Simphony v2 Antivirus Recommendations

Similar documents
Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT

MICROS e7 Version 2.7 Patch 1 Upgrade Best Practices

GFI White Paper PCI-DSS compliance and GFI Software products

Types of cyber-attacks. And how to prevent them

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Best Practices (Top Security Tips)

Security Industry Market Share Analysis

Securing The Data. Payment System Forum Bank Negara Malaysia. 27 th November Murugesh Krishnan Head of Risk, South & Southeast Asia

The Business Case for Security Information Management

Agilent OpenLAB. Data Store. Disaster Recovery Plan

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

The PCI DSS Compliance Guide For Small Business

IBM Tivoli Endpoint Manager for Security and Compliance

Getting Started with Symantec Endpoint Protection

La règlementation VisaCard, MasterCard PCI-DSS

Benefits of Integrated Credit Card Processing Within Microsoft Dynamics GP. White Paper

Security Industry Market Share Analysis

EView/400i Management Pack for Systems Center Operations Manager (SCOM)

PCI Compliance. Top 10 Questions & Answers

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Why Is Compliance with PCI DSS Important?

Introduction. PCI DSS Overview

PANO MANAGER CONNECTOR FOR SCVMM& HYPER-V

Streamlining Web and Security

Windows Small Business Server 2003 Upgrade Best Practices

Project Title slide Project: PCI. Are You At Risk?

Microsoft Security Intelligence Report volume 7 (January through June 2009)

General Information. About This Document. MD RES PCI Data Standard November 14, 2007 Page 1 of 19

Trend Micro OfficeScan Best Practice Guide for Malware

PCI Compliance Top 10 Questions and Answers

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

CORPORATE AV / EPP COMPARATIVE ANALYSIS

MICROS e7 Credit Card Security Best Practices

Sophos Computer Security Scan startup guide

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

5nine Security for Hyper-V Datacenter Edition. Version 3.0 Plugin for Microsoft System Center 2012 Virtual Machine Manager

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Windows Hard Disk Encryption

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

Spotlight Management Pack for SCOM

Best Practices for Running Symantec Endpoint Protection 12.1 on Point-of- Sale Devices

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Insight. Security Response. Deployment Best Practices

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Mitigating Card System Breaches. October 11, :00 pm 2:50 pm

Windows Embedded Security and Surveillance Solutions

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

IBM Endpoint Manager for Core Protection

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Xerox Products and Anti-Virus Software

Did you know your security solution can help with PCI compliance too?

Data Management Policies. Sage ERP Online

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Dell Statistica. Statistica Document Management System (SDMS) Requirements

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

SIMATIC. Process Control System PCS 7 Configuration Symantec Endpoint Protection (V12.1) Preface 1. Virus scanner administration 2.

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Observations from the Trenches

Evolutions in Browser Security

PCI Requirements Coverage Summary Table

Password Management. Password Management Guide HMS 9700

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Secure Your Mobile Workplace

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

Payment Card Industry (PCI) Data Security Standard

An Oracle Technical White Paper May How to Configure Kaspersky Anti-Virus Software for the Oracle ZFS Storage Appliance

The McAfee SECURE TM Standard

New PCI Standards Enhance Security of Cardholder Data

How to Configure Symantec Protection Engine for Network Attached Storage for the Oracle ZFS Storage Appliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

NETWORK AND INTERNET SECURITY POLICY STATEMENT

IBM Tivoli Endpoint Manager for Security and Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

How To Protect Your Data From Being Stolen

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Symantec AntiVirus Corporate Edition Patch Update

Payment Card Industry (PCI) Data Security Standard

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

Dell One Identity Cloud Access Manager SonicWALL Integration Overview

Brief Solution Description

Installation Guide Supplement

Payment Card Industry Data Security Standard Explained

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Payment Card Industry (PCI) Data Security Standard

Transcription:

DECLARATIONS WARRANTIES Although the best efforts are made to ensure that the information in this document is complete and correct, MICROS Systems, Inc. makes no warranty of any kind with regard to this material, including but not limited to the implied warranties of marketability and fitness for a particular purpose. Information in this document is subject to change without notice. MICROS Systems, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this document. COPYRIGHT 2014 MICROS Systems, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express prior written consent of the publisher. MICROS Systems, Inc. retains the right to update or change the contents of this document without prior written notice. MICROS Systems, Inc. assumes no responsibility for the contents of this document. 2014 MICROS Systems, Inc. DOCUMENT INFORMATION GENERAL INFORMATION Document Name: Simphony Antivirus Recommendations.doc Last Edited: 03/06/2014 Document Revision: 1.1 Simphony Product Version: 2x Prepared By: Gabe Shulman AUDIENCE This document is intended to be read by members of the following groups: - Product Development - Product Management - Account Management - Sales - Marketing 2014 MICROS Systems, Inc. Declarations 2

