Partner Addendum
Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

The findings and recommendations contained in this document are provided by VMware certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments.

More information about Coalfire can be found at
If you require more information specific to this solution guide, you may contact us here:

SOLUTION GUIDE ADDENDUM 1
Table of Contents

1. Introduction
2. Cloud Computing
3. Overview of PCI as it Applies to Cloud/Virtual Environments
4. Symantec PCI Compliance Solution
5. Symantec PCI Requirements Matrix (Overview)
1. Introduction

Companies today face an increasingly toxic threat landscape. True information protection is more than antivirus. With Symantec's new VMware integrations, Symantec is enabling customers to proactively protect their information whether it is in a physical or virtual environment. Together, Symantec and VMware are taking protection to the next level to give companies the confidence to fully embrace virtualization and realize the cost savings and efficiency it brings.

Symantec and VMware continue to collaborate to ensure customers have both the security and compliance controls necessary for cloud deployments, both on and off premises. Symantec plans to leverage VMware vShield Endpoint with its endpoint security offerings to maximize performance in Virtual Desktop Infrastructure (VDI) and virtual server environments without sacrificing powerful security. Symantec has also developed additional integrations with VMware in key areas such as Data Loss Prevention, critical infrastructure hardening, and log management.

With Symantec's advanced optimizations for VMware, you will be able to secure your virtualized infrastructure. Symantec's high-performing infrastructure software provides the enterprise-scale data protection capabilities that enable you to deploy the most mission-critical workloads on VMware.

The Symantec products covered in this addendum are:
- Symantec Control Compliance Suite
- Symantec Critical System Protection
- Symantec Security Information Manager
- Symantec Data Loss Prevention
- Symantec Encryption Products
- Symantec Endpoint Protection
VMware

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How to be PCI compliant in a VMware Private Cloud" by providing helpful information for VMware architects, the compliance community, and third parties.

The PCI Private Cloud Use Case is comprised of four VMware product suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOps), and View. These product suites are described in detail in the VMware Solution Guide for PCI. The use case also provides readers with a mapping of the specific PCI controls to VMware's product suites, partner solutions, and the organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its partners can provide a solution that addresses over 70% of the PCI DSS requirements.

Figure 2: PCI Requirements.
Figure 3: VMware + Symantec Product Capabilities for a Trusted Cloud
Figure 4: Help Meet Customers' Compliance Requirements to Migrate Business-Critical Apps to a VMware vCloud.
2. Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows ( computing/public cloud/faqs.html):

Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

- Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.
- Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
- Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.
- Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:
- computing/index.html#tab3 (VMware Cloud Computing Overview)
- computing/cloud architecture/vcat toolkit.html (VMware's vCloud Architecture Toolkit)

When an organization is considering the potential impact of cloud computing on their highly regulated and critical applications, they may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?
The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business-critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware's vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resulting compliance report provides a detailed rule-by-rule indication of pass or fail against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation.

To download the free compliance checkers, click on the following link: chk&lp=default&cid= mjsmaaw

For more information on VMware compliance solutions for PCI, please visit security compliance/protect critical applications.html
3. Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss. The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, virtual- and cloud-specific guidance is addressed in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).
Figure 7: Navigating PCI DSS

The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided "AS IS". VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.
4. Symantec PCI Compliance Solution

Symantec has a wide range of VMware-integrated products to help with meeting compliance requirements. To make it easier for customers to identify the correct product or products, Symantec has mapped each of its products against the PCI standard. The table below shows the mapping of some customer requirements to Symantec products and how they relate to the PCI standard. Symantec's industry-leading security, data protection, and management products and services provide excellent coverage across PCI DSS Requirements and Prioritized Approach Milestones, for cross-compatible protection that includes:

Table 2: Symantec Solutions

Solution: Control Compliance Suite
Description: Symantec Control Compliance Suite automates the compliance process from policy definition through assessment, remediation and reporting. Control Compliance Suite uses centralized vulnerability and control assessments to provide seamless discovery of unknown or unauthorized virtual machines to reduce security risk in the physical and virtual infrastructure. Leveraging VMware-published security standards, Control Compliance Suite is also able to assess virtual settings to identify areas of risk and help prioritize remediation efforts. This helps prevent application failure or data corruption on virtual machines, while facilitating compliance with mandates such as PCI or HIPAA. In addition, Control Compliance Suite can ensure that the VMware process guidelines are being followed with procedural questionnaires while automatically reporting on configuration changes, patch levels and critical policy violations on VMware vSphere.
The products that support Symantec's Control Compliance Suite are:
- Control Compliance Suite Standards Manager
- Control Compliance Suite Policy Manager
- Control Compliance Suite Assessment Manager
- Control Compliance Suite External Data Integration
- Control Compliance Suite Ad Hoc Query
- Control Compliance Suite Vulnerability Manager

Solution: Symantec Critical System Protection
Description: Critical System Protection currently protects ESX guests and hypervisors with granular, policy-based controls. Symantec supports VMware vSphere 5, leveraging out-of-the-box VMware-prescribed server security policies for ESXi and VMware vCenter that will enable organizations to identify server compliance violations and suspicious activity in real time, limit administrative control, restrict network communications, and prevent file and configuration tampering of the virtual infrastructure. Because Symantec Critical System Protection is a non-signature, policy-based technology, it also allows organizations to stop unauthorized services from running on servers and protect against zero-day attacks, without impacting system performance.
Solution: Symantec Data Loss Prevention
Description: Data Loss Prevention addresses the growing challenge organizations face in finding and protecting their intellectual property wherever it resides. Integration with VMware vCloud Networking and Security App enables Symantec customers to more easily find and locate their most valuable information across their virtual environments. Symantec Data Loss Prevention makes it easier for customers to identify and remediate potential data loss in their virtual environments by automatically separating virtual machines that contain sensitive information from those that do not.
The products are:
- Symantec Data Loss Prevention for Network
- Symantec Data Loss Prevention for Endpoint
- Symantec Data Loss Prevention for Mobile
- Symantec Data Loss Prevention for Storage
- Symantec Data Loss Prevention Enforce Platform

Solution: Symantec Encryption Products
Description: Symantec Encryption encompasses a wide range of PGP products. Data protection through encryption plays a very important part in protecting card data. From to full disk encryption, Symantec provides best-of-class tools and products.
The products are:
- PGP Universal Server
- PGP Universal Gateway (PGP PDF Messenger is an add-on for Gateway)
- PGP Command Line
- PGP NetShare
- PGP Whole Disk Encryption
- PGP Desktop (PGP for BlackBerry is an add-on for Desktop)

Solution: Symantec Endpoint Protection
Description: Optimized Endpoint Protection for High-Density Virtual Environments. Symantec plans to leverage VMware vShield Endpoint with its endpoint security offerings to maximize performance in Virtual Desktop Infrastructure (VDI) and virtual server environments without sacrificing powerful security. Available in the second half of 2012, these solutions will offload critical security analysis from protected virtual machines to a dedicated security virtual appliance, resulting in optimized scan performance, reduced resource utilization, and increased management visibility. Built upon Symantec Insight, these solutions will provide fast and effective endpoint security for VMware environments, offering unique protection against modern polymorphic malware, zero-day attacks, and rootkits.
Solution Guide for Payment Card Industry (PCI)

Figure 9: Symantec VMware Integration
5. Symantec PCI Requirements Matrix (Overview)

Table 3: Symantec PCI DSS Requirement

Columns: PCI DSS Requirement | Number of PCI Requirements | Control | Symantec Critical System | Symantec Security | Symantec Data Loss | Symantec Encryption | Symantec Endpoint | Collective Total Controls Addressed by Symantec

Rows:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes.
- Requirement 12: Maintain a policy that addresses information security for all personnel.
- TOTAL

Note: Control totals do not add up to 297 due to overlapping features of Symantec products.
Symantec Control Compliance Suite

Symantec Control Compliance Suite automates the compliance process from policy definition through assessment, remediation and reporting. Control Compliance Suite uses centralized vulnerability and control assessments to provide seamless discovery of unknown or unauthorized virtual machines to reduce security risk in the physical and virtual infrastructure. Leveraging VMware-published security standards, Control Compliance Suite is also able to assess virtual settings to identify areas of risk and help prioritize remediation efforts. This helps prevent application failure or data corruption on virtual machines, while facilitating compliance with mandates such as PCI or HIPAA. In addition, Control Compliance Suite can ensure that the VMware process guidelines are being followed with procedural questionnaires while automatically reporting on configuration changes, patch levels and critical policy violations on VMware vSphere.

Table 4: Applicability of PCI Controls to Symantec Control Compliance Suite

PCI DSS v2.0 Applicability Matrix

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1, 2.2.a, 2.2.b, 2.2.c, a, b, b, c, a, b, c, 2.3.b

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.1.b, 6.2.a, 6.2.b

Description (Requirements 2 and 6): Control Compliance Suite validates configuration settings through the use of custom-configured policies or with standards set by industry-recognized organizations such as CIS, ISO, NIST or COBIT. This validation of system configuration will help identify and alert system administrators to systems that fall out of compliance with configuration standards. Through review of configuration, unnecessary or insecure services can be identified, reported on, and corrected by system administrators.

Control Compliance Suite, which has several modules, is documented to perform the following functions:
- Patch assessments for deployed patches, which can provide a mechanism to validate that patches are deployed within the required timelines.
- Scans the network to discover devices running on it.
- Probes vulnerabilities of the discovered devices.
- Discovers the data which is associated with each device, for example, installed software and services running on the devices.
- Discovers external attacks such as vulnerability exploits, malicious file downloads, SQL injections or buffer overflows, as well as insider abuse such as changing permissions and tampering with system or application files.
- With Control Compliance Suite, a risk score is used to quantify the risk that is associated with an asset in your organization, based on CVSS scoring.
- The capability to scan a target computer to locate and identify the presence of known vulnerabilities and evaluate software patch status. The patch status is evaluated to determine compliance with a defined patch policy using the target computer's logon privileges.
Requirement 8: Assign a unique ID to each person with computer access
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security for all personnel.
Controls addressed: 8.1, 8.5.4, 8.5.5, a, a, b, a, b, a, b, a, b, , a, b, c, a, b, c , 12.2, , 12.4

Description (Requirements 8, 11 and 12): Authenticated Vulnerability and Patch Scanner that provides the capability to scan a target computer to locate and identify the presence of known vulnerabilities and evaluate software patch status. The patch status is evaluated to determine compliance with a defined patch policy using the target computer's logon privileges.

Control Compliance Suite, which has several modules, is documented to perform the following functions:
- The Entitlements view in Control Compliance Suite facilitates the monitoring of access rights in the organization. The Entitlements view provides the means to efficiently gather permissions data from the various platforms and enables the user to generate reports.
- Policy elements such as password complexity, length and other values can be audited for using custom policies or policies from industry standards such as NIST, ISO or COBIT.

CCS Vulnerability Manager does the following:
- Scans the network to discover devices running on it.
- Probes vulnerabilities of the discovered devices.
- Discovers the data which is associated with each device, for example, installed software and services running on the devices.

CCS Vulnerability Manager generates the data which is mainly associated with the devices. The data comprises the list of scans which are performed on the network, discovered devices, and associated vulnerabilities for discovered devices. Risk ratings are based on CVSS.

The policy management module can support compliance in the following way. The policy management module of CCS simplifies the process of complying with multiple mandates to improve the security and compliance posture of your environment. The module provides pre-shipped policy content mapped to technical and procedural controls. Policy updates are made on changes to regulations and frameworks. You can report on policy compliance through reports and web-based dashboards. By mapping policies to control statements, you connect the mandates that you must comply with to the security and configuration assessment policies that validate compliance.
Symantec Critical System Protection

Critical System Protection protects guests and hypervisors with granular, policy-based controls. Symantec supports VMware vSphere 5, leveraging out-of-the-box VMware-prescribed server security policies for ESXi and VMware vCenter that will enable organizations to identify server compliance violations and suspicious activity in real time, limit administrative control, restrict network communications, and prevent file and configuration tampering of the virtual infrastructure. Because Symantec Critical System Protection is a non-signature, policy-based technology, it also allows organizations to stop unauthorized services from running on servers and protect against zero-day attacks, without impacting system performance.

Table 5: Applicability of PCI Controls to Symantec Critical System Protection

PCI DSS v2.0 Applicability Matrix

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.3.5, 1.3.7, 1.4.a, 1.4.b
Description: The Critical System Protection host-based firewall enables organizations to control inbound and outbound network traffic to and from servers.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.2.a, 2.2.b, 2.2.c, 2.2.d, a, b, c, a

Requirement 5: Use and regularly update anti-virus software or programs
Controls addressed: 5.2.b, 5.2.c, 5.2.d

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: , , , , ,

Description (Requirements 2, 5 and 10): Symantec Critical System Protection has the ability to control process behavior by allowing or disallowing specific actions. These configurations are managed with existing policies or by creating custom policies. These policies can be used to support specific system configuration requirements that include security-specific parameters. Symantec Critical System Protection can support prevention policies that restrict applications and services to specific behaviors and will prevent inappropriate modification of or access to system resources. Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and Windows registry settings. Symantec Critical System Protection monitoring provides:
- Real-time monitoring: Increases detection of changes to system, data and application files, registry keys, and configuration settings, and notifies on inappropriate user and application behaviors.
- Event logging and reporting: Promotes effective host integrity and efficient demonstration of compliance with consolidated event logs and advanced log analysis capabilities for high availability and security across heterogeneous platforms.
- Integration with SIEM: Data collectors are built for Symantec SIM and third-party SIEM products to enable real-time log management and correlation.

Requirement 11: Regularly test security systems and processes.
Controls addressed: 11.4.a, 11.4.b, 11.4.c, 11.5.a, 11.5.b
Description: The Symantec Critical System Protection suite includes both host-based IDS/IPS and File Integrity Monitoring components. These components can be configured to detect and alert personnel to potential issues. Symantec provides out-of-the-box policies to configure IDS/IPS for Windows systems.
Symantec Security Information Manager

Security Information Manager will enable organizations to seamlessly identify and respond to security threats that impact business-critical applications across both their physical and virtual infrastructures. Through integration with the VMware vCloud Networking and Security log management collector, SSIM correlates virtual machine activity with events from the physical environment as well as Symantec's global intelligence network to give a holistic view of an organization's security posture. Organizations can use Symantec Security Information Manager to perform malicious activity assessments for their entire environment, physical and virtual, gaining immediate insight into malicious activity and threats inside both their physical and virtual infrastructure.

Table 6: Applicability of PCI Controls to Symantec Security Information Manager

PCI DSS v2.0 Applicability Matrix

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, , , , , , , , , , , , , , , , , , 10.6.a, 10.7.a, 10.7.b
Description: Symantec Security Information Manager:
- Can enable organizations to produce executive, technical, and audit-level reports that are highly effective at communicating risk levels and the security posture of the organization.
- Can help organizations gain visibility into user access of systems and produce audit trails showing access and changes to critical applications and assets.
- Can help keep track of user behaviors relative to sensitive data, changes in access privileges, failed login attempts and other events that can collectively indicate disruptive incidents.
- Contains logging information that identifies the user, the type of event, success or failure of that event, origination, and name of the affected resource.
- Will scan and create file watch lists or asset policies and roles to help prioritize incident identification.
- Enables organizations to collect, store, and analyze log data as well as monitor and respond to security events to meet IT compliance requirements.
- Stores events in a collection of archive files within a specified location. The archive is implemented as a self-maintained module that monitors disk usage and the age of individual archive files. Based on policy, when a specified maximum disk space is reached or files approach their expiration date, the system deletes old archives to make room for new ones.

Requirement 12: Maintain a policy that addresses information security for all personnel
Description: Symantec Security Information Manager uses over 150 predefined source collectors and provides flexible options for customizing the additional collection of unique source logs. This will allow for alerts to be generated and acted upon in support of the incident response process.
Symantec Data Loss Prevention

Symantec's DLP addresses the growing challenge organizations face in finding and protecting their intellectual property wherever it resides. Integration with VMware vCloud Networking and Security App enables Symantec customers to more easily find and locate their most valuable information across their virtual environments. Symantec Data Loss Prevention makes it easier for customers to identify and remediate potential data loss in their virtual environments by automatically separating virtual machines that contain sensitive information from those that do not.

Table 7: Applicability of PCI Controls to Symantec Data Loss Prevention

PCI DSS v2.0 Applicability Matrix

Requirement 3: Protect stored cardholder data
Controls addressed: a, b, d, e, 3.2.a, 3.2.1, 3.2.2, 3.2.3, 3.3, 3.4.a, 3.4.b, 3.4.c, 3.4.d
Description: Symantec Data Loss Prevention covers both agent- and network-based monitoring for sensitive data. Symantec Data Loss Prevention enables you to do the following:
- Locate confidential information on file and web servers, in databases, and on endpoints such as desktop and laptop systems.
- Protect confidential information through quarantine.
- Monitor network traffic for transmission of confidential data.
- Monitor the use of sensitive data on endpoint computers.
- Prevent transmission of confidential data to outside locations.
- Automatically enforce data security and encryption policies.

Data Loss Prevention/Enterprise Vault: Data Loss Prevention for Storage includes Symantec Enterprise Vault. Enterprise Vault enables this by putting intelligence around archive, retention and deletion policies. Relevant items are easily preserved on legal hold and provided to the requesting party through a flexible and auditable export process to simplify production. Manage and files with more granular control for the identification, retention, and deletion of information.

Symantec Data Loss Prevention Discovery and Storage: Advanced endpoint agent tamper-proofing protects you against technically savvy malicious insiders who try to avoid DLP protection by tampering with the Endpoint Agent services and files in Microsoft Windows. Discovery finds and fixes sensitive data: Network Discover finds the sensitive files, Data Insight identifies the owner, and Network Protect can automatically protect the data. The key to risk education is getting the data owners involved in the clean-up process; Data Insight gives you the means to understand ownership.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.2.a
Description: Symantec Data Loss Prevention for the network will be able to monitor and web traffic for sensitive data leaving in an unencrypted form. The local Symantec Data Loss Prevention agent installed on the host will be able to monitor instant messaging traffic for sensitive data.
Symantec Encryption Products

Encryption encompasses a wide range of PGP products. Data protection through encryption plays a very important part in protecting card data. From to full disk encryption, Symantec provides best-of-class tools and products.

Table 8: Applicability of PCI Controls to Symantec Encryption (PCI DSS v2.0 Applicability Matrix)

Requirement 3: Protect stored cardholder data
Controls addressed: 3.4.a, 3.4.c, 3.4.d, a, b, c, 3.5.1, a, b, 3.6.a, 3.6.1, 3.6.2, 3.6.3, 3.6.4, a, b
Description:

Symantec Encryption Products/PGP Key Management: Using the PGP Key Management Server, organizations can monitor access controls from a central location to make sure that all keys stay safe. Key management creates, distributes, and stores encryption keys while maintaining the organization's ability to recover data. It provides a comprehensive system for managing multiple types of encryption keys for use throughout a distributed enterprise with a broad number of applications. It consists of a server that acts as the administrative point, along with a number of methods to connect, including an agent, API, and SDK. Before a key is generated, there must be an established set of policies that define how keys should be created, what workflow must be followed, and the circumstances that govern their usage. Organizations that are concerned about, or required to, rotate keys on a periodic basis may need to set a policy to rotate the key within a given time frame, such as annually. A retired key should be removed from production, but it may need to be kept available, because it might be required under certain circumstances even though it is no longer in use. Keys that are no longer in use and no longer needed may need to be destroyed properly. For example, if an archive tape is stolen, an organization may choose to destroy the key to effectively destroy the ability to recover any data on that tape.

Symantec Endpoint Encryption Removable Storage: Allows enterprise organizations and government agencies to enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion costs associated with data breach incidents. As part of Symantec Endpoint Encryption, Symantec Endpoint Encryption Removable Storage leverages existing IT infrastructures for seamless deployment and operation.

PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them. You can use PGP Whole Disk Encryption and PGP Virtual Disk volumes on the same system. On Windows systems, you can protect whole-disk-encrypted drives with a passphrase or with a keypair on a USB token for added security.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.2.a
Description: PGP Universal Server can be configured to do the following:
- Automatically create and maintain a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their traffic.
- Allow you to send protected messages to addresses that are not part of the SMSA.
- Automatically encrypt, decrypt, sign, and verify messages.
Symantec Endpoint Protection

Symantec plans to leverage VMware vShield Endpoint with its endpoint security offerings to maximize performance in Virtual Desktop Infrastructure (VDI) and virtual server environments without sacrificing powerful security. Available in the second half of 2012, these solutions will offload critical security analysis from protected virtual machines to a dedicated security virtual appliance, resulting in optimized scan performance, reduced resource utilization, and increased management visibility. Built upon Symantec Insight, these solutions will provide fast and effective endpoint security for VMware environments, offering unique protection against modern polymorphic malware, zero-day attacks and rootkits.

Table 9: Applicability of PCI Controls to Symantec Endpoint Protection (PCI DSS v2.0 Applicability Matrix)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 5: Use and regularly update antivirus software or programs
Controls addressed: 1.4.a, 1.4.b; 5.1, 5.1.1, 5.2.b, 5.2.c, 5.2.d
Description:

Symantec Network Access Control: A complete, end-to-end network access control solution that enables organizations to efficiently and securely control access to corporate networks through integration with existing network infrastructures. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides remediation capabilities if needed, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations can realize significant reductions in security incidents and increased levels of compliance with corporate IT security policy. Inbound and outbound traffic is limited to need. The Symantec desktop firewall will police network access, providing host-based network port and protocol enforcement. Peer-to-peer enforcement ensures that client-to-client communication occurs only between the company computers and compliant computers outside the company. Compliant computers have the latest company security policy.

Symantec Endpoint Protection: Real-time SONAR examines programs as they run, identifying and stopping malicious behavior even for new and previously unknown threats. Leveraging Symantec's Global Intelligence Network, Endpoint Protection informs and automates responses to new threats.

Advanced reporting and analytics: Includes IT Analytics, which complements and expands upon the traditional reporting offered by Endpoint Protection by incorporating multi-dimensional analysis and robust graphical reporting in an easy-to-use dashboard.

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.4.a, 11.4.b, 11.4.c
Description: Symantec Endpoint Protection includes network threat protection, which provides intrusion prevention through Generic Exploit Blocking (GE) and a host-based firewall.
Detailed PCI Applicability Matrix for VMware and Symantec

Table 10: PCI Applicability Matrix for VMware

1.1 Establish firewall and router configuration standards that include the following:
Testing procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations.
Testing procedure 1.1.1: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks.
Testing procedure 1.1.2.a: Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.
Testing procedure 1.1.2.b: Verify that the diagram is kept current.

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Testing procedure 1.1.3.a: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Testing procedure 1.1.3.b: Verify that the current network diagram is consistent with the firewall configuration standards.

1.1.4 Description of groups, roles, and responsibilities for logical management of network components.
Testing procedure 1.1.4: Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Testing procedure 1.1.5.a: Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
Testing procedure 1.1.5.b: Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.

1.1.6 Requirement to review firewall and router rule sets at least every six months.
Testing procedure 1.1.6.a: Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
Testing procedure 1.1.6.b: Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
Testing procedure 1.2: Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Testing procedure 1.2.1.a: Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
Testing procedure 1.2.1.b: Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.

1.2.2 Secure and synchronize router configuration files.
Testing procedure 1.2.2: Verify that router configuration files are secure and synchronized; for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are rebooted) have the same, secure configurations.

1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
Testing procedure 1.2.3: Verify that there are perimeter firewalls installed between any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Testing procedure 1.3: Examine firewall and router configurations, including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment, to determine that there is no direct access between the Internet and system components in the internal cardholder network segment, as detailed below.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Testing procedure 1.3.1: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
Testing procedure 1.3.2: Verify that inbound Internet traffic is limited to IP addresses within the DMZ.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
Testing procedure 1.3.3: Verify that direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment.

1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.
Testing procedure 1.3.4: Verify that internal addresses cannot pass from the Internet into the DMZ.

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Testing procedure 1.3.5: Verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.

1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
Testing procedure 1.3.6: Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)

1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other non-trusted networks.
Testing procedure 1.3.7: Verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other non-trusted networks.

1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT)
- Placing servers containing cardholder data behind proxy servers/firewalls or content caches
- Removal or filtering of route advertisements for private networks that employ registered addressing
- Internal use of RFC1918 address space instead of registered addresses
Testing procedure 1.3.8.a: Verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
Testing procedure 1.3.8.b: Verify that any disclosure of private IP addresses and routing information to external entities is authorized.
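The testing procedures for 1.2.1 and 1.3.1 through 1.3.8 above are written as manual review steps. As an added example, not code from this addendum or from any VMware or Symantec product, the following Python script applies the rule-level checks among them (1.2.1.a, 1.2.1.b and 1.3.2 through 1.3.6) to an ordered, first-match rule set so that an assessor can see which rule fails which procedure. The rule format, the DMZ and cardholder-data-environment subnets, and both sample rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Zones are constructed for this example (TEST-NET-3 for the DMZ, RFC1918 space for the
# cardholder data environment); they are not addresses taken from the addendum.
DMZ = ipaddress.ip_network("203.0.113.0/24")
CDE = ipaddress.ip_network("10.20.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" = Internet -> site, "out" = site -> Internet
    src: str                     # source CIDR, "0.0.0.0/0" for any
    dst: str                     # destination CIDR, "0.0.0.0/0" for any
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # None = any port
    justified: bool = False      # a documented business justification exists (1.1.5, 1.3.5)


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _is_any(cidr: str) -> bool:
    return _net(cidr).prefixlen == 0


def _is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and _is_any(rule.src) and _is_any(rule.dst)
            and rule.proto == "any" and rule.port is None)


def _spoof_denied_before(rules: List[Rule], idx: int, private: ipaddress.IPv4Network) -> bool:
    """True if an earlier inbound deny rule already drops packets from the given private range."""
    return any(r.direction == "in" and r.action == "deny" and _is_any(r.dst)
               and private.subnet_of(_net(r.src)) for r in rules[:idx])


def audit_ruleset(rules: List[Rule], stateful: bool) -> List[str]:
    """Evaluate an ordered rule set against PCI DSS v2.0 testing procedures 1.2.1 and 1.3.x.

    Returns one finding per failed check, prefixed with the testing-procedure number.
    """
    findings: List[str] = []
    # 1.3.6: stateful inspection is a property of the firewall, not of a rule, so it is a flag.
    if not stateful:
        findings.append("1.3.6: firewall does not perform stateful inspection")
    # 1.2.1.b: all other traffic must be specifically denied, i.e. each chain ends in deny-all.
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not _is_deny_all(chain[-1]):
            findings.append(f"1.2.1.b: {direction}bound chain does not end in an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        if r.direction == "in":
            # 1.2.1.a: inbound traffic limited to documented, necessary services.
            if r.proto == "any" or r.port is None or not r.justified:
                findings.append(f"1.2.1.a: rule {i} permits inbound traffic without a documented, necessary service")
            # 1.3.2: inbound Internet traffic limited to IP addresses within the DMZ.
            if not dst.subnet_of(DMZ):
                findings.append(f"1.3.2: rule {i} permits inbound traffic to {r.dst}, outside the DMZ")
            # 1.3.3 / 1.3.7: no direct Internet connection to the segment storing cardholder data.
            if dst.overlaps(CDE):
                findings.append(f"1.3.3: rule {i} permits a direct inbound connection to the cardholder data environment")
            # 1.3.4: internal (RFC1918) source addresses must not pass from the Internet into the DMZ.
            for private in RFC1918:
                if src.overlaps(private) and not _spoof_denied_before(rules, i, private):
                    findings.append(f"1.3.4: rule {i} accepts inbound traffic claiming internal source {private}")
        elif src.overlaps(CDE) and not r.justified:
            # 1.3.5: outbound traffic from the CDE to the Internet must be explicitly authorized.
            findings.append(f"1.3.5: rule {i} permits unauthorized outbound traffic from the cardholder data environment")
    return findings


def compliant_ruleset() -> List[Rule]:
    """Constructed sample that passes every check above."""
    return [
        Rule("deny", "in", "10.0.0.0/8", "0.0.0.0/0"),       # anti-spoofing denies first (1.3.4)
        Rule("deny", "in", "172.16.0.0/12", "0.0.0.0/0"),
        Rule("deny", "in", "192.168.0.0/16", "0.0.0.0/0"),
        Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, justified=True),  # DMZ web tier
        Rule("deny", "in", "0.0.0.0/0", "0.0.0.0/0"),         # explicit deny-all (1.2.1.b)
        Rule("allow", "out", "10.20.5.0/24", "0.0.0.0/0", "tcp", 443, justified=True),    # authorized CDE egress
        Rule("deny", "out", "0.0.0.0/0", "0.0.0.0/0"),
    ]


def noncompliant_ruleset() -> List[Rule]:
    """Constructed sample showing typical audit failures."""
    return [
        Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, justified=True),  # no anti-spoofing
        Rule("allow", "in", "0.0.0.0/0", "10.20.1.15/32", "tcp", 1433),                   # Internet -> CDE DB
        Rule("allow", "out", "10.20.0.0/16", "0.0.0.0/0"),                                  # CDE -> anywhere
    ]
```

Running `audit_ruleset(noncompliant_ruleset(), stateful=True)` lists twelve findings, including the missing final deny-all in both directions and the direct Internet-to-CDE database rule; the compliant set returns an empty list.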
1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.
Testing procedure 1.4.a: Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization's network, have personal firewall software installed and active.
Testing procedure 1.4.b: Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by users of mobile and/or employee-owned computers.

2.1 Always change vendor-supplied default settings before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Testing procedure 2.1: Choose a sample of system components, and attempt to log on (with system administrator help) to the devices using default vendor-supplied accounts and passwords, to verify that default accounts and passwords have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
Testing procedure 2.1.1: Verify the following regarding vendor default settings for wireless environments:
Testing procedure 2.1.1.a: Verify encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions.
Testing procedure 2.1.1.b: Verify default SNMP community strings on wireless devices were changed.
Testing procedure 2.1.1.c: Verify default passwords/passphrases on access points were changed.
Testing procedure 2.1.1.d: Verify firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks.
Testing procedure 2.1.1.e: Verify other security-related wireless vendor defaults were changed, if applicable.