual indicator is set to run on the first of each month. For this lab, you will impersonate
Colin Macarthur, the compliance manager, and execute this indicator outside of the defined
schedule to generate an indicator task for Ban.
1. Impersonate Colin MacArthur.
3. Select the List icon and navigate to Compliance library > Control objectives.
4. Search for the control objective with the Name: Establish and maintain on-site physical
controls for all distributed Information Technology assets.
14
5. Open the control objective by selecting the Establish and maintain on-site physical
controls for all distributed Information Technology assets with Source ID: 04820.
6. Select More and select Indicator templates related list from the drop-down menu.
7. Open the indicator template, Inspect POS systems for signs of tampering or substitution.
8. From the Indicators related list, search and select the indicator name for the entity,
CardReader017 to open it.
9. Select Execute to run the indicator.
15
An indicator task has been created for Ban Maki, the owner of this control indicator.
Section 5.2 Respond to an indicator task
10. Impersonate Ban Maki.
11. Navigate to All > Employee Center.
12. Select GRC tasks from the My active items widget.
13. Select the Tasks icon and the Indicator tasks module. Then open the Task for Inspect POS
systems for signs of tampering or substitution from the Indicator tasks list.
14. Open the document Aglow Travel Monthly Inspection Checklist for POS Terminal
Tampering saved on your computer.
Note: In the real world, the indicator would contain a link to this checklist, allowing
them to download it for completion and inclusion in the indicator.
15. Complete the following fields on the checklist:
a. POS Device: CardReader017
b. Travel branch: E. Asia
16
c. Name of employee performing inspection: Ban Maki
d. Date of inspection: <Enter today’s date>
e. Checklist: <Check each checklist item>
16. Save the file to your computer.
17. Select the Manage Attachments paperclip icon.
18. Select Browse and upload the Aglow Travel Monthly Inspection Checklist for POS
Terminal Tampering.docx just updated for CardReader017.
19. Select the X to close the window.
20. Update the Result field to Passed.
21. Change the State field to Closed.
22. Select Save.
23. Close the Employee Center browser tab.
Congratulations! You have completed this lab.
17

GRC IRMF Lab 3.3 Secure POS Systems in Tokyo Japan

Uploaded by

Copyright:

Available Formats

GRC IRMF Lab 3.3 Secure POS Systems in Tokyo Japan

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GRC IRMF Lab 3.3 Secure POS Systems in Tokyo Japan

Uploaded by

Copyright:

Available Formats

Secure POS Systems in Tokyo, Japan

Lab 3.3 25 minutes

3. Select Create from the right side of the Home page.

4. Select Policy from the drop-down list.

5. Complete the form with the following values:

a. Name: Travel Branch Security for POS Systems

c. Description: Anti-tampering policy for POS systems.

i. Owning group: Compliance Users (Aglow Travel Co.)

ii. Approvers: Colin Macarthur

iii. Owner: Cecilia Uchiyama

iv. Reviewers: Cecilia Uchiyama

i. Valid from: <<Today>>

ii. Valid to: <<One year from today>>

g. Scroll down to the Exception setup section:

i. Maximum exception duration (days): 60

6. Save the record.

7. Select Control objectives related list and select Add.

12. Make the following updates:

a. Creates controls automatically: <<Checked>> (true).

b. Attestation: GRC Attestation

13. Save the changes to the record.

15. Select Request review.

Policy moves to Review state.

17. Submit the policy for approval by selecting Request approval.

19. Select Request.

20. Impersonate Colin Macarthur with the role of compliance manager.

22. Select the Tasks icon.

24. Select Requested to open the record.

27. Select the List icon.

28. Navigate to Compliance library > All policies.

32. Verify the published knowledge article.

2. Select New to create an indicator template.

3. Complete the form with the following values:

a. Name: Inspect POS systems for signs of tampering or substitution

c. Category: Control Indicator Template

d. Method tab > Type: Manual

e. Method tab > Target type: None

f. Method tab > Instructions:

g. In the Schedule section:

i. Collection frequency: Monthly

ii. Next run date: <<Leave as it is>>

10. Select Inspect POS systems for signs of tampering or substitution.

11. Select Add.

4. Close the displayed message by selecting x.

9. Select Dismiss All button to close the pop-up alerts.

Now, all 24 controls are in the state of Attest.

1. Impersonate Ban Maki, the travel branch manager in Tokyo, Japan.

2. Navigate to Policy and Compliance > Controls > My Attestations.

Note: Your ordering and numbers may differ.

8. Select Take assessment.

9. Respond to the GRC Attestation with the following:

a. Is the control implemented?: Yes

b. Explain: Please see attached document

10. Select the Manage Attachments icon.

12. Select the X to close the window.

13. Select Submit.

At this stage, there is one attestation remaining for CardReader001.

1. Impersonate Colin MacArthur.

9. Select Execute to run the indicator.