====== New CDE Component ======

===== 1. Introduction =====

Gemporia recognises that payment card information is a valuable asset. Managing security systems and the information they contain is vital to maintain Gemporia's reputation and the ability to continue trading successfully.

Gemporia considers the security of its cardholder data environment (CDE) and cardholder data to be a crucial element of its business and, to this end, has created a well-defined set of policies, standards and procedures to support secure operations.

The aim of this policy document is to lay out how Gemporia will integrate new hardware and software components into the CDE in order to uphold the security standards required and desired for this role.

===== 2. Scope =====

This policy applies to the people, processes and technology that install, either directly or indirectly, new hardware or software within the CDE.

This policy document is designed to be used in conjunction with the appropriate [[policies:configuration_standards|implementation standards]] as defined by Gemporia in accordance with best practices.

===== 3. Policy Statement =====

==== 3.1 Prior to installation in CDE ====

3.1.1 All unnecessary services and protocols shall be disabled

3.1.2 All necessary services and protocols shall be justified and documented

3.1.3 All vendor defaults shall be changed where possible

3.1.4 All common security parameters shall be changed where possible

3.1.5 All non-console administrative access shall be encrypted using strong encryption techniques such as TLS or SSHv2

3.1.6 All web-based management shall be carried over HTTPS where possible

==== 3.2 Wireless - additional requirements ====

3.2.1 All encryption shall be strong and in line with best practices

3.2.2 All defaults including SNMP community strings shall be changed

==== 3.3 Documentation ====

3.3.1 The asset shall be recorded on the CDE asset register

==== 3.4 Post installation in CDE ====

3.4.1 All internal and external vulnerability scans will be re-run if the change is significant

3.4.2 All internal and external vulnerability scans will be re-run if a high risk vulnerability is discovered

===== 4. Revision History =====

^Date ^Description ^Who ^
|12/08/2015 |Original Document |Andrew Smith|
|23/09/2015 |Added 3.2 |Andrew Smith|
|08/11/2015 |Modified 3.1.5 to remove SSL |Andrew Smith|
|02/12/2015 |Added 3.4 and 3.4.1 |Andrew Smith|
|01/11/2016 |Changed TGGC to Gemporia |Andrew Smith|
|07/11/2016 |Added 3.4.2 |Andrew Smith|