BMC BSM for PCI DSS Addressing PCI DSS File Integrity Monitoring SOLUTION WHITE PAPER

Transcription

1 BMC BSM for PCI DSS Addressing PCI DSS File Integrity Monitoring SOLUTION WHITE PAPER

2 TABLE OF CONTENTS INTRODUCTION » ABOUT PCI DSS FILE INTEGRITY MONITORING » BEGIN WITH THE END IN MIND » PCI DATA SECURITY STANDARD REQUIREMENTS AND FIM » WHAT IS BMC BUSINESS SERVICE MANAGEMENT HOW BMC BSM RESOLVES PCI DSS FIM REQUIREMENTS BMC BSM FOR PCI DSS FILE INTEGRITY MONITORING CONCLUSIONS

3 INTRODUCTION ABOUT PCI DSS FILE INTEGRITY MONITORING The Payment Card Industry (PCI) Data Security Standard (DSS) encourages and enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally. Consumers, trading partners, regulators, legislators and shareholders demand that organizations accepting credit card payments comply with the credit card industry s PCI DSS (Payment Card Industry Data Security Standard). Companies that fail to protect consumer data stand to lose millions of dollars in fi nes, lost sales, reduced shareholder value and squandered customer confi dence. The PCI DSS is comprised of six Major Groups that contain the twelve Major Requirements, which refer to over 210 specifi c requirements. The sheer volume of individual specifi c requirements suggests a stepwise and phased approach utilizing risk weighting and value prioritization, based on a company s unique parameters. It is important to do the right things the right way. An interesting and common characteristic amongst modern Regulations and Frameworks is that the PCI DSS is comprised of both technical control compliance and governance standards. Examples of PCI DSS technical control compliance standards include Protect Cardholder Data and Regularly Monitor and Test Networks. An example of a PCI DSS governance standard is Maintain an Information Security Policy. BEGIN WITH THE END IN MIND Protecting cardholder data is the core goal and purpose of the PCI DSS. Beginning your initiative by using standardized and repeatable manual processes to Regularly Monitor and Test Networks (one of the major requirements of the PCI DSS) is a practical approach. Similarly, utilizing a manual review and attestation process to meet the requirement to Maintain an Information Security Policy is a common fi rst step for this governance standard. A common requirement for both of these standards is ensuring the integrity of critical data fi les, audit trails, and logs. These data elements are used both as evidence and as sources for the control, review, and monitoring activities that are common to the entire PCI Data Security Standard. Starting with a manual review and monitoring process based upon trustworthy data requires File Integrity Monitoring (FIM) for critical system fi les, confi guration fi les, content fi les and log fi les that constitute required audit trails. As such, the PCI DSS dictates the use of File Integrity Monitoring. PCI DATA SECURITY STANDARD REQUIREMENTS AND FIM The following illustrates three of the twelve PCI DSS Major requirements that ensure the integrity of critical system fi les, confi guration fi les, content fi les and log fi les that constitute required audit trails: REGULARLY MONITOR AND TEST NETWORKS PCI DSS Requirement 10 - Track and monitor all access to network resources and cardholder data Requirement Secure audit trails so they cannot be altered. Requirement Use fi le-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). PCI DSS Requirement 11- Regularly test security systems and processes Requirement Deploy fi le-integrity monitoring software to alert personnel to unauthorized modifi cation of critical system fi les, confi guration fi les, or content fi les; and confi gure the software to perform critical fi le comparisons at least weekly. Note: For fi le-integrity monitoring purposes, critical fi les are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defi ned by the entity (that is, the merchant or service provider). 1