USAGE The information contained in this document is provided to give guidance on how to deploy and configure antivirus software for use with MICROS Simphony. SOFTWARE VERSION NOTICE The information contained within this document is based on the Simphony v2 product version. 3 2014 MICROS Systems, Inc. Declarations

CONTENTS DECLARATIONS... 2 WARRANTIES... 2 COPYRIGHT... 2 DOCUMENT INFORMATION... 2 SOFTWARE VERSION NOTICE... 3 CONTENTS... 4 VERSION CONTROL... 5 ABBREVIATIONS... 5 OVERVIEW... 6 PCI DSS... 6 SIMPHONY DEVICE USAGE... 7 ANTIMALWARE... 7 RECOMMENDATIONS... 8 GENERAL ANTIVIRUS CONFIGURATION RECOMMENDATIONS... 8 SERVER RECOMMENDATIONS... 8 CLIENT RECOMMENDATIONS... 10 2014 MICROS Systems, Inc. Contents 4

VERSION CONTROL Version Date Editor Changes 1.0 3/10/2014 G Shulman Original 1.1 4/3/2014 N Low Content edits and formatting changes ABBREVIATIONS Abbreviation AV PCI DSS POS R&D Explanation Antivirus Payment Card Industry Data Security Standard Point-of-Sale Research & Development 5 2014 MICROS Systems, Inc. Version Control

OVERVIEW MICROS Systems, Inc. strongly recommends that Antivirus (AV) software be installed and maintained on all devices which are deployed in the payment network used by MICROS Simphony v2 (referred to as the Cardholder Data Environment or CDE) and have commercially available AV solutions. The following Point-of-Sale (POS) devices are commonly found on the CDE on which AV software should be installed and maintained: Application and Database servers Point-of-Sale Clients Shared Services Clients In addition to the devices which are managed and controlled by the POS application, any other device that is deployed within the CDE or connects to the CDE should also have AV software installed on it, such as: Back Office PCs Manager s Laptops Third Party Integration Servers The following list contains operating systems that are known to have commercially available AV solutions: Microsoft Windows XP Microsoft Windows 7 Microsoft Windows POS Ready 7 Microsoft Windows POS Ready 2009 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 MICROS does not endorse or recommend any particular AV solutions or software packages. The MICROS Simphony Engineering and Quality Assurance teams develop and test the Simphony software on computers that have antivirus software installed on them. The machines are typically configured to use either the Symantec End Point Security or Microsoft Security Essentials packages. From the Simphony application perspective, MICROS clients may use any AV solution that is compatible with the hardware and operating system on which it is installed. In the unlikely event a compatibility issue is discovered between Simphony and the AV software, MICROS will endeavor to assist the client with resolving the problem through the normal support channels. PCIDSS The Payment Card Industry Data Security Standard (PCIDSS) establishes requirements and regulations for the use of antivirus software within the CDE. MICROS clients are strongly encouraged to work with a Payment Card Industry Security Standards Council (PCISSC) certified Qualified Security Assessor (QSA) to ensure that their AV implementation and infrastructure as a whole complies with the applicable terms of the PCIDSS. Information regarding the PCIDSS can be found on the PCISSC Web site at this link: https://www.pcisecuritystandards.org/security_standards/ 2014 MICROS Systems, Inc. overview 6

COMPENSATING CONTROLS Compensating Controls are solutions design to meet the criteria established by the PCIDSS specification when that specification is not able to be implemented for a legitimate technical reason. According to PCI DSS (Appendix B, pg. 109) Compensating Controls must satisfy the following criteria: Meet the intent and rigor of the original PCI DSS requirement. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. Be above and beyond other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When discussing a Compensation Control for antivirus software, MICROS clients must consult with their QSA to identify a viable option that safeguards their system as well as an antivirus software would. If that is the case, the above recommendations need not be adhered to. SIMPHONY DEVICE USAGE To mitigate virus or malware infections, MICROS strongly recommends that its users not use any of the Simphony POS devices or any other devices deployed on the CDE for any purpose other than its primary purpose. By avoiding Web surfing, social networks, downloading non-essential files or programs, personal email, streaming files and other recreational activities, the probability of a virus or malware infection can be greatly reduced. ANTIMALWARE In addition to antivirus software solutions, there are antimalware solutions that are commercially available that could be used to provide additional protection for the CDE. Malware, by definition, is intrusive and malicious software that attempts to gain access to computers via email, viruses, Trojan horses and other means of conveyance. Most antivirus software has one form of antimalware or another and it is something that customers must be cognizant of when selecting an antivirus tool. In most cases where the devices are dedicated for use only as part of the POS system and do not allow activities such as Web surfing or checking email, the additional protection provided by antimalware solutions is not necessary. 7 2014 MICROS Systems, Inc. overview

