Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems



Similar documents
Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for AIX

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Introduction. PCI DSS Overview

74% 96 Action Items. Compliance

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

SonicWALL PCI 1.1 Implementation Guide

Corporate and Payment Card Industry (PCI) compliance

PCI DSS Requirements - Security Controls and Processes

Policies and Procedures

Qualified Integrators and Resellers (QIR) Implementation Statement

March

Did you know your security solution can help with PCI compliance too?

General Standards for Payment Card Environments at Miami University

Implementation Guide

LogRhythm and PCI Compliance

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

Windows Azure Customer PCI Guide

GFI White Paper PCI-DSS compliance and GFI Software products

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

Achieving PCI-Compliance through Cyberoam

Why PCI DSS Compliance is Impossible without Privileged Management

PCI Requirements Coverage Summary Table

How Reflection Software Facilitates PCI DSS Compliance

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Credit Card Security

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Catapult PCI Compliance

PCI Requirements Coverage Summary Table

Cyber-Ark Software and the PCI Data Security Standard

A Rackspace White Paper Spring 2010

Automate PCI Compliance Monitoring, Investigation & Reporting

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

How To Achieve Pca Compliance With Redhat Enterprise Linux

Payment Card Industry Data Security Standard

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 3

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

RACF & Payment Card Industry (PCI) Data Security Standards RUGONE May 2012

University of Sunderland Business Assurance PCI Security Policy

PCI Data Security Standards (DSS)

Payment Card Industry (PCI) Compliance. Management Guidelines

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

PCI and PA DSS Compliance Assurance with LogRhythm

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Becoming PCI Compliant

PCI 3.0 Compliance for Power Systems Running IBM i

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

ISO PCI DSS 2.0 Title Number Requirement

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

Enforcing PCI Data Security Standard Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

Accelerating PCI Compliance

Improving PCI Compliance with Network Configuration Automation

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI DSS requirements solution mapping

PCI DSS Reporting WHITEPAPER

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

PCI implementation guide for L-POS

Presented By: Bryan Miller CCIE, CISSP

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

PCI Data Security and Classification Standards Summary

Josiah Wilkinson Internal Security Assessor. Nationwide

Passing PCI Compliance How to Address the Application Security Mandates

Policy Pack Cross Reference to PCI DSS Version 3.1

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

An Oracle White Paper January Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance

The Comprehensive Guide to PCI Security Standards Compliance

CSP & PCI DSS Compliance on HP NonStop systems

05.0 Application Development

Payment Application Data Security Standards Implementation Guide

Payment Card Industry Data Security Standard

Central Agency for Information Technology

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

How To Manage A Privileged Account Management

Retail Stores Networks and PCI compliance

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 2

Visa U.S.A. Cardholder Information Security Program (CISP) Security Audit Procedures and Reporting

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Transcription:

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and storing credit card information must comply. Version 3.0 of the PCI DSS was released in November 2013. The Data Security Standards are not written for a specific operating system or environment so one must do some interpretation to determine how the requirements apply to the AIX and Linux operating systems. Using the requirements directly from the Payment Card Industry s Data Security Standards, the requirements are translated into AIX and Linux terms and a description of how SkyView solutions assist with PCI compliance is provided. The major changes of the latest Version of the Standard revolve around making security a business-as-usual activity. In other words, adherence to the requirements of the standard is constant, ensuring the security of the data, rather than ensuring compliance at the time of the audit. We have long talked about compliance needing to be a lifestyle rather than an event and the emphasis of this latest version is in line with this viewpoint. SkyView Solutions: SkyView Managed Security Services is a service performed by industry experts where critical security administration issues are checked on a monthly basis. If issues are identified, that, non-compliant items are identified, the organization is notified. In addition, an annual risk assessment is performed, resulting in a formal risk assessment document where issues are identified as High, Medium or Low risk items. SkyView Security Check-up is a service performed by industry experts that analyzes the security configuration of your servers against industry standards such as the CIS Benchmark and produces a formal risk assessment document. SkyView Policy Minder for OPEN is an IBM AIX and Linux (RHEL, Ubuntu and CENTOS) security compliance and administration tool that compares your systems' current settings against your organization s security policy requirements. Your policy implementation is documented and non-compliant items are identified. Using the FixIt function, noncompliant items can be set back to match policy settings. Policy Minder automates the process of monitoring and keeping your AIX and Linux servers security configuration in compliance with your security policy. PCI Requirements Section 2.1, 2.2, 2.3, 4.1 and 8.2.1 Disable unnecessary default accounts (2.1) Implement only one primary function per server to prevent functions that require different security levels (2.2.1) Configure system security parameters to prevent misuse. (2.2.4) Encrypt all non-console administrative access (2.3) Use strong cryptography and protocols (4.1) Render all password unreadable during transmission (8.2.1) Page 1 of 6

