Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for AIX



Similar documents
Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

2: Do not use vendor-supplied defaults for system passwords and other security parameters

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

74% 96 Action Items. Compliance

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

SonicWALL PCI 1.1 Implementation Guide

PCI DSS Requirements - Security Controls and Processes

Corporate and Payment Card Industry (PCI) compliance

Qualified Integrators and Resellers (QIR) Implementation Statement

Policies and Procedures

March

Parallels Plesk Panel

Did you know your security solution can help with PCI compliance too?

Introduction. PCI DSS Overview

Implementation Guide

Catapult PCI Compliance

Cyber-Ark Software and the PCI Data Security Standard

General Standards for Payment Card Environments at Miami University

LogRhythm and PCI Compliance

Windows Azure Customer PCI Guide

Why PCI DSS Compliance is Impossible without Privileged Management

Achieving PCI-Compliance through Cyberoam

PCI and PA DSS Compliance Assurance with LogRhythm

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

GFI White Paper PCI-DSS compliance and GFI Software products

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

RACF & Payment Card Industry (PCI) Data Security Standards RUGONE May 2012

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Credit Card Security

University of Sunderland Business Assurance PCI Security Policy

Automate PCI Compliance Monitoring, Investigation & Reporting

Controls for the Credit Card Environment Edit Date: May 17, 2007

How Reflection Software Facilitates PCI DSS Compliance

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

PCI Requirements Coverage Summary Table

Becoming PCI DSS Compliant

Becoming PCI Compliant

Presented By: Bryan Miller CCIE, CISSP

PCI Requirements Coverage Summary Table

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Meeting the PCI Standard

Best Practices for PCI DSS V3.0 Network Security Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI 3.0 Compliance for Power Systems Running IBM i

Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 3

Josiah Wilkinson Internal Security Assessor. Nationwide

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

ISO PCI DSS 2.0 Title Number Requirement

PCI DSS requirements solution mapping

SOLUTION BRIEF THE CA TECHNOLOGIES SOLUTION FOR PCI COMPLIANCE. How Can the CA Security Solution Help Me With PCI Compliance?

PCI DSS Compliance & Your Database

An Oracle White Paper January Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance

<Insert Picture Here> PCI DSS-Payment Card Industry. Security Summit Master Principal Sales Consultant - Alfredo Valenza - Oracle Italia

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Payment Application Data Security Standards Implementation Guide

Payment Card Industry Data Security Standard

PCI Data Security and Classification Standards Summary

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

Improving PCI Compliance with Network Configuration Automation

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

A Rackspace White Paper Spring 2010

How To Achieve Pca Compliance With Redhat Enterprise Linux

Payment Card Industry Data Security Standard

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI implementation guide for L-POS

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Accelerating PCI Compliance

Achieving PCI Compliance Using F5 Products

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Policy Pack Cross Reference to PCI DSS Version 3.1

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

05.0 Application Development

Enforcing PCI Data Security Standard Compliance

The Comprehensive Guide to PCI Security Standards Compliance

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Retail Stores Networks and PCI compliance

CSP & PCI DSS Compliance on HP NonStop systems

PCI Data Security Standards (DSS)

PCI DSS 3.1 Security Policy

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

Passing PCI Compliance How to Address the Application Security Mandates

Managed File Transfer and the PCI Data Security Standards

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Auditor s Checklist. A XYPRO Solution Paper. MAY, 2009 XYPRO Technology Corporation

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Transcription:

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for AIX The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and storing credit card information must comply. Since these Data Security Standards are written in generic terms, one must do some interpretation to determine how the requirements apply to IBM AIX servers. Using the requirements directly from the Payment Card Industry s Data Security Standards, the requirements are translated into AIX terminology and a description of how SkyView products assist is provided. SkyView product description: SkyView Policy Minder for AIX is an IBM AIX security compliance tool that compares your systems' current settings against your organization s security policy requirements. Your policy implementation is documented and non-compliant items are identified. Using the FixIt function, non-compliant items can be set back to match policy settings. Policy Minder automates the process of keeping your AIX servers security configuration in compliance with your security policy. PCI Requirements Section 2.2.1 and 2.2.3, 2.3, 4.1 and 8.4 Implement only one primary function per server to prevent functions that require different security levels (2.2.1) Configure system security parameters to prevent misuse. (2.2.3) Encrypt all non-console administrative access (2.3) Use strong cryptography and protocols (4.1) Render all password unreadable during transmission Solution: Use the Daemons category of Policy Minder to ensure only those daemons are active that support the intended purpose (role) of the server. You can also use this category to ensure non-encrypted services (such as non-ssl-enabled telnet) are not active and that SSH is in use. This will ensure passwords are encrypted during transmission and admin access is over an encrypted session. Use the Configuration policy category to ensure configuration settings remain configured appropriately. If a daemon is activated or a configuration setting is changed, a compliance check will identify it as non-compliant. Run FixIt to start or stop the daemon to match the policy requirements. PCI Requirements Section 2.1 and 6.3.6: Always change vendor-supplied defaults before installing a system on the network (2.1) Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers. (6.3.6) Solution: Use Policy Minder to check user account configuration settings. Policy Minder can also be used to ensure the configuration settings aren t changed from your policy requirements during the installation of a vendor package. Page 1 of 5

