Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite
7. Restrict access to cardholder data by business need to know

PCI Article (PCI DSS 3) | Report Mapping | How we help

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Report Mapping: Active Directory / Active Directory Reports -> Admin Group Modification; Active Directory / Active Directory Security Reports -> Permission, Owner; LepideAuditor For File Server / Permission
How we help: Using our Auditor suite we can help organizations determine which users are accessing which systems and which data is being accessed. We can also alert and report on permission changes to relevant data. While our Auditor suite does not technically restrict or limit access, it provides visibility through alerts, reports, etc. that show you what is occurring on specific parts of your IT environment.

7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to deny all unless specifically allowed.
Report Mapping: /All Database Object -> Object Modification Reports -> Group Policy Object Modified; LepideAuditor For File Server / Permission; SQL Server / Login Reports -> Login Modified
How we help: By providing a log trail of changes made to systems such as Active Directory, File Servers, SQL Servers, SharePoint and Exchange servers, we can show you unauthorized changes being made to these platforms, which helps mitigate the risk of a violation and enables you to determine the best course of remediation in such an event. We allow you to see changes to permissions, modifications to logons, or changes made to Group Policy, which helps you monitor and alert on changes that could take an organization out of compliance in this area.
8. Identify and authenticate access to system components

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
Report Mapping: Active Directory / Logon, Logoff reports; -> Object Modification
How we help: By reviewing the Logon and Logoff audit reports we can show if a user is logging on from more than one computer. We can alert and report on this and allow corrective action to be taken.

8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Report Mapping: Active Directory / User Reports -> User Created; -> Object; SQL Server / Login Reports -> Login Modified
How we help: While we don't directly control these things, we provide the necessary auditing of events such as user creation, deletion, and modification, which helps you review and validate whether specified operations are in line with defined policies.
8.1.3 Immediately revoke access for any terminated users.
Report Mapping: Active Directory / User Reports -> User Status
How we help: We can show you user permission changes and report on inactive users to help verify that the access of inactive users is revoked accordingly.

8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: enabled only during the time period needed and disabled when not in use; monitored when in use.
Report Mapping: Active Directory / User Reports -> User, User Status; SQL Server / Login Reports -> Login Modified
How we help: We can help audit the enabling and disabling of accounts and track the respective activities of designated users to support this mandate.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
Report Mapping: Active Directory / User Reports -> User, User Status
How we help: We can alert and report on account lockout events to ensure no deviation in configuration and enable you to spot specific trends so that you can remediate as needed.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Report Mapping: Modification Reports -> All Account Lockout Policy Modified
How we help: Analyze the audit log to verify that the AD account lockout policy is configured and working properly.

8.2.3 Passwords/phrases must meet the following: require a minimum length of at least seven characters; contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Report Mapping: Modification Reports -> Password Policy Modified
How we help: By auditing changes to the password policy settings in Active Directory, we can help you verify that the password policy is defined according to the compliance requirement.
8.2.4 Change user passwords/passphrases at least every 90 days.
Report Mapping: Modification Reports -> Password Policy Modified
How we help: By auditing changes to the password policy settings in Active Directory, we can help you verify that the password policy is defined according to the compliance requirement.

8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
Report Mapping: Active Directory / User Reports -> User, User Status
How we help: By auditing all newly created accounts, logons and password changes, we can help you verify that no violation is occurring.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: generic user IDs are disabled or removed; shared user IDs do not exist for system administration and other critical functions; shared and generic user IDs are not used to administer any system components.
Report Mapping: -> Object
How we help: We can audit activities and events undertaken by the same user from different locations at a given point in time. This allows you to track shared passwords, which could result in potential security issues.
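Items 8.1.1, 8.1.6 and 8.5 above all come down to two questions a reviewer asks of the logon audit trail: is one account being used from several computers at the same time (a sign of a shared or generic ID), and does lockout actually occur within six failed attempts? The Python below is an added example of that review, not Lepide's code or output. It runs over a constructed, space-separated logon log; the line format, the account and computer names, the event kinds "success", "failure" and "lockout", and the 30-minute window used to call two logons "at the same time" are all assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    host: str
    kind: str  # "success", "failure" or "lockout" (this example's own vocabulary)


# Constructed sample log, not real audit data: "<ISO time> <account> <computer> <kind>".
# svc_reports logs on from two computers two minutes apart; a.smith fails seven times
# in a row without being locked out; b.lee is locked out after three failures.
SAMPLE_LOG = """\
2024-03-01T08:00:00 j.doe WS-ACCT-01 success
2024-03-01T08:10:00 svc_reports WS-ACCT-02 success
2024-03-01T08:12:00 svc_reports WS-HR-07 success
2024-03-01T09:00:00 svc_reports WS-ACCT-02 success
2024-03-01T10:00:00 a.smith WS-OPS-03 failure
2024-03-01T10:00:05 a.smith WS-OPS-03 failure
2024-03-01T10:00:10 a.smith WS-OPS-03 failure
2024-03-01T10:00:15 a.smith WS-OPS-03 failure
2024-03-01T10:00:20 a.smith WS-OPS-03 failure
2024-03-01T10:00:25 a.smith WS-OPS-03 failure
2024-03-01T10:00:30 a.smith WS-OPS-03 failure
2024-03-01T10:01:00 a.smith WS-OPS-03 success
2024-03-01T11:00:00 b.lee WS-OPS-04 failure
2024-03-01T11:00:05 b.lee WS-OPS-04 failure
2024-03-01T11:00:10 b.lee WS-OPS-04 failure
2024-03-01T11:00:15 b.lee WS-OPS-04 lockout
2024-03-01T20:00:00 j.doe WS-ACCT-09 success
"""


def parse_log(text: str) -> list[LogonEvent]:
    """Parse the constructed log format into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, kind = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), user, host, kind))
    return events


def concurrent_hosts(events: list[LogonEvent],
                     window: timedelta = timedelta(minutes=30)) -> dict[str, set[str]]:
    """Accounts with successful logons on more than one computer within `window`
    (8.1.1 / 8.5: a shared or generic ID in use). Returns {account: {hosts}}."""
    by_user: dict[str, list[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.kind == "success":
            by_user[e.user].append(e)
    findings: dict[str, set[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for i, first in enumerate(evs):
            hosts = {first.host}
            for later in evs[i + 1:]:
                if later.when - first.when > window:
                    break  # events are sorted, nothing later can be inside the window
                hosts.add(later.host)
            if len(hosts) > 1:
                findings.setdefault(user, set()).update(hosts)
    return findings


def lockout_gaps(events: list[LogonEvent], max_attempts: int = 6) -> dict[str, int]:
    """Accounts whose longest streak of consecutive failures exceeds `max_attempts`
    (8.1.6: lockout should have stopped the seventh attempt). Returns {account: streak}."""
    by_user: dict[str, list[LogonEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings: dict[str, int] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        run = longest = 0
        for e in evs:
            if e.kind == "failure":
                run += 1
                longest = max(longest, run)
            else:
                run = 0  # a success or a lockout ends the streak
        if longest > max_attempts:
            findings[user] = longest
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("concurrent use:", concurrent_hosts(evs))
    print("lockout not enforced:", lockout_gaps(evs))
```

Run as-is it flags svc_reports for use from WS-ACCT-02 and WS-HR-07 within the window, and a.smith for seven consecutive failures with no lockout; j.doe's two computers are twelve hours apart and b.lee's lockout after three failures is exactly what 8.1.6 expects, so neither appears. Feeding the same two functions a real export of logon events is a matter of replacing `parse_log`.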
10. Track and monitor all access to network resources and cardholder data

10.1 Implement audit trails to link all access to system components to each individual user.
Report Mapping: -> Object; Group Policy Modification Reports -> Group Policy Object Modified; /All Database Object
How we help: We provide detailed auditing of access to all the respective systems and users throughout Active Directory, File Servers and SQL Servers.

10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.1 all individual user accesses to cardholder data; 10.2.2 all actions taken by any individual with root or administrative privileges; 10.2.4 invalid logical access attempts.
Report Mapping: -> Object, All Database Object
How we help: Access to the system components by individuals can be audited by Auditor. After the auditing criteria are defined, auditing takes place automatically. Audit trails can be generated for users of all types and privilege levels across any part of the IT environment. We also track and alert on failed access attempts, and audit all the activities performed by users having administrative or any other privileges. Any attempted or completed invalid access to the specified location is also logged by Auditor, and the audit report can be viewed.
10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.
Report Mapping: -> Object; Exchange Server / Exchange Modification Reports -> MS Exchange Modification Reports -> All in Exchange Server; / All Database Object
How we help: All the changes to user accounts and user permissions in Active Directory, Exchange Server, Group Policy, File System and SQL Server are logged as needed. We also audit all the changes to all users, including those having root or administrative permissions.

10.2.6 Initialization, stopping, or pausing of the audit logs
Report Mapping: LepideAuditor For File Server / Software Activity Reports -> Activity Details
How we help: Activities performed on Auditor itself, such as defining audit criteria and starting or stopping auditing, are also monitored by LepideAuditor for File System. The audit report for Auditor activities can be reviewed whenever required.
10.2.7 Creation and deletion of system-level objects
Report Mapping: -> Object, All Database Object
How we help: LepideAuditor audits all the modifications to critical files as specified, Active Directory objects, and SQL Server and database objects (like tables, stored procedures, etc.).

10.3 Record at least the following audit trail entries for all system components for each event: 10.3.1 user identification; 10.3.2 type of event; 10.3.3 date and time; 10.3.4 success or failure indication; 10.3.5 origination of event; 10.3.6 identity or name of affected data, system component, or resource.
Report Mapping: -> Object; Exchange Server / Exchange Modification Reports -> MS Exchange Modification Reports -> All in Exchange Server; SharePoint / All SharePoint Modification Reports; /All Database Object
How we help: Changes made to the system components in Active Directory objects, Group Policy Objects, files and folders on the file system, SQL Server objects (like databases, tables, users, etc.), SharePoint and Exchange Server objects are recorded. Audit reports can be generated that detail user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, components, or resources.
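Requirement 10.3 is the one item on this page that can be checked mechanically: every audit record must carry the six listed entries, the date and time must be machine-readable, and the outcome must actually say success or failure. The Python below is an added example of such a completeness check, not Lepide's code or the format its reports use. It assumes a JSON-lines export with the field names `user`, `event_type`, `timestamp`, `origin`, `outcome` and `target` (this example's own schema) and runs over constructed sample records, two of which are deliberately deficient.

```python
import json
from datetime import datetime

# Mapping from this example's own field names to the PCI DSS 10.3 entry each satisfies.
# PCI DSS names the content, not a schema; any export format with these six facts will do.
REQUIRED_FIELDS = {
    "user": "10.3.1 user identification",
    "event_type": "10.3.2 type of event",
    "timestamp": "10.3.3 date and time",
    "outcome": "10.3.4 success or failure indication",
    "origin": "10.3.5 origination of event",
    "target": "10.3.6 affected data, system component, or resource",
}
VALID_OUTCOMES = {"success", "failure"}

# Constructed sample records (one JSON object per line), not real audit data.
# Line 3 has an empty user, line 4 lacks a target and has a non-ISO timestamp and a
# free-text outcome, line 5 is not JSON at all.
SAMPLE_LOG = """\
{"user": "j.doe", "event_type": "file_read", "timestamp": "2024-03-01T08:00:00Z", "outcome": "success", "origin": "10.0.2.15", "target": "fs01:/cards/batch.csv"}
{"user": "svc_sql", "event_type": "login", "timestamp": "2024-03-01T08:01:00Z", "outcome": "failure", "origin": "10.0.2.20", "target": "SQL01"}
{"user": "", "event_type": "perm_change", "timestamp": "2024-03-01T08:02:00Z", "outcome": "success", "origin": "10.0.2.15", "target": "CN=Domain Admins"}
{"user": "a.smith", "event_type": "logon", "timestamp": "01/03/2024 08:03", "outcome": "ok", "origin": "WS-OPS-03"}
not json at all
"""


def validate_record(rec: dict) -> list[str]:
    """Return the list of 10.3 deficiencies in one record (empty list means complete)."""
    problems = []
    for field, ref in REQUIRED_FIELDS.items():
        value = rec.get(field)
        if value is None or str(value).strip() == "":
            problems.append(f"missing {field} ({ref})")
    ts = rec.get("timestamp")
    if ts:
        try:
            # Accept RFC 3339 "Z" as well as explicit offsets.
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable timestamp {ts!r} (10.3.3)")
    outcome = rec.get("outcome")
    if outcome and outcome not in VALID_OUTCOMES:
        problems.append(f"outcome {outcome!r} is not success/failure (10.3.4)")
    return problems


def audit_log(text: str) -> dict[int, list[str]]:
    """Check every line of a JSON-lines export; returns {line number: problems} for
    deficient records only, so an empty dict means the export satisfies 10.3."""
    findings: dict[int, list[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings[lineno] = ["record is not valid JSON"]
            continue
        if not isinstance(rec, dict):
            findings[lineno] = ["record is not a JSON object"]
            continue
        problems = validate_record(rec)
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    for lineno, problems in sorted(audit_log(SAMPLE_LOG).items()):
        print(f"line {lineno}:")
        for p in problems:
            print(f"  - {p}")
```

On the sample it reports line 3 (empty user), line 4 (no target, a timestamp that is not ISO 8601, and an outcome of "ok") and line 5 (not JSON), and says nothing about lines 1 and 2. The same check run against a real export is a quick way to confirm, rather than assume, that each report type records all six entries before an assessor asks.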
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
Report Mapping: All reports
How we help: The 'All Systems' audit report can be reviewed daily, weekly, monthly or as required. There is also an extensive list of preset reports, or the ability to build your own report as needed.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
Report Mapping: All reports
How we help: Audit logs can be retained for any specified duration.