Solutions: Use the Daemons category of Policy Minder to ensure only those daemons are active that support the intended purpose (role) of the server. You can also use this category to ensure nonencrypted services (such as non-ssl-enabled telnet) are not active and that SSH is in use. This will ensure passwords are encrypted during transmission and admin access is over an encrypted session. Use the Configuration policy category to ensure configuration settings remain configured appropriately. If a daemon is activated or a configuration setting is changed, a compliance check will identify it as non-compliant. Run FixIt to start or stop the daemon to match the policy requirements. Have a Security Check-up performed or subscribe to SkyView s Managed Security Services to ensure the servers are configured according to industry best practices. PCI Requirements Section 2.1 and 6.3.1: Always change vendor-supplied defaults before installing a system on the network (2.1) Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers. (6.3.1) Solution: Use Policy Minder to check user account configuration settings. Policy Minder can also be used to ensure the configuration settings aren t changed from your policy requirements during the installation of a vendor package. PCI Requirements Section 3.5.3: Store encryption keys in the fewest locations possible. (3.5.3) Solution: Use the Files category of Policy Minder to search for files of specific names or file extensions. If a legitimate source for storing encryption keys, use the Files category to ensure the permissions on the file remain set correctly. PCI Requirements Section 6.2: Ensure patches are up-to-date (6.2) Solution: Use the Script category of Policy Minder to run a script against all servers to ensure they are at the patch level required by your policy. PCI Requirements Section 7.1, 7.1.2 and 7.1.3: Page 2 of 6

Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following: (7.1) o Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities (7.1.2) o Assignment of privileges is based on individual personnel s job classification and function (7.1.3) Solution: Policy Minder provides an automated method for the discovery of new user accounts with admin rights or members of groups with admin rights. In addition, the User account category in Policy Minder allows you to define the appropriate attributes for each type of user account admin, operator, developer, etc. Compliance checks identify the account and its attributes that are out of compliance with the definition. Policy Minder s FixIt function allows administrators to change the user account attributes to be in compliance with the definition and provides a report of the change. PCI Requirements Section 7.2, 7.2.1, 7.2.2 and 7.2.3: Establish an access control system for systems components with multiple users that restrict access based on a user s need to know, and is set to deny all unless specifically allowed. This access control system must include the following: (7.2) o Coverage of all system components (7.2.1) o Assignment of privileges to individuals based on job classification and function (7.2.2) o Default deny-all setting (7.2.3) Solution: Use the File category in Policy Minder to maintain compliance for the permissions settings on files and directories. Compliance checks will identify the each item out of compliance (that is, with the incorrect permission settings) along with the details of what s causing the noncompliance status. Policy Minder s FixIt function can be used by administrators to change the settings to match the requirements and provides a documented record of the change. Use the Configuration policy category to ensure the default umask value is set to deny all or no access. PCI Requirement Section 8.1.2: Control addition, deletion and modification of user IDs, credentials and other identifier objects. Solution: Use the Configuration policy category of Policy Minder to maintain the default configuration settings for the creation of new user accounts. Use the User account category to ensure user account settings are not overridden from global settings. Finally use the User account category to ensure appropriate configuration of all user accounts on the server. Compliance checks identify changes to accounts and attributes which do not match policy requirements. In addition, FixIt can be used to fix the non-compliant user account attributes or configuration policy settings. Page 3 of 6