PCI Requirements Section 3.5.2: Store encryption keys in the fewest locations possible. (3.5.2) Solution: Use the Files category of Policy Minder to search for files of specific names or file extensions. If a legitimate source for storing encryption keys, use the Files category to ensure the permissions on the file remain set correctly. PCI Requirements Section 6.1: Ensure patches are up-to-date (6.1) Solution: Use the Script category of Policy Minder to run a script against all servers to ensure they are at the patch level required by your policy. PCI Requirements Section 7.1, 7.1.1 and 7.1.2: Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: (7.1) o Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities (7.1.1) o Assignment of privileges is based on individual personnel s job classification and function (7.1.2) Solution: Policy Minder provides an automated method for the discovery of new user accounts with admin rights or members of groups with admin rights. In addition, the User account category in Policy Minder allows you to define the appropriate attributes for each type of user account admin, operator, developer, etc. Compliance checks identify the account and its attributes that are out of compliance with the definition. Policy Minder s FixIt function allows administrators to change the user account attributes to be in compliance with the definition and provides a report of the change. PCI Requirements Section 7.2, 7.2.1, 7.2.2 and 7.2.3: Establish an access control system for systems components with multiple users that restrict access based on a user s need to know, and is set to deny all unless specifically allowed. This access control system must include the following: (7.2) o Coverage of all system components (7.2.1) o Assignment of privileges to individuals based on job classification and function (7.2.2) o Default deny-all setting (7.2.3) Solution: Use the File category in Policy Minder to maintain compliance for the permissions settings on files and directories. Compliance checks will identify the each item out of compliance (that is, with the incorrect permission settings) along with the details of what s causing the non- Page 2 of 5

compliance status. Policy Minder s FixIt function can be used by administrators to change the settings to match the requirements and provides a documented record of the change. Use the Configuration policy category to ensure the default umask value is set to deny all or no access. PCI Requirement Section 8.5.1: Control addition, deletion and modification of user IDs, credentials and other identifier objects. Solution: Use the Configuration policy category of Policy Minder to maintain the default configuration settings for the creation of new user accounts. Use the User account category to ensure user account settings are not overridden from global settings. Finally use the User account category to ensure appropriate configuration of all user accounts on the server. Compliance checks identify changes to accounts and attributes which do not match policy requirements. In addition, FixIt can be used to fix the non-compliant user account attributes or configuration policy settings. PCI Requirement Section 8.5.4: Immediately revoke access for any terminated users. Solution: Policy Minder s User account category can be used in conjunction with the FixIt function revoke user account access. FixIt produces a report which can be used as proof to your auditor that terminated users accounts are set so that they cannot be used. PCI Requirement Section 8.5.5: Remove/disable inactive user accounts at least every 90 days. Solution: Policy Minder can simplify the discovery and automate the removal of inactive accounts. You can use Policy Minder to find and take action on inactive accounts, such as configuring the account so that it can t log in. To simplify the processing of these profiles, you can omit profiles that are an exception that is, should never have action take on them. This way, the list of profiles only contains those on which action should be taken. When printing this policy, profiles omitted are documented.) PCI Requirement Section 8.5.6: Enable accounts used by vendors for remote maintenance only during the time period needed. Solution: The user account category of Policy Minder can be configured to examine the status of specific vendor accounts. The FixIt function can be scheduled (using the integrated cron function) to run nightly to set any user account (including vendors) so that it cannot be used for sign on. Page 3 of 5

PCI Requirements Section 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, and 8.5.15: Change user passwords at least every 90 days (8.5.9) Require a minimum password length of at least seven characters (8.5.10) Use passwords containing both numeric and alphabetic characters (8.5.11) Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. (8.5.12) Limit repeated access attempts by locking out the user ID after not more than six attempts. (8.5.13) If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. (8.5.15) Solution: Use the Configuration policy category of Policy Minder to check the password and session time-out system values to ensure they meet these requirements. In addition, use the User account category to examine user account settings to ensure these values have not been overridden in the user account configuration file. PCI Requirement Section 11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. (11.5) Solutions: Use the monitoring feature of the File category in Policy Minder to establish a checksum over critical files. Run regular compliance checks to determine whether the files have been changed. PCI Requirements Section 12.1, 12.1.1, 12.1.2, 12.1.3: Establish, publish, maintain, and disseminate a security policy that accomplishes the following: (12.1) o Addresses all PCI DSS requirements. (12.1.1) Solutions: Use Policy Minder to document the AIX implementation of your security policy requirements. Risk acceptance statements can be added to the policy definitions as well as cross-references to specific sections of your organization s security policy. All of these can be printed in PDF format and given to your auditor as documentation of your policy implementation. Page 4 of 5

PCI Requirement Section 12.2: Develop daily operational security procedures that are consistent with requirements in this specification (12.2) Solution: Use the integrated cron function of Policy Minder to schedule regular compliance checks on a frequency that means your policy and compliance requirements. These are just some of the ways SkyView Partners products can reduce the cost and complexities of maintaining your AIX compliance requirements. For more information, please visit the SkyView Partners website at www.skyviewpartners.com. Who is SkyView Partners? SkyView Partners Inc. is a firm specializing in policy-based security compliance management and assessment software as well as security services for IBM i (AS/400 and iseries) and AIX customers. Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information