
SecureTrack: Supporting Compliance with PCI DSS 2.0
March 2012
www.tufin.com

Table of Contents

Introduction ... 3
The Importance of Network Security Operations ... 3
Supporting PCI DSS with Automated Solutions ... 3
SecureTrack Support for PCI DSS Requirements ... 5
  Build and Maintain a Secure Network ... 5
    PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data ... 5
    PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ... 8
  Protect Cardholder Data ... 9
    PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks ... 9
  Maintain a Vulnerability Management Program ... 9
    PCI Requirement 6: Develop and maintain secure systems and applications ... 9
  Implement Strong Access Control Measures ... 9
    PCI Requirement 7: Restrict access to cardholder data by business need-to-know ... 9
  Regularly Monitor and Test Networks ... 10
    PCI Requirement 10: Track and monitor all access to network resources and cardholder data ... 10
    PCI Requirement 11: Regularly test security systems and processes ... 12
  Maintain an Information Security Policy ... 12
    PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors ... 12
Conclusion: Automating PCI DSS Compliance ... 13

Ensuring Compliance with PCI DSS 2/13

Introduction

Since 2004, the major credit card companies have cooperated on a common data security standard, the Payment Card Industry Data Security Standard (PCI DSS). The standard sets requirements for organizations that process card payments in order to help them prevent card fraud, system compromise and other security threats. By aligning with the industry practices defined by PCI DSS, companies can increase the trust of both customers and partners.

The Importance of Network Security Operations

Many of the PCI DSS requirements relate to network security. On the one hand, they are designed to ensure that network security practices eliminate or minimize known risks. On the other hand, they ensure that the organization defines well-structured policies, procedures and practices that can be tracked and audited.

Data is only as secure as the pathways that provide access to it. PCI DSS requires firewalls to limit external access to sensitive data, combined with a formal process for approving and monitoring all changes to firewall configuration. The standard defines a number of aspects of firewall operations that must be tracked and audited regularly, including clear definitions of roles and responsibilities.

Within the organization, PCI DSS specifies ways to strictly limit access to sensitive data. While some requirements relate to technologies such as encryption, many are concerned with organizational practices such as defining and enforcing need-to-know access, changing default passwords and installing software updates. In addition to documenting organizational procedures, PCI DSS demands that organizations continuously track and demonstrate compliance through internal and external audits.

Supporting PCI DSS with Automated Solutions

Establishing PCI DSS compliance can be extremely resource intensive.
For medium to large organizations, the many tasks involved in documenting, tracking and auditing network security procedures manually can take days. With Tufin SecureTrack, an automated firewall operations, auditing and compliance solution, companies can substantially reduce the time and cost of PCI DSS compliance as it applies to the management of firewalls, routers and related network security infrastructure. SecureTrack often reduces the time required for audit preparation by more than 50%, while enabling continuous compliance with the PCI standard.

Tufin SecureTrack helps organizations meet the PCI requirements relating to network security, data safety, access control and accountability:

- Automatic PCI DSS audit makes it easy to prepare quickly and thoroughly for an internal or external audit.
- Continuous change tracking and analysis monitors firewall policy changes, reports them in real time and maintains a comprehensive, accurate audit trail for full accountability.
- Security policy simulation and risk analysis enables security managers to query complex rule bases and simulate a broad range of scenarios.
- Configurable security alerts warn security managers whenever a change that could affect cardholder data security is implemented.
- Audit trail and reporting capabilities enable periodic audits by IT security teams and external auditors with intuitive, customizable reports.
- Multi-vendor best practices derived from industry experience compare the current device configuration with best practice recommendations.

The table below indicates the specific PCI requirements addressed by Tufin SecureTrack.

PCI DSS Requirement | Description | Tufin Security Suite Coverage
Requirement 1 | Install and maintain a firewall configuration to protect cardholder data | Covered
Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters | Covered
Requirement 3 | Protect stored cardholder data | N/A
Requirement 4 | Encrypt transmission of cardholder data across open, public networks | Covered
Requirement 5 | Use and regularly update antivirus software or programs | N/A
Requirement 6 | Develop and maintain secure systems and applications (includes installing the latest security patches) | Covered
Requirement 7 | Restrict access to data by business need-to-know | Covered
Requirement 8 | Assign a unique ID to each person with computer access | N/A
Requirement 9 | Restrict physical access to cardholder data | N/A
Requirement 10 | Track and monitor all access to network resources and cardholder data | Covered
Requirement 11 | Regularly test security systems and processes | Covered
Requirement 12 | Maintain a policy that addresses information security for all personnel | Covered

The SecureTrack PCI Audit Report can be used both by organizations that are self-certifying and by organizations undergoing an on-site assessment by a Qualified Security Assessor (QSA). SecureTrack reports are based on the Payment Card Industry Data Security Standard v2.0 (October 2010), which can be found at: https://www.pcisecuritystandards.org/security_standards/documents.php In the same location you can also find the PCI Self-Assessment Questionnaires. Visa merchant levels for PCI classification can be found on the Visa site: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

The rest of this paper explains in more detail how SecureTrack, with a rich set of automated and intuitive tools, can help your organization ensure real compliance with PCI DSS.

SecureTrack Support for PCI DSS Requirements

The PCI Data Security Standard lays down a specific list of requirements that companies must follow in order to safely process credit card payments and store cardholder data. This paper explains how SecureTrack can help your organization with each of the relevant requirements in the standard. [1]

Build and Maintain a Secure Network

PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.
Requirement 1.1: Establish firewall and router configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall and router configurations.
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks.

SecureTrack coverage: SecureTrack enables organizations to implement a formal change management process with comprehensive tracking and reporting of every change, including full accountability. The PCI DSS Audit report provides a concise summary of the changes made to each device. Tufin SecureChange Workflow defines, enforces and automates a comprehensive process for handling security configuration changes. SecureTrack's Network Topology feature helps to create and maintain an accurate map of the network.

[1] Descriptions of the requirements are excerpted from the PCI DSS standard, version 2.0, released October 2010.

Requirement 1.1 (continued):
1.1.4 Description of groups, roles and responsibilities for logical management of network components.
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
1.1.6 Requirement to review firewall and router rule sets at least every six months.

SecureTrack coverage: Using Business Ownership Change Reports, administrators can assign responsibility for network resources to the appropriate individuals. The PCI DSS Audit verifies that Business Ownership is configured and reports to the owners of the different network segments. The PCI DSS Audit also checks whether rules are documented. Tufin SecureChange Workflow enables you to enforce roles and responsibilities throughout the security change process, along with separation of duties. PCI DSS Audit automatically performs a policy analysis and reports on the services and ports that are open between external networks, the DMZ and the internal network. Custom lists of allowed protocols and risky protocols can be configured within the PCI report. Tufin SecureChange Workflow performs proactive risk analysis before changes are approved or implemented, to prevent inappropriate use of potentially insecure protocols. SecureTrack provides tools that enable in-depth periodic rule audit and review by security managers and external auditors. PCI DSS Audit checks which reports are scheduled and verifies that they run on a quarterly basis (more often than the six-month minimum of 1.1.6).

Requirement 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

SecureTrack coverage: PCI DSS Audit checks that traffic from untrusted networks and hosts is limited to specific PCI protocols. In addition, the Audit checks for explicit cleanup rules. SecureTrack tests all firewall policies to report connectivity between the wireless network and the cardholder environment.

Requirement 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.)
1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

SecureTrack coverage: PCI DSS Audit reports permissive rules that originate outside the DMZ (at external and internal addresses). SecureTrack compliance alerts provide notification about any change that allows unauthorized traffic. SecureTrack analyzes firewall policies with configured DMZ and internal network zones to verify that inbound connectivity terminates in the DMZ networks and not in the internal networks. SecureTrack analyzes all relevant firewall rules to verify that no direct Internet connections are allowed to the cardholder application and database servers. PCI DSS Audit reports on critical databases and verifies that they are located within internal networks and not in a DMZ. Rule and object usage reports identify unused (and therefore unnecessary) rules and objects. Security Policy Analysis can identify whether specific protocols are allowed inbound or outbound, and by which rules; it enables managers to simulate each firewall rule base and uncover rules that permit traffic that is not necessary for the cardholder data environment. PCI DSS Audit verifies that all inspected firewalls implement stateful inspection. SecureTrack analyzes relevant policies to verify that the PCI database servers are not in defined DMZ networks.
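The Requirement 1.1.5, 1.2.1 and 1.3 checks described above (insecure services permitted without a documented justification, traffic not restricted to what the cardholder data environment needs, inbound Internet traffic that does not terminate in the DMZ, outbound traffic from the CDE to the Internet, and a missing explicit cleanup rule) can all be expressed as a static analysis over a rule base. The following Python script is an added example written for this page; it is not Tufin code and does not use SecureTrack's APIs or data formats. The zone addressing, the rule fields and the sample rule base are constructed for illustration.

```python
"""Static checks on a firewall rule base against PCI DSS 2.0 Requirement 1.

Added example: hypothetical zone addressing and rule format, not a vendor format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed zone map. Order matters: the first (most specific) match wins,
# so the CDE subnet is listed before the wider internal range that contains it.
ZONES = [
    ("cde", ipaddress.ip_network("10.10.0.0/16")),      # cardholder data environment
    ("internal", ipaddress.ip_network("10.0.0.0/8")),   # other internal networks
    ("dmz", ipaddress.ip_network("203.0.113.0/24")),    # publicly reachable tier
]
ALL_ZONES = {"internet", "dmz", "internal", "cde"}

# Services PCI DSS 1.1.5 names as examples of insecure protocols (by port).
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 161: "snmp"}


@dataclass
class Rule:
    rule_id: int
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    service: str       # "tcp/443", "udp/161" or "any"
    action: str        # "accept" or "drop"
    comment: str = ""  # business justification (1.1.5 documentation)


def zones_of(addr: str) -> Set[str]:
    """Zones an address expression can fall in; anything not internal or DMZ is Internet."""
    if addr == "any":
        return set(ALL_ZONES)
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone_net in ZONES:
        if net.subnet_of(zone_net):
            return {name}
    return {"internet"}


def service_port(service: str) -> Optional[int]:
    """Port number of a 'proto/port' service string, or None for 'any'."""
    return None if service == "any" else int(service.split("/")[1])


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule property that conflicts with Requirement 1."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        src, dst = zones_of(r.src), zones_of(r.dst)
        port = service_port(r.service)
        if r.service == "any":
            findings.append(f"rule {r.rule_id}: permits any service (1.2.1)")
        if "internet" in src and dst & {"internal", "cde"}:
            findings.append(f"rule {r.rule_id}: inbound from Internet terminates outside the DMZ (1.3.2/1.3.3)")
        if "cde" in src and "internet" in dst:
            findings.append(f"rule {r.rule_id}: outbound from CDE to Internet, verify authorization (1.3.5)")
        if port in INSECURE_SERVICES and not r.comment.strip():
            findings.append(f"rule {r.rule_id}: {INSECURE_SERVICES[port]} permitted without documented justification (1.1.5)")
    # The rule base must end in an explicit any/any/any drop (cleanup rule).
    last = rules[-1] if rules else None
    is_cleanup = last is not None and last.action == "drop" and last.src == last.dst == last.service == "any"
    if not is_cleanup:
        findings.append("rule base: no explicit cleanup rule (any/any/any drop) at the end (1.2.1)")
    return findings


# Constructed sample rule base for the demonstration.
SAMPLE_RULES = [
    Rule(1, "any", "203.0.113.10/32", "tcp/443", "accept", "public web front end"),
    Rule(2, "any", "10.10.5.20/32", "tcp/1433", "accept", "vendor support access"),
    Rule(3, "203.0.113.10/32", "10.10.5.20/32", "tcp/1433", "accept", "web tier to card DB"),
    Rule(4, "10.0.0.0/8", "203.0.113.0/24", "tcp/21", "accept"),
    Rule(5, "10.10.0.0/16", "any", "any", "accept", "temporary troubleshooting"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Rule 1 (Internet to a DMZ host on 443) and rule 3 (DMZ web tier to the CDE database) produce no findings; rule 2 lets the Internet reach a CDE host directly, rule 4 permits FTP with no justification, rule 5 opens every service from the CDE outward, and the rule base has no cleanup rule. Note that 1.3.4 (anti-spoofing) cannot be judged from the rule base alone because it depends on which interface a packet arrives on, so it is deliberately not modelled here.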

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

Requirement 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system. Implement security features for any required services, protocols or daemons that are considered to be insecure; for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
2.2.3 Configure system security parameters to prevent misuse.

SecureTrack coverage: PCI Audit identifies servers for which the rule base permits more than one function (for example, both web and database services to the same host). PCI DSS Audit automatically performs a policy analysis and reports on the services and ports that are open between external networks, the DMZ and the internal network. Custom lists of allowed protocols and risky protocols can be configured within the PCI report. SecureTrack compares the current firewall configuration with best practice recommendations, including over 50 different tests to ensure that firewalls are optimally tuned and defaults are changed. PCI DSS Audit checks which Best Practice Security Audits are activated and configured.

Protect Cardholder Data

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

Requirement 4.1: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

SecureTrack coverage: Policy Analysis locates rules that permit non-encrypted access, as well as rules that accept services other than those specified. Compliance alerts notify administrators about any change that allows non-encrypted access. Note that rule analysis identifies permitted services by protocol and port; it cannot confirm that traffic on an allowed port is actually encrypted, so it complements rather than replaces verification of the encryption configuration on the endpoints themselves.

Maintain a Vulnerability Management Program

PCI Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.

Requirement 6.1: Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

SecureTrack coverage: The Software Version Compliance Report provides a baseline test of the software versions installed on the monitored network security devices. PCI DSS Audit verifies that this report is configured.

Implement Strong Access Control Measures

PCI Requirement 7: Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

Requirement 7.1: Limit access to computing resources and cardholder information only to those individuals whose job requires such access.

SecureTrack coverage: Policy Analysis enables security managers to simulate firewall policy by querying the rule base. Managers can use this tool to verify that access to cardholder data complies with policy. In addition, changes in access permissions are reported through SecureTrack's real-time reporting and alerting framework. Rule and Object Usage analysis identifies permitted access which is not used and should be removed.

Requirement 7.2: Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to deny all unless specifically allowed.

SecureTrack coverage: Policy Analysis enables security managers to simulate the firewall policy by querying the rule base. Managers can use this tool to verify that access is limited according to need-to-know policies.

Regularly Monitor and Test Networks

PCI Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
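The Rule and Object Usage analysis described under Requirement 7.1 above, which also feeds the periodic rule review of 1.1.6, rests on a simple correlation: count firewall log hits per rule over the review period and treat accept rules that never matched as permitted access that is not used. Here is an added example of that logic in Python; it is not Tufin code and does not reflect SecureTrack's log handling. The key=value log format, the rule numbering and the log lines are all constructed for this example.

```python
"""Find accept rules with no hits in a review window (PCI DSS 7.1 / 1.1.6 rule review).

Added example using a constructed, hypothetical 'key=value' firewall log format.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines; not a real vendor format. One line is malformed on purpose.
SAMPLE_LOG = """\
2012-02-01T08:00:01Z action=accept rule=1 src=198.51.100.7 dst=203.0.113.10 service=tcp/443
2012-02-01T08:00:09Z action=accept rule=3 src=203.0.113.10 dst=10.10.5.20 service=tcp/1433
2012-02-14T12:30:44Z action=accept rule=1 src=198.51.100.9 dst=203.0.113.10 service=tcp/443
2012-02-20T17:02:13Z action=drop rule=6 src=198.51.100.9 dst=10.10.5.20 service=tcp/1433
2011-11-05T03:15:00Z action=accept rule=4 src=10.20.1.5 dst=203.0.113.22 service=tcp/21
this line is not a log record and must be skipped
"""

# Constructed rule base: rule number -> action. Rule 6 is the cleanup (drop) rule.
RULE_BASE: Dict[int, str] = {1: "accept", 2: "accept", 3: "accept", 4: "accept", 5: "accept", 6: "drop"}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) action=(?P<action>\w+) rule=(?P<rule>\d+)\b"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_hits(log_text: str) -> List[Tuple[datetime, int]]:
    """Extract (timestamp, rule number) from each well-formed log line; skip the rest."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits.append((datetime.strptime(m["ts"], TS_FORMAT), int(m["rule"])))
    return hits


def usage_report(rule_base: Dict[int, str], log_text: str, window_start: str) -> Dict[str, object]:
    """Per-rule hit counts inside the window (YYYY-MM-DD start) and last-seen time over all logs."""
    start = datetime.strptime(window_start, "%Y-%m-%d")
    counts: Counter = Counter()
    last_seen: Dict[int, Optional[datetime]] = {r: None for r in rule_base}
    for ts, rule in parse_hits(log_text):
        if rule not in rule_base:
            continue  # hit for a rule that has since been deleted; out of scope here
        if ts >= start:
            counts[rule] += 1
        if last_seen[rule] is None or ts > last_seen[rule]:
            last_seen[rule] = ts
    return {"counts": counts, "last_seen": last_seen}


def unused_accept_rules(rule_base: Dict[int, str], log_text: str, window_start: str) -> List[int]:
    """Accept rules with zero hits in the window: candidates for removal under 7.1."""
    counts = usage_report(rule_base, log_text, window_start)["counts"]
    return sorted(r for r, action in rule_base.items() if action == "accept" and counts[r] == 0)


if __name__ == "__main__":
    start = "2012-01-01"
    report = usage_report(RULE_BASE, SAMPLE_LOG, start)
    for rule in unused_accept_rules(RULE_BASE, SAMPLE_LOG, start):
        seen = report["last_seen"][rule]
        print(f"rule {rule}: no hits since {start}; last seen {seen.date() if seen else 'never'}")
```

With the window starting on 2012-01-01, rules 2 and 5 have never matched and rule 4 last matched in November 2011, so all three are reported; rule 6 is excluded because a drop rule that never fires is not an access grant. The last-seen timestamp is kept separately from the windowed count so a reviewer can distinguish "never used" from "stale", which matters when deciding whether a rule was a one-off exception or a permanent mistake.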
Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system-level objects

SecureTrack coverage: Configuration Change Monitoring maintains a detailed, read-only audit trail with full accountability for any configuration change made to supported devices.

Requirement 10.3: Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource

SecureTrack coverage: SecureTrack maintains an audit trail for full accountability and records the following details for each firewall policy change:
- Name of the user that changed the security policy
- IP address originating the change
- Nature of the change (policy save, policy install events)
- Date and time
- Success or failure indication
- Affected device(s)

Requirement 10.5: Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

SecureTrack coverage: Access to all audit trails through the SecureTrack user interface is read-only. SecureTrack's database is encrypted to protect audit trails against unauthorized or out-of-band changes. Note that encryption at rest protects confidentiality; detecting modification of existing entries, as 10.5.5 asks, additionally requires an integrity mechanism such as file-integrity monitoring or a hash chain over the records. SecureTrack supports backup of the configuration audit trail to a storage repository.

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).

SecureTrack coverage: SecureTrack's database can store audit trail and configuration change data for a minimum of 12 months, typically much longer. Configuration change reports can be easily generated for all monitored firewalls and other devices by vendor type and/or time range.
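Requirement 10.5.5 asks that existing log data cannot be changed without an alert while appending new data does not alert. One way to achieve that for an audit trail carrying the 10.3 fields is to chain the records with a hash, so that changing any stored entry breaks every later link, and to keep a small checkpoint (record count and head hash) off-host, so that an attacker who rewrites and re-chains the whole file is still caught. The following Python class is an added example written for this page; it is not SecureTrack code and says nothing about how SecureTrack stores its audit trail. The field names and sample events are constructed.

```python
"""Hash-chained audit trail carrying the PCI DSS 10.3 fields (added example)."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# The six entry fields Requirement 10.3 asks for, under constructed names.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "success", "origin", "target")
GENESIS = "0" * 64  # link value for the first record


def _link(prev_hash: str, entry: Dict) -> str:
    """SHA-256 over the previous link and the canonical JSON of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class ChainedAuditLog:
    """Append-only log; every record commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, **fields) -> Dict:
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"entry lacks Requirement 10.3 fields: {missing}")
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"entry": dict(fields), "prev": prev, "hash": _link(prev, fields)}
        self.records.append(record)
        return record

    def checkpoint(self) -> Tuple[int, str]:
        """(record count, head hash) to store off-host, e.g. on the central log server (10.5.3)."""
        head = self.records[-1]["hash"] if self.records else GENESIS
        return len(self.records), head

    def verify(self, checkpoint: Optional[Tuple[int, str]] = None) -> bool:
        """True if every link recomputes and, if given, the saved checkpoint still matches."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or _link(prev, rec["entry"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        if checkpoint is None:
            return True
        count, head = checkpoint
        if count == 0:
            return head == GENESIS
        return count <= len(self.records) and self.records[count - 1]["hash"] == head


def build_sample_log() -> ChainedAuditLog:
    """Constructed policy-change events of the kind the paper lists for 10.3."""
    log = ChainedAuditLog()
    log.append(user="jdoe", event_type="policy save", timestamp="2012-03-01T09:14:05Z",
               success=True, origin="10.1.2.3", target="fw-cde-01")
    log.append(user="jdoe", event_type="policy install", timestamp="2012-03-01T09:15:40Z",
               success=True, origin="10.1.2.3", target="fw-cde-01")
    log.append(user="svc-backup", event_type="login", timestamp="2012-03-01T23:00:01Z",
               success=False, origin="10.9.9.9", target="securetrack-server")
    return log


def tamper_demo() -> Tuple[bool, bool, bool, bool, bool]:
    """(intact, after append, after editing an old entry, re-chained locally, re-chained vs saved checkpoint)."""
    log = build_sample_log()
    saved = log.checkpoint()             # copy kept on the central log server
    intact = log.verify(saved)
    log.append(user="asmith", event_type="policy save", timestamp="2012-03-02T08:00:00Z",
               success=True, origin="10.1.2.4", target="fw-dmz-01")
    after_append = log.verify(saved)     # appending must not raise an alert
    log.records[1]["entry"]["user"] = "nobody"   # try to hide who installed the policy
    after_edit = log.verify(saved)       # the local links no longer recompute
    # An attacker with full write access can rebuild a consistent chain over the edited data...
    rebuilt = ChainedAuditLog()
    for rec in log.records:
        rebuilt.append(**rec["entry"])
    rebuilt_local = rebuilt.verify()     # ...which passes a purely local check...
    rebuilt_vs_saved = rebuilt.verify(saved)   # ...but not the checkpoint saved before the edit.
    return intact, after_append, after_edit, rebuilt_local, rebuilt_vs_saved


def missing_field_rejected() -> bool:
    """An entry without all 10.3 fields is refused."""
    try:
        ChainedAuditLog().append(user="x", event_type="login")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(tamper_demo())
```

The demonstration returns (True, True, False, True, False): the chain verifies when intact and after a legitimate append, fails once an old entry is edited, verifies again after the attacker re-chains the edited file, and fails against the checkpoint that was written off-host before the edit. The last two values are the reason a hash chain alone is not enough for 10.5.5: the integrity anchor has to live somewhere the log writer cannot change, which is exactly what 10.5.3's centralized log server provides.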

PCI Requirement 11: Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

SecureTrack coverage: SecureTrack features a set of vulnerability tests that analyze the firewall configuration and rule base for potential security risks; they can be run after any change to the network. These are configuration and rule-base checks; they complement, rather than replace, the network vulnerability scans that 11.2 requires.

Maintain an Information Security Policy

PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are resident on the entity's site or otherwise have access to the cardholder data environment.

Requirement 12.1: Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all PCI DSS requirements.
12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
12.1.3 Includes a review at least annually and updates when the environment changes.

SecureTrack coverage: SecureTrack helps IT departments assess their compliance with PCI DSS. Compliance Policy enables security managers to define security policies based on PCI requirements and other industry standards and to enforce these policies on every configuration change, or periodically.

Conclusion: Automating PCI DSS Compliance

The PCI DSS standards set requirements for organizations that process card payments in order to help them prevent credit card fraud, system compromise and other security threats. By aligning with the industry practices defined by PCI DSS, companies can increase the trust of both customers and partners. A large number of the PCI DSS requirements concern network security: preventing external access to cardholder data and restricting internal access to need to know. In addition to defining tools and technologies such as firewalls and encryption, the standard demands that organizations define, document, enforce and audit operational procedures.

Preparing for a PCI audit is an expensive, time-consuming project. Tufin SecureTrack is helping organizations around the world to comply with PCI DSS efficiently and cost-effectively. With a specially designed PCI Audit report, SecureTrack makes it fast and simple to prepare for an internal or external audit. Providing in-depth information about the company's PCI compliance level, the automated PCI Audit report shows where improvements are needed and recommends how to address them. The PCI Audit centralizes many of the capabilities of SecureTrack in a single, convenient solution, to make it easier to comply with PCI DSS. With SecureTrack, organizations are eliminating repetitive, manual tasks to cut the time and cost involved with PCI DSS audits by as much as half. No less important, SecureTrack's real-time change monitoring and compliance alerts enable security teams to achieve continuous compliance, the ultimate goal of PCI DSS.

Learn more about Tufin SecureTrack at www.tufin.com.

2008, 2009, 2010, 2011, 2012 Tufin Software Technologies, Ltd. Tufin, SecureChange, SecureTrack, Automatic Policy Generator, and the Tufin logo are trademarks of Tufin Software Technologies Ltd. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.