PCI Requirement Section 8.1.3: Immediately revoke access for any terminated users. Solution: Policy Minder s User account category can be used in conjunction with the FixIt function revoke user account access. FixIt produces a report which can be used as proof to your auditor that terminated users accounts are set so that they cannot be used. PCI Requirement Section 8.1.4: Remove/disable inactive user accounts at least every 90 days. Solution: Policy Minder can simplify the discovery and automate the removal of inactive accounts. You can use Policy Minder to find and take action on inactive accounts, such as configuring the account so that it can t log in. To simplify the processing of these profiles, you can omit profiles that are an exception that is, should never have action take on them. This way, the list of profiles only contains those on which action should be taken. When printing this policy, profiles omitted are documented.) PCI Requirement Section 8.1.5: Enable accounts used by vendors for remote maintenance only during the time period needed. Solution: The user account category of Policy Minder can be configured to examine the status of specific vendor accounts. The FixIt function can be scheduled (using the integrated cron function) to run nightly to set any user account (including vendors) so that it cannot be used for sign on. PCI Requirements Section 8.1.6, 8.1.7, 8.1.8, 8.2.3, 8.2.4 and 8.2.5: Change user passwords at least every 90 days (8.2.4) Require a minimum password length of at least seven characters (8.2.3) Use passwords containing both numeric and alphabetic characters (8.2.3) Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. (8.2.5) Limit repeated access attempts by locking out the user ID after not more than six attempts. (8.1.6) Set the lock-out duration to a minimum of 30 minutes (8.1.7) Page 4 of 6

If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. (8.1.8) Solution: Use the Configuration policy category of Policy Minder to check the password and session time-out system values to ensure they meet these requirements. In addition, use the User account category to examine user account settings to ensure these values have not been overridden in the user account configuration file. PCI Requirement Section 11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. (11.5) Solutions: Use the monitoring feature of the File category in Policy Minder to establish a checksum over critical files. Run regular compliance checks to determine whether the files have been changed. PCI Requirements Section 12.1, 12.2: Establish, publish, maintain, and disseminate a security policy (12.1) Implement a risk-assessment process that includes an annual process to identify threats and vulnerabilities and results in a formal risk assessment. (12.2) Solutions: Use Policy Minder to document the AIX and/or Linux implementation sections of your security policy requirements. Risk acceptance statements can be added to the policy definitions as well as cross-references to specific sections of your organization s security policy. All of these can be printed in PDF format and given to your auditor as documentation of your policy implementation and can also be used as an ongoing employee documentation and training resource (which is a focus of Version 3.0). PCI Requirement Section 2.5, 3.7, 4.3, 7.3, 8.8, 11.6 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5) Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7) Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. (4.3) Page 5 of 6

Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3) Ensure that security policies and operational procedures for identification and authorization are documented, in use, and known to all affected parties. (8.8) Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6) Solutions: Use Policy Minder to document the IBM i implementation of your security policy requirements. Risk acceptance statements can be added to the policy definitions as well as cross-references to specific sections of your organization s security policy. All of these can be printed in PDF format and given to your auditor as documentation of your policy implementation and can also be used as an ongoing employee documentation and training resource. Subscribe to SkyView Managed Security Services to ensure policies are in use. These are just some of the ways SkyView Partners products and services can help you attain compliance with PCI. For more information, please visit the SkyView Partners website at www.skyviewpartners.com. ### Who is SkyView Partners? SkyView Partners Inc. is a firm specializing in policy-based security compliance management and assessment services and products for IBM i (AS/400 and iseries), AIX and Linux customers. Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information