4 MAINTAIN AN INFORMATION SECURITY POLICY PCI DSS Requirement 12- Maintain a policy that addresses information security for employees and contractors. Requirement Monitor and control all access to data. WHAT IS BMC BUSINESS SERVICE MANAGEMENT As the recognized leader in Business Service Management (BSM), BMC is uniquely positioned to help you succeed in your PCI DSS compliance efforts. BSM offers a unifi ed approach that enables you to govern the delivery of business services throughout their lifecycle, enforce policies and automate compliance across your entire IT organization mainframe, distributed, and virtual environments. BSM from BMC provides a common and unifi ed platform to secure and protect cardholder data. Integration between products across the BSM portfolio is the cornerstone for addressing PCI DSS requirements. In some cases BSM provides both general support and complete support for all the PCI DSS requirements. A good example is ensuring that environments are confi gured with components required to ensure Primary Account Numbers (PAN) is rendered unreadable with strong cryptography with associated key-management processes and procedures. While BSM does not provide Encryption key management specifi cally, it does provide confi guration compliance audit and automated remediation to ensure the components are confi gured appropriately. In other cases, BSM provides a total solution that integrates governance and risk management, control automation, incident and change management, and policy based measurement and reporting to resolve the standard requirements in a way that exceeds the capabilities of other solutions. The BSM solution for PCI DSS FIM requirements is a good example of a complete solution with enhancements in comparison to other solutions. Every customer has to defi ne both the intensity of the control and the frequency of the associated tests for many requirements in PCI DSS. BSM from BMC Software provides options to meet your unique requirements, from routinely scheduled audits that identify and alert to real time monitors that detect and alert, BMC BSM solutions provide a choice, with integration to the industry s leading IT Service Management suite of solutions to classify, escalate, and track the resulting incidents. BSM solutions from BMC deliver a closed loop FIM that provides the appropriate levels of risk mitigation and superior performance within constraints. HOW BMC BSM RESOLVES PCI DSS FIM REQUIREMENTS REGULARLY MONITOR AND TEST NETWORKS PCI DSS Requirement 10- Track and monitor all access to network resources and cardholder data. Requirement Secure audit trails so they cannot be altered. Requirement Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). Best Practice Process Support /Product Capabilities Solution Commentary Audit/Identify/Alert with BMC BladeLogic Server Automaton Suite BMC BladeLogic Server Automation audits log fi le settings and attributes and can generate an alert AND automate remediation if required. BMC BladeLogic Server Automation can report on any log fi le attribute or setting identified as out of compliance and can generate an incident in BMC Remedy Incident Management to manage and track the incident remediation processes. File Integrity Monitoring on a log that is not confi gured with settings that protect its security and ensures correct recording of the required audit trail required results in incomplete data an inaccurate audit trails. The fi rst assurance that must be addressed is to identify that the settings on the log fi les are as per policy and that they remain in compliance. BMC BladeLogic can independently identify out-of band changes and integrates with ITSM to classify changes that occur outside of the Change Management Process. 2

5 Best Practice Process Support /Product Monitor/Detect/Alert with BMC PATROL KM for Log Management Classify/Escalate/Track with BMC Remedy ITSM Suite Capabilities The BMC PATROL KM for Log Management monitors changes to fi le and log data and generates an alert when that condition occurs. BMC Remedy ITSM Suite provides ITIL certifi ed Incident Management processes for alerts passed from BMC BladeLogic and the BMC PATROL KM for Log Management, providing closed loop FIM compliance. Solution Commentary The BMC PATROL KM for Log Management ALSO provides complete log fi le management capabilities to ensure capacity availability, backup, and general health. BMC Remedy ITSM integration with BMC BladeLogic Server Automation and the BMC PATROL KM for Log Management, provides out-of-the-box closed loop FIM compliance This ensures all rapid risk mitigation for FIM exposures that are detected. REGULARLY MONITOR AND TEST NETWORKS PCI DSS Requirement 11- Regularly test security systems and processes Requirement Deploy fi le-integrity monitoring software to alert personnel to unauthorized modifi cation of critical system fi les, confi guration fi les, or content fi les; and confi gure the software to perform critical fi le comparisons at least weekly. Note- For fi le-integrity monitoring purposes, critical fi les are usually those that do not regularly change, but the modifi cation of which could indicate a system compromise or risk of compromise. File integrity monitoring products usually come pre-confi gured with critical fi les for the related operating system. Other critical fi les, such as those for custom applications, must be evaluated and defi ned by the entity (that is, the merchant or service provider). Best Practice Process Support /Product Capabilities Solution Commentary Audit/Identify/Alert with BMC BladeLogic Server Automaton Suite BMC BladeLogic Server Automation Suite snapshots and audits critical settings and fi le attributes at the most granular level, providing the basis for comparison audits as often as necessary. Confi guration policies based on industry best practices and regulatory controls such as PCI DSS are provided as out-of-box content and can be customized to meet unique requirements. With BMC BladeLogic Server Automation Suite, reports identifying any unauthorized or out of band changes to critical systems and/ or fi le attributes are generated easily. Providing the most granular level snapshots and audits improves the integrity of the comparison audit. Performing critical fi le comparisons with the ability to schedule the comparisons according to policy specifi cations for frequency is a key solution element. Ready to deploy integration between the BMC BladeLogic and BMC Remedy ITSM is another key solution element. BMC BladeLogic can independently identify out-of band changes and integrates with BMC Remedy ITSM to classify changes that occur outside of the Change Management Process, ensuring rapid risk mitigation for identified unauthorized changes to critical settings and fi le attributes. Monitor/Detect/Alert with BMC PATROL KM for Log Management Classify/Escalate/Track with BMC Remedy ITSM Suite The BMC PATROL KM for Log Management monitors for and detects unauthorized modifi cation of critical system fi les, confi guration fi les, or content fi les and issues alerts when such activity occurs. BMC Remedy ITSM Suite provides ITIL certifi ed Incident Management processes for alerts passed from BMC BladeLogic and the BMC PATROL KM for Log Management, providing closed loop FIM compliance. The BMC PATROL KM for Log Management provides log monitoring that goes beyond detecting unauthorized modifi cation of fi les. This includes monitoring for: - size, growth rate, and age - content - state (WARN, ALARM) - numeric comparisons - change in permissions and timestamp. BMC Remedy ITSM integration with BMC BladeLogic Server Automation and the BMC PATROL KM for Log File Management, provides out-of-the-box closed loop FIM compliance. This ensures rapid risk mitigation for detected FIM exposures. 3