RECOMMENDATIONS GENERAL ANTIVIRUS CONFIGURATION RECOMMENDATIONS AV software should be configured to regularly perform the following activities: Check for definition updates o These are generally provided either by a corporate definition management server or from the AV software vendor itself Check for software updates o Vendors will update their antivirus software and will typically deploy these updates through the same mechanism that distributes definition updates Exclude specific files, file types, or directories from real time scanning o This feature is used to ensure that the AV software does not cause system performance degradation Perform scheduled full system scans o This feature ensures that infrequently checked or files excluded from the real time scan do not get infected SERVER RECOMMENDATIONS This section discusses specific configuration requirements for any AV solution that is used with Simphony. These recommendations are provided to mitigate the possibility of the AV software adversely affecting system performance. MICROS clients should review these recommendations with their QSA to ensure that the deployment still meets the PCIDSS requirements. There are two server deployments which are commonly used that are discussed in this document: Single Server o Contains both the database and application components Split Servers o Typically consists of the database components on a dedicated server and the application server components on one or more servers. For single server deployments, the recommendation for both the database and application apply to the server. When using split servers, use the recommendation for the specific role that the server will be used for. ENTERPRISE DATABASE RECOMMENDATIONS MICROS Simphony is supported on both Microsoft SQL Server and Oracle database platforms. Each vendor maintains recommendations for configuring AV software in a manner that is least likely to cause performance 2014 MICROS Systems, Inc. Recommendations 8

issues with the database. MICROS recommends that users review the guidance provided by these vendors and follow it as best as possible. In both cases, the vendors recommend disabling the real time scanner component of the database data and log files to ensure that scanning activities do not slow data access time. The real time scanning feature should continue to be used for the application and operating system files and directories. Daily scans of the hard drives should be configured to occur when the system is at its lowest volume of activity. MICROSOFT SQL SERVER The page located at the following URL is Microsoft s support article where this topic is covered in depth. The recommendations contained in this article should be followed when configuring AV software on a server that is running SQL Server. http://support.microsoft.com/kb/309422 ORACLE Oracle s documentation for the configuration of antivirus on a Windows Server Running an Oracle Database is contained in support document (782354.1). This document may be accessed through Oracle support. The following information was taken from the article, which is dated 01-MAR-2013. When an AV performs a scan on a file it holds a lock on it. This lock interrupts the normal functioning of the database. To prevent any disaster situation such as database crash/hang, we recommend the following files to be excluded from online anti-virus scanning. Oracle datafiles Control files Redo-log files Archived redo-log files if database is in archive log mode Files with extension '.ora' Password file Files with extension '.log' under ORACLE_HOME You can also contact your anti-virus vendor to know more on the details of the scanning mechanism of the particular anti-virus software and for any additional Oracle files that has to be excluded from the scanner There are numerous Oracle partner, antivirus software, and database (DB) support sites that reference this article and present the same guidance. ENTERPRISE APPLICATION RECOMMENDATIONS Neither the Simphony POS nor Simphony Reporting application components have any recommended file exclusions which should be configured. 9 2014 MICROS Systems, Inc. Recommendations

CLIENT RECOMMENDATIONS The Simphony client software is supported on a wide range of operating systems, many of which should have antivirus software installed on them. The following operating systems are supported by the Simphony client and are known to have AV software packages commercially available: Microsoft Windows XP Microsoft Windows 7 Microsoft Windows POS Ready 7 Microsoft Windows POS Ready 2009 Microsoft Windows Server 2008 R2 NOTE: The list above is not necessarily an all-inclusive list of every operating system that could require antivirus software. Remember to check with a PCISSC QSA if there are any questions about whether or not a specific operating system or variant requires antivirus software. To obtain a list of PCISSC certified QSAs, please visit the PCISSC Web site at the link below: https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php There are no special recommendations for file exclusions on the Simphony clients. 2014 MICROS Systems, Inc. Recommendations 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information