6 MAINTAIN AN INFORMATION SECURITY POLICY PCI DSS Requirement 12- Maintain a policy that addresses information security for employees and contractors. Requirement Monitor and control all access to data. Best Practice Process Support /Product Capabilities Solution Commentary Audit/Identify/Alert with BMC BladeLogic Server Automaton Suite Monitor/Detect/Alert with BMC PATROL KM for Log Management Plan/Schedule/Attest with BMC IT Controls Management BMC BladeLogic Server Automaton Suite audits data access settings to enforce compliance. BMC PATROL KM for Log Management monitors unauthorized modifi cation of critical system fi les, confi guration fi les, content fi les and audit logs and issues alerts when such activity occurs. BMC IT Controls Management provides the framework for planning, scheduling, managing, and tracking attestations to policy and procedures that govern monitoring and controlling all access to data. Attesting to a policy that all access to data is monitored and controlled is easier when you know that data access settings are being audited and enforced. Attesting to a policy that all access to data is monitored and controlled is easier when you know that data access settings are being monitored and File Integrity Monitoring is occurring in a managed and auditable way. BMC IT Controls Management with BMC IT Business Management Suite provides the ability to manage Vendors and Suppliers. With this module, oversight of risk and management of contracts and ensures that FIM and other monitoring and control requirements for PCI DSS are part of Multisourced environments. BMC BSM FOR PCI DSS FILE INTEGRITY MONITORING CONCLUSIONS Protecting cardholder data is the core goal and purpose Simply implementing File Integrity Monitoring does not provide a total File Integrity Monitoring solution. A total solution: 1. Ensures the effective and complete exploitation of the investment in FIM software and its implementation: 2. Includes confi guration compliance enforcement to ensure that the FIM software is enabled and confi gured with the correct log settings. 3. Includes FIM software that not only provides monitoring and alerting of unauthorized accesses to and any modifi cation of critical log data, but provides the support to ensure log capacity availability and health. 4. Provides the ability to confi gure critical fi les and provide snapshot based compare audits of critical fi les with near atomic granularity. 5. Provides the ability to perform granular audits to monitor and enforce data access settings. 6. Provides monitoring and alerting for un-authorized modifi cation of critical system fi les, confi guration fi les, and cardholder data content fi les. 7. Provides ready to deploy integration of all the above monitoring and alerting capabilities to an ITIL certifi ed ITSM platform for managed alerting and ticketing, facilitating closed loop FIM. 8. Provides a governance framework to plan, schedule, manage, track and report on attestations to completion of processes required to manage and control all accesses to cardholder data. 9. Provides both integration and flexibility that supports a stepwise and orderly implementation of FIM capabilities. This TOTAL solution is a combination of software products and quality professional services. The ability to provide a platform based closed loop FIM solution based upon out-of-the-box integration with the only ITIL Certifi ed ITSM solution distinguishes the total PCI DSS FIM solution from BMC Software. 4

7 Whether you decide that an audit/identify/alert process or a monitor/detect/alert process is adequate to match your unique policy and controls, only BMC BSM solutions allow a choice, with integration to an industry best practice classify/escalate/track process in ITSM. This enables closed loop FIM that provides appropriate levels of risk mitigation and superior performance within constraints. BMC Business Service Management with the BMC BladeLogic Server Automation Suite, the BMC PATROL KM for Log Management, the BMC Remedy ITSM Suite, the BMC Business Management Suite and BMC IT Controls Management, are integrated and flexible solutions that enable total closed loop File Integrity Monitoring compliance for PCI DSS. 5

8 BUSINESS RUNS ON IT. IT RUNS ON BMC SOFTWARE. Business thrives when IT runs smarter, faster, and stronger. That s why the most demanding IT organizations in the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader in Business Service Management, BMC provides a comprehensive and unifi ed platform that helps IT organizations cut cost, reduce risk, and drive business profi t. For the four fi scal quarters ended March 31, 2010, BMC revenue was approximately $1.91 billion. Visit for more information. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Offi ce, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. UNIX is the registered trademark of The Open Group in the US and other countries. Tivoli and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Offi ce of Government Commerce and is used here by BMC Software, Inc., under license from and with the permission of OGC. ITIL is a registered trademark, and a registered community trademark of the Offi ce of Government Commerce, and is registered in the U.S. Patent and Trademark Office, and is used here by BMC Software, Inc., under license from and with the permission of OGC. All other trademarks or registered trademarks are the property of their respective owners BMC Software, Inc. All rights reserved. *133376*