Network Detective. PCI Compliance Module Using the PCI Module Without Inspector. 2015 RapidFire Tools, Inc. All rights reserved.


Network Detective PCI Compliance Module
Using the PCI Module Without Inspector
2015 RapidFire Tools, Inc. All rights reserved. V20150819 Ver 5T

Contents
Purpose of this Guide ... 4
About Network Detective PCI Compliance Module ... 4
PCI Risk Assessment Depth Modes and Configurations ... 5
Overview ... 6
PCI Assessment Project Initial Set-up ... 7
  Creating a Site ... 7
  Starting a PCI Assessment ... 8
PCI Risk Assessment ... 9
PCI Risk Profile ... 9
Using the Checklist Feature for Assessment Process Guidance ... 10
Planning the On-site Data Collection ... 13
Automated Scans Performed During the PCI Assessment Process ... 14
Optional Computer Scans ... 15
PHASE A - INITIAL DATA COLLECTION ... 16
Phase A - Step 1: Complete the Pre-Scan Questionnaire ... 16
  Assessment Status and Checklist Updates and Progress Tracking ... 18
Phase A - Step 2: Initiate External Vulnerability Scan ... 20
Phase A - Step 3: Initiate the PCI Network Scan Using the PCI Data Collector and Import Results ... 23
  Running the PCI Data Collector - Network Scan ... 23
  Importing the PCI Network Scan Data ... 34
Phase A - Step 4: Use Push Deploy Tool to Initiate Push Quick Local Scan for PCI for Selected Systems and Import Scans ... 36
  Run the PCI Quick Data Local Computer Scan using the Push Deploy Tool based scanner ... 36
  Importing the PCI Quick Local Computer Scan Data into the PCI Assessment ... 43
Phase A - Step 5: Run PCI Data Collector selecting Quick Local Scan on the Computers that Were Unreachable (OPTIONAL) ... 47
Phase A - Step 6: Complete the Gate 1 Completion Verification Worksheet ... 48
Phase A - Step 7: Complete the PCI Post-Scan Questionnaire ... 50
PHASE B - CARDHOLDER DATA ENVIRONMENT (CDE) DEEP SCAN ... 52
Phase B - Step 1: Complete the Cardholder Data Environment ID Worksheet ... 52
Phase B - Step 2: Complete the Deep Scan Selection Worksheet ... 55
Phase B - Step 3: Use Push Deploy Tool to Initiate Push Deep Local Scan for PCI for Selected Systems and Import Scans ... 58
  Run PCI Deep Local Computer Scan with the PCI Push Deploy Tool ... 58
  Importing the PCI Deep Local Computer Scan Data into the PCI Assessment ... 65
Phase B - Step 4: Run the PCI Deep Scan on the Selected Systems Manually (OPTIONAL) ... 69
Phase B - Step 5: Complete the Gate 2 Completion Worksheet ... 70
PHASE C - GET SECONDARY DATA ... 73
Phase C - Step 1: Complete the User ID Worksheet ... 73
Phase C - Step 2: Complete the Anti-Virus Capability Worksheet ... 76
Phase C - Step 3: Complete the Necessary Functions Identification Worksheet ... 78
Phase C - Step 4: Complete the Server Function ID Worksheet ... 80
Phase C - Step 5: Complete the PAN Scan Verification Worksheet ... 82
Phase C - Step 6: Complete the External Port Security Worksheet ... 85
Phase C - Step 7: Complete the PCI Verification Worksheet ... 87
PHASE D - DOCUMENT EXCEPTIONS ... 89
  Complete the Compensating Controls Worksheet (Optional) ... 89
GENERATING REPORTS ... 91
  Customize Your Reports ... 92
  Using the Reports ... 94
  Risk Assessment and Management Plans ... 94
    PCI Policy and Procedure Document ... 94
    PCI Risk Analysis ... 94
    PCI Risk Profile ... 95
    PCI Management Plan ... 95
    Cardholder Data Environment (CDE) Network Diagram and Details Report ... 95
    Evidence of PCI Compliance ... 96
  Documented Questionnaires and Worksheets ... 97
    PCI Pre-scan Questionnaire ... 97
    Post-Scan Questionnaire ... 97
    Cardholder Data Environment ID Worksheet ... 97
    Deep Scan Selection Worksheet ... 97
    User Identification Worksheet ... 97
    Antivirus Capability Worksheet ... 98
    Necessary Function ID Worksheet ... 98
    Server Function ID Worksheet ... 98
    PAN Scan Worksheet ... 99
    External Port Security Identification Worksheet ... 99
    PCI Verification Questionnaire ... 99
    Compensating Controls Worksheet (CCW) ... 99
  External Vulnerability Scan Detail Report ... 100
Appendix I - Group Policy Reference ... 101
  Forward and Introduction ... 101
  Policies for Windows Firewall ... 101
  Policies for Windows Services ... 101
  3rd party Firewalls and Group Policy Considerations ... 102
Appendix II - Site Assessment Reports and Supporting Documents Locations ... 103
Appendix III - PCI Risk Profile Use for Ongoing PCI Compliance Assessments ... 106
Appendix IV - Adding an Inspector to a Site ... 107
Appendix V - Key Terminology ... 109
Appendix VI - Run the PCI Computer Data Collector Quick Local Computer Scan ... 110
Appendix VII - Run PCI Deep Scan Using the PCI Data Collector ... 116
Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time ... 125
  Completing Worksheet and Questionnaires ... 125
  Entering Assessment Responses into Questionnaires and Worksheets ... 125
  Questionnaire and Worksheet Question Response Types ... 125
  Time Savings Tips to Reduce Questionnaire and Worksheet Data Input Time ... 126
  Automatic Pre-population of Default Responses to Topic Questions and Information Requests ... 126
  Saving Time Inputting Responses in Worksheets Through the Use of Shift+Select ... 127

Purpose of this Guide
This document is intended for users of the Network Detective PCI Compliance Module. It will guide you through the initial use of the software as well as the more advanced features. To become familiar with the definitions of the terms used throughout this guide, please refer to Appendix V - Key Terminology found on page 109.

About Network Detective PCI Compliance Module
The Payment Card Industry Data Security Standard (PCI DSS) is an actionable security framework to help Merchants that accept credit/debit cards prepare for, prevent, detect, and respond to security breaches. Per PCI Requirement 12.2, an annual Risk Assessment is a key requirement that must be met to comply with PCI. The Risk Assessment must identify the vulnerabilities in the security of the Cardholder Data Environment (CDE), the threats that can act on those IT system component and software application vulnerabilities, and the likelihood and impact of such an event occurring.
Network Detective's PCI Compliance module is the first professional tool to combine and integrate automated data collection with a structured framework for collecting supplemental assessment information not available through automated tools. The PCI Compliance module is the first solution to allow for the automatic generation of the key Evidence of Compliance documents that are necessary to demonstrate compliance with PCI requirements. This module includes comprehensive checklists that cover a number of the Administrative, Physical, and Technical safeguards defined within the PCI Requirements.
The PCI module produces more than just the documents to satisfy a compliance requirement. The Network Detective PCI module provides factual evidence, expert advice, and direction to individuals performing PCI Risk Assessments in order to minimize or eliminate the risk of a data breach.

PCI Risk Assessment Depth Modes and Configurations
There are two depth levels of PCI assessment that can be performed with the PCI Module.
Option 1 - PCI Module combined with Inspector Mode - Highest PCI Compliance Assessment value
Option 2 - PCI Module standalone Mode - Basic PCI Compliance Assessment value
Select Option 1 when you:
1) have Inspector.
2) require that the Risk Assessment includes an Internal Vulnerability Scan.
3) require a Layer 2/3 Network Diagram of your customer's Cardholder Data Environment (CDE).
Select Option 2 when you:
1) do not have Inspector.
2) have other tools that are used to perform an Internal Vulnerability Scan and produce a network diagram of the CDE.
Where internal computer network and system components are used to store and/or transmit cardholder data, the PCI Data Security Standard requires that an Internal Vulnerability Scan be performed on these devices, to ensure that the risk assessment criteria of the PCI DSS are being met and that any identified vulnerabilities can be remediated in order to prevent a breach of the CDE.
When Inspector is used in combination with the PCI Module, PCI compliance assessments can include an Internal Vulnerability Assessment and a Layer 2/3 Network Diagram to provide a more thorough assessment of a Merchant's IT-based Cardholder Data Environment (CDE), as required by the PCI DSS.

Overview
The Network Detective PCI Compliance Module is composed of the PCI Data Collector, the Network Detective Application, Surveys, Worksheets, and, when available, the Inspector appliance. The process to create a PCI assessment involves four major phases:
Phase A) Initial data collection
Phase B) Cardholder Data Environment (CDE) deep scan
Phase C) Get secondary data
Phase D) Document exceptions in the form of compensating controls
(Figure: Phases of a PCI Assessment Using the PCI Module. Note: the Internal Vulnerability Scan is only included in the Risk Assessment process when using the PCI Module with a RapidFire Tools Inspector Appliance.)
There are two types of PCI assessment that can be performed:
1) PCI Risk Assessment
2) PCI Risk Profile
The Risk Assessment is a complete assessment that includes all worksheets and surveys. You should plan on a day to complete a full assessment on a typical 15-user network. The Risk Profile requires selecting a prior Risk Assessment and reduces the time to complete the assessment by reusing the worksheets and surveys from that Risk Assessment.

PCI Assessment Project Initial Set-up
Creating a Site
The first step in the assessment is creating a Site. All Network Detective assessments are organized into Sites. A Site can be a physical location or a logical grouping, such as a customer account name. Before making a selection you must decide on your assessment strategy. See the Network Detective User Guide for information on Sites.
a. For a single location you will create one Site.
b. For organizations with multiple locations you must decide if you want one set of reports, or separate reports for each location.
Select New Site. Enter the Site name. For Sites with multiple locations, enter a more detailed description. After you are finished entering the Site name, select the Ok button to create the New Site.

Starting a PCI Assessment
From the Home screen, select the Site you wish to start. Click on the Start button. Select either a PCI Risk Assessment for an Annual or Quarterly assessment, or a PCI Risk Profile for a monthly update. A completed PCI Risk Assessment is required prior to running a monthly assessment using the PCI Risk Profile. For more details, refer to Appendix III - PCI Risk Profile Use found on page 106.

PCI Risk Assessment
- Required at least Annually
- Recommended Quarterly as part of a Quarterly Compliance Review
- Requires that all manual WORKSHEETS be completed
- Example: 15-user network in 4-6 hours
PCI Risk Profile
- Monthly Review
- Does NOT require WORKSHEETS
- Requires selecting a prior RISK ASSESSMENT (will use existing worksheets)
- MUCH faster with little manual input
- Example: 15-user network in less than one hour
Enter a Label to identify the assessment. Enter a Comment to help further identify the assessment. Select the Next button to proceed to create/start the new assessment.

Using the Checklist Feature for Assessment Process Guidance
The Checklist will guide you through the assessment process and ensure you have gathered enough data to produce the best assessment possible. As you import scans, complete questionnaires, and fill out worksheets, the Checklist will automatically be revised, adding additional suggestions and indicating where additional information may help produce richer results.
Select Show Checklist to create a document to track your activities throughout the assessment. As you progress through the assessment process, additional items will be added to the Checklist. The assessment's Checklist is always available on the Assessment Window.

The Checklist will be updated continuously as you complete your PCI Compliance Assessment. Throughout the assessment process, the Checklist will update the lists of Open Items and Completed Items to present a list of assessment actions that have been completed and a list of outstanding actions. Required actions will be referenced throughout the Checklist.

New Open Items (i.e. assessment tasks) are added to the Checklist based on the phase and/or steps the user has performed within the assessment process. The Checklist items created and updated within the list relate to the performance of scans, the answering of questionnaires, or the completion of worksheets that are dynamically created throughout the assessment process.

Planning the On-site Data Collection
There are various ways to collect data for a PCI Compliance Risk Assessment. These methods can vary based on time, cost, client expectation, level of detail needed to identify remediation needs, etc.
Initial Assessment Types of collections:
PCI Risk Assessment
- Quick Audit: External Scan + Network Scan + Computer Scan on 1-3 computers + All worksheets
- Full Audit: External Scan + Network Scan + Computer Scan on all computers + All worksheets
PCI Risk Profile
- Quick Audit: External Scan + Network Scan + Computer Scan on 1-3 computers + NO worksheets
- Full Audit: External Scan + Network Scan + Computer Scan on all computers + NO worksheets

Automated Scans Performed During the PCI Assessment Process
The Initial Data Collection phase of the PCI Compliance Assessment consists of the following required and optional scans:
- External Vulnerability Scan
- PCI Network Scan (using the PCI Data Collector)
- PCI Scans on Local Computers (using the Push Deploy Tool to push Local Scans for PCI, and the PCI Data Collector tool for unreachable computers)
- Optional Local Computer Scans (using the PCI Data Collector)
The Inspector and the PCI Data Collector scans make use of multiple technologies/approaches for collecting information on the client network, including:
- Network Scan
- Active Directory
- WMI
- Remote Registry
- ICMP
- File System Scanning
- Windows Registry
- Windows Shares and Permissions
- Security Center

Optional Computer Scans
Throughout the assessment process, the Checklist within the Assessment Window may suggest that Optional scans be undertaken, based on the availability of servers and workstations during automated and network scans, or based on a need to sample-scan machines outside of the Cardholder Data Environment (CDE) that you are assessing. These scans would include:
Optional Scan Type: Run PCI Data Collector selecting Quick Local Scan on the Computers that were unreachable
Description: Run the 'Quick' local scan on any computers that cannot be scanned remotely (i.e. blocked by a firewall, not connected to the domain, or otherwise inaccessible). Run the Local Scan directly on the computer itself.
Optional Scan Type: Run the PCI Deep Scan on the Selected Systems Manually
Description: On systems indicated in the Deep Scan Worksheet that were unable to be scanned remotely, run the PCI Deep Scan locally.

PHASE A - INITIAL DATA COLLECTION
Phase A - Step 1: Complete the Pre-Scan Questionnaire
Completing the Pre-Scan Questionnaire is the first step in the PCI compliance assessment process. To access the Pre-Scan Questionnaire, select the edit PCI Pre-Scan Questionnaire option available within the InForm section of the Network Detective's PCI Module Assessment Window.
Questionnaire and Worksheet Question Response Types
Throughout the PCI risk assessment process, the Network Detective's InForm-based Questionnaires and Worksheets used by the PCI Module must be completed, and typically support three types of responses:
Response Type: Text Response
Description: Free-form text response
Example Use: Describe the condition of the data center.
Response Type: Multiple Choice
Description: Multiple fixed responses
Example Use: Does the firewall have IPS? - Yes - No
Response Type: Checklist Item
Description: An item that is marked off if done
Example Use: Check the security of the door locks
When stepping through the Questionnaire and Worksheet completion process throughout your assessment, you are required to provide answers to the Topics presented. In each row within the Questionnaire or Worksheet, Instructions are presented. To complete a Questionnaire or Worksheet, review the Topics and Instructions listed and document the answers accordingly.
TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see the Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125.

Completing the PCI Pre-Scan Questionnaire
Upon editing (opening) the PCI Pre-Scan Questionnaire, the following window is presented. To document the responses to the Instructions/Questions presented in this questionnaire:
1. Select and review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete all of the surveys within the PCI assessment process, with the exception of the Exception Management process that is performed from within the Compensating Controls Worksheet found later in the PCI Module's assessment process.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual who responded, or who provided the information used to respond, to the topic's question or requirement in the Responded By field.
6. Save your answers periodically, and Save and Close when you are done.

You can return to the Pre-Scan Questionnaire by selecting edit.
Assessment Status and Checklist Updates and Progress Tracking
As questionnaires, scans, and worksheets are completed throughout the PCI Module's Data Collection process, the assessment's Status and Checklist information presented within the Network Detective Assessment Window is updated. For example, once the PCI Pre-Scan Questionnaire is completed, the Status and Check List tracking data for the Assessment will be updated to show the number of Active, Completed and Open Checklist items. You can view the Completed items and the Open items (the additional steps to be completed) within the Checklist tracking document by selecting the Checklist's View link. Refer to the figure below.
After each step in the data collection and assessment process, it is recommended that the Status and Check List information be reviewed in order to plan and execute the next steps to be performed within the assessment.
Impact of Initiated and Completed Scans on Checklist Item Status Information
Checklist items, and their status, that reference the collection of data through automated scans will not be updated to the Completed status until the scan is imported or downloaded into the Active Assessment. As scan data files are imported into the Assessment, the scan data files are listed within the Imported Scans section of the Assessment Window.

The statuses of scans such as the External Vulnerability scan, the PCI Network scan, the Quick Local Computer for PCI scan, and the Deep Local Computer for PCI scan are tracked and listed within the Checklist in the Open and/or Completed Items lists. The status and checklist information for these scans will be updated to Completed after each scan's data files are imported into the assessment itself and listed within the Imported Scans section of the Assessment Window.
Status Information Associated with Questionnaires and Worksheets Added to the Assessment Process
As new questionnaires and worksheets are added to the InForm list, or as questionnaires and worksheets are completed, their status will be updated with a New or Completed status label. The InForm list window below presents questionnaire and worksheet status information.

Phase A - Step 2: Initiate External Vulnerability Scan
Select Initiate External Scan. Enter the range of IP addresses you would like to scan. You may enter up to 16 external addresses.

Select Add to add a range of external IP addresses to the scan. If you do not know the external range, you can use websites such as whatismyip.com to determine the external IP address of a customer. Enter the IP range for the scan. For just one address, enter the same value for the Starting and Ending IP Address.
You can initiate the External Vulnerability Scan before visiting the client's site to perform the data collection. This way, the External Scan data should be available when you are ready to generate the client's reports.
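Added example (not RapidFire Tools code): a Python check of the Start/End pairs before they go into the External Vulnerability Scan request, enforcing the 16-address limit and the single-host Start == End convention described above, and rejecting RFC 1918 and other non-public addresses since an external scan covers the customer's public range. The address limit, the non-public block list and the sample ranges are assumptions of this example, not taken from the product.

```python
"""Added example (not RapidFire Tools code): sanity-check the Start/End
address pairs before submitting an External Vulnerability Scan request.

Assumptions taken from the guide, not verified against the product:
  * at most 16 external addresses may be requested in total;
  * a single host is entered as Start == End;
  * an external scan should only target the customer's public range,
    so RFC 1918 and other non-routable addresses are rejected.
"""
import ipaddress
from typing import List, Tuple

MAX_EXTERNAL_ADDRESSES = 16  # limit stated in the guide

# Address space that can never be the customer's public-facing range.
# Documentation ranges (192.0.2.0/24 etc.) are deliberately left out so
# that the constructed sample data below passes the check.
NON_PUBLIC_NETWORKS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes 255.255.255.255
)]


def is_public(addr: ipaddress.IPv4Address) -> bool:
    """True unless addr falls in one of the non-public blocks above."""
    return not any(addr in net for net in NON_PUBLIC_NETWORKS)


def expand_range(start: str, end: str) -> List[ipaddress.IPv4Address]:
    """Expand an inclusive Start/End pair into individual IPv4 addresses."""
    first = ipaddress.IPv4Address(start)   # raises ValueError on bad input
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range {start}-{end}: ending address precedes starting address")
    return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]


def validate_external_ranges(ranges: List[Tuple[str, str]]) -> List[str]:
    """Return the sorted, de-duplicated addresses the scan request would cover.

    Raises ValueError when a pair is malformed or reversed, an address is not
    publicly routable, or the combined total exceeds the 16-address limit.
    """
    seen = set()
    for start, end in ranges:
        for addr in expand_range(start, end):
            if not is_public(addr):
                raise ValueError(
                    f"{addr} is not a public address; external scans take the "
                    "customer's public range, not the internal LAN")
            seen.add(addr)
    if len(seen) > MAX_EXTERNAL_ADDRESSES:
        raise ValueError(
            f"{len(seen)} addresses requested, limit is {MAX_EXTERNAL_ADDRESSES}")
    return [str(a) for a in sorted(seen)]


if __name__ == "__main__":
    # Constructed sample: one single host (Start == End) plus a small range,
    # both in documentation address space.
    print(validate_external_ranges([("203.0.113.10", "203.0.113.10"),
                                    ("198.51.100.1", "198.51.100.4")]))
```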

In the Initiate External Vulnerability Scan window, enter an email address to be notified when the scan is completed. Click Next to send the request to the servers that will perform the scan. Scans can take several hours to complete. You will receive an e-mail when the scan is complete.
Note that the Assessment Window will be updated to reflect that the External Vulnerability Scan has been initiated. Refer to the Imported Scans list within the Assessment Window detailed in the figure below. The scan's status of pending will be updated to complete once the scan is completed, and you will receive the "scan is complete" email message. Note the External Vulnerability Scan's complete status below.

Phase A - Step 3: Initiate the PCI Network Scan Using the PCI Data Collector and Import Results
Running the PCI Data Collector - Network Scan
NOTE: THE FOLLOWING LOCAL COMPUTER SCANNING PROCESS IS ONLY USED WHEN INSPECTOR IS NOT USED WITH THE PCI MODULE.
The PCI Data Collector is a self-extracting zip file that executes an .exe and is completely noninvasive: it is not installed on the domain controller or any other machine on the client's network, and does not make any changes to the system. The PCI Data Collector makes use of multiple technologies/approaches for collecting information on the client network, including:
- Network Scan
- Active Directory
- WMI
- Remote Registry
- ICMP
- File System Scanning
- Windows Registry
- Windows Shares and Permissions
- Security Center
Step 1 - Install the PCI Data Collector
Visit the RapidFire Tools software download website and download and run the PCI Data Collector executable program. The PCI Data Collector is a self-extracting ZIP file that does not install on the client computer. Use the unzip option to unzip the files into a temporary location and start the collector.
Step 2 - Configure the PCI Data Collector Network Scan
Starting the PCI Data Collector application will present the following screen.

If you are running on a computer in the network, such as the domain controller, to run a network scan, select the PCI Network Data Collector option. Select the Next button and the Credentials window will be presented.
Step 3 - Configure the PCI Data Collector Network Scan
The Credentials window will be displayed to enable you to configure the type of network you are scanning (either an Active Directory domain or a Workgroup). Then you can assign the required administrative credentials necessary to access the network environment during the scanning process.

Enter the Credentials by performing these steps:
1. Enter the type of network you are scanning (Active Directory Domain or Workgroup).
2. Enter a username and password with administrative rights to connect to the local Domain Controller and Active Directory. If in a domain, clicking the Next button will test a connection to the local Domain Controller and Active Directory to verify your credentials. If you are scanning a Workgroup environment, enter credentials which can access the individual workstations as a local administrator.
3. Select the Next button. At this point in the process, the Local Domains window will be presented.
Note: If you select to scan a Workgroup, then the Local Domains selection step in this process will be skipped.

Step 4 - Configure the Local Domains
Select the Domains to gather information from by performing these steps:
1. Select to gather information from ALL domains detected, or from Domains and OUs you select.
2. Select the Next button. You will then be requested to confirm the Domain and OU when the Domain and OU Confirmation window is presented, as seen below.

Select the OK button to confirm the Domain and OUs you have selected. At this point in the process, the External Domains screen will be presented.
Step 5 - Configure the External Domains
Enter the name(s) of the organization's External Domains. A Whois query and MX (mail) record detection will be performed upon selecting the Next button. The IP Ranges screen will then be presented.
Step 6 - Configure the Network IP Address Range to be Scanned
Enter the Starting and Ending IP Addresses for the range(s) you want to scan in the fields that are highlighted in blue.

Scans may affect network performance. Select Perform minimal impact scan if this is an issue. Then select the Next button. The SNMP Information screen will be presented. 28

Step 7 - Configure the SNMP Community String Information
Enter any additional SNMP community strings used on the network. Then click on the Next button. The Microsoft Baseline Security Analyzer (MBSA) screen will be presented.

Step 8 - Configure the Scan to Run MBSA and the Patch Analysis
The Microsoft Baseline Security Analyzer (MBSA) window enables you to select whether to run the MBSA and Patch Analysis during the Network Scan. If MBSA is needed, please follow the instructions to install the MBSA software as directed in the MBSA window. If the MBSA is installed at this step, please be sure to select the Refresh button to include MBSA in the data collection scan. Select the MBSA and Patch Analysis for the most informative scan. Then select the Next button.

Step 9 - Verify and Run the Scan
Select the folder in which you want to store the scan data file after the scan is completed. You may change the scan's Output Assessment File Folder location and Basename for the scan data. Enter any Comments and then select Start. The Collection Progress window will then be displayed, as presented below.

Step 10 - Monitor the Network Scan's Collection Progress
The network scan's status is detailed in the Collection Progress window, which presents the progress of each of the scanning processes being undertaken. MBSA is an external program provided by Microsoft. It can take 1-5 minutes per node to run; more than one node is checked at a time, and 256 nodes usually take about 30 minutes. Patch analysis can take more than 8 minutes per computer. At any time you can select Cancel Data Collection, which discards the data collected so far. Selecting Wrap It Up terminates the scan and lets you generate reports from the incomplete data collected up to that point. Upon completion of the scan, the Finish window will be displayed.

Step 11 - Complete the PCI Data Collector Network Scan Process
The Finish window indicates that the scan is complete and lets you review the scan output file's location and the scan's Results Summary. Click the Done button to close the PCI Data Collector window. Note the location where the scan's output file is stored.

Importing the PCI Network Scan Data
The final step in this process is to import the data collected during the PCI network scan into the active PCI assessment. Click the Import File button in the Network Detective Assessment window. The Select the Scan Results window will be displayed, allowing you to import the .pci file produced by the PCI network scan into the assessment. Browse to and select the PCI network scan data file, then click the Next button to import the scan data. A successful import is confirmed by the Scan Archive Created window, as presented below.

Select the Finish button to complete the scan file import process. After the .pci file is imported, the Assessment window is updated to show the PCI network scan data under the Imported Scans section, and the Status and Checklist indicators are updated to present the assessment's current status. Refer to the figure below. The Imported Scans section lists every file imported into the assessment, as seen below.

Phase A - Step 4: Use the Push Deploy Tool to Initiate a Push Quick Local Scan for PCI on Selected Systems and Import the Scans
Run the PCI Quick Data local computer scan using the Push Deploy Tool based scanner. NOTE: THE FOLLOWING LOCAL COMPUTER SCANNING PROCESS IS ONLY USED WHEN INSPECTOR IS NOT USED WITH THE PCI MODULE.

Steps to Run the PCI Quick Data Local Computer Scan Using the Push Deploy Tool
The PCI Push Deploy Tool pushes the local data collector to machines in a specified range and saves the scan files to a specified directory (which can also be a network share). The benefit of the tool is that the local scan can be run simultaneously on each computer from a centralized location. The output files (.pci and .pcd files) from the local scans can either be stored on a USB drive and taken off site to be imported into the active assessment within Network Detective, or be automatically uploaded to the RapidFire Tools secure cloud storage area using the Client Connector Network Detective add-on and later downloaded from that storage area to the Network Detective application for use in report generation. Because these output files contain the collected system data, restrict access to the storage folder (or share) and to any USB drive used to carry them.

Step 1 - Install and Run the PCI Push Deploy Tool
To perform a local computer scan, obtain the PCI Push Deploy Tool .zip file and extract its contents either to a USB drive or directly to any machine on the target network. Then run PushDeployToolPci.exe from the PushDeployTool folder created by the .zip extraction.

Step 2 - Configure the Push Deploy Tool to Perform the Quick Local Computer Scan and Add Credentials
Starting the Push Deploy Tool presents the following window. Set the Storage Folder location and select the PCI Quick Data (PCI) scanning option.

Next, type in the administrator-level Username and Password credentials necessary to access the local computers on the network to be scanned. Then select the Computers and Collection Status tab.

Step 3 - Add the Computers to Scan
The Computers and Collection Status window allows you to:
- Add a Single Computer to be scanned
- Add (computers) from File that are to be scanned
- Add (computers) from IP Range that are to be scanned
- or Save Computers to File, to export the list of computers so it can be scanned again in future assessments

Process to Configure the Computers to be Scanned
As referenced above, there are three methods of creating/adding the list of computers to be scanned by the Push Deploy Tool.

Method 1 - Add a Single Computer to be Scanned
To use the Add Single Computer method, type the computer's IP address as shown below, then click the Add Single Computer link to the right of the IP address entry field.

Method 2 - Add (computers) from File that are to be Scanned
Click the Add from File link and select the text file that contains the IP addresses of the computers to be included in the scan. Select the file, then click the Open button.

The file containing the IP addresses can be created using the Push Deploy Tool's Save Computers to File feature, or created manually with a text editor using the text format required for the IP addresses to be recognized by the Push Deploy Tool. When the file is opened, the IP address and computer information is imported into the Push Deploy Tool and presented in the Computers and Collection Status window for verification before the scan is started.

Method 3 - Add (computers) from IP Range that are to be Scanned
Click the Add from IP Range link and define the starting and ending IP addresses of the range of computers to be included in the scan. When you have entered the range in the IP Range window, select the OK button.

After one or more of the above methods have been used to define the computers to be scanned, their names and IP addresses are listed in the Computers and Collection Status window.

Step 4 - Initiating the Scan
After creating the list of one or more computers to scan, initiate the scan by selecting the Start Data Collection button. The status of each computer's scan is shown in the Computers and Collection Status window, as presented below.

Upon completion of all of the scheduled scans, the collected scan data is stored in the Storage Location folder shown in the Collected Data Files window of the PCI Push Deploy Tool.

Step 5 - Verify that the Quick Local Computer Scan Data has been Collected
To verify that the scan data produced by the PCI Push Deploy Tool is available for your assessment, select the Collected Data Files tab within the PCI Push Deploy Tool. The Collected Data Files window will be displayed.

Step 6 - Verify that the PCI Quick Local Computer Scan Files are Available from the Scan Process
Refresh the list of files by clicking the Refresh Data Files link. This updates the list of scan data files available in the Current Storage Folder. After the Quick Local Computer Scans are complete for all of the selected computers, the next phase is to import the scan data files produced by the Quick Local Scan into the current PCI assessment.
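The IP Ranges screen (Step 6 of the network scan) and the Push Deploy Tool's Add from IP Range and Add from File options all take scan targets as start/end ranges or as a text file of addresses, and every address entered becomes something the collector will touch with administrator credentials. The following is an added example, not code from Network Detective or RapidFire Tools, of how to expand such ranges into a target list while refusing anything outside the networks the client has authorized. The authorized CIDR blocks and the ranges are constructed sample data, and the one-address-per-line file it writes is an assumed layout: the page does not describe the Push Deploy Tool's file format, so compare against a file produced by Save Computers to File before relying on it.

```python
"""
Added example (not part of the Network Detective documentation or software):
expand start/end IP ranges into a scan target list and refuse any address
outside the authorized scope.

Assumptions, labelled because the page does not specify them:
  - authorized networks are known as CIDR blocks (AUTHORIZED is constructed);
  - the host-list file uses one IPv4 address per line (assumed layout).
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample scope: the networks the engagement allows us to scan.
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]


def expand_range(start: str, end: str) -> List[ipaddress.IPv4Address]:
    """Expand an inclusive start..end range into individual addresses."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} is below range start {start}")
    # summarize_address_range yields the minimal set of networks covering the
    # span; iterating each network yields every address in it, edges included.
    return [ip for net in ipaddress.summarize_address_range(first, last) for ip in net]


def partition_by_scope(addresses: Iterable[ipaddress.IPv4Address],
                       authorized: Iterable[ipaddress.IPv4Network] = AUTHORIZED
                       ) -> Tuple[List[str], List[str]]:
    """Split addresses into (in_scope, out_of_scope) against the authorized CIDRs."""
    authorized = list(authorized)
    in_scope: List[str] = []
    out_of_scope: List[str] = []
    for ip in addresses:
        target = in_scope if any(ip in net for net in authorized) else out_of_scope
        target.append(str(ip))
    return in_scope, out_of_scope


def build_host_list(ranges, authorized=AUTHORIZED, exclude=()) -> List[str]:
    """Return the de-duplicated, sorted in-scope host list for the given ranges.

    Raises ValueError if any address falls outside the authorized networks:
    a scan that strays onto a neighbour's network is an incident, not a typo.
    """
    seen = set()
    for start, end in ranges:
        seen.update(expand_range(start, end))
    seen.difference_update(ipaddress.IPv4Address(x) for x in exclude)
    in_scope, out_of_scope = partition_by_scope(sorted(seen), authorized)
    if out_of_scope:
        raise ValueError(
            f"{len(out_of_scope)} address(es) outside authorized scope, "
            f"first offender {out_of_scope[0]}")
    return in_scope


def write_host_file(hosts: List[str], path: str) -> int:
    """Write one address per line (assumed file layout) and return the count."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    targets = build_host_list(
        [("10.10.1.1", "10.10.1.20"), ("192.168.50.10", "192.168.50.12")],
        exclude=["10.10.1.5"])          # e.g. a host the client asked us to skip
    print(len(targets), "hosts in scope; first:", targets[0])
    try:
        build_host_list([("10.10.1.250", "10.11.0.3")])   # range crosses into 10.11/16
    except ValueError as exc:
        print("refused:", exc)
```

The refusal on the second call is the point: a start/end range typed with one wrong octet silently crosses a /16 boundary, and the tool will happily scan whatever it is given.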

Importing the PCI Quick Local Computer Scan Data into the PCI Assessment
The final phase in this process is to import the data collected by the PCI Push Deploy Tool's local computer scanner into the PCI assessment. To import the scan data, click the Import File button within the Imported Scans section of the Assessment window. The Select Scan Results window will be displayed; it enables you to browse to, select, and import the .pci scan file into the assessment. Click the Browse button in the Network Detective wizard's Select the Scan Results window to select the scan data file to import. The Open Network Assessment Data File window will then be displayed.

Select the file you would like to import and click the Open button. The Select the Scan Results window in the wizard will then show the name of the file selected for import.

Select the Next button to start the import (data merge) process. The Network Detective Merger window will be displayed. Select the Merge Now button. The Scan Archive Created window shown below will be displayed, indicating that the merge (import) process is complete.

Next, select the Finish button in the Scan Archive Created window. The Imported Scans list within the Assessment window will now show the .cdf, .sdf, and .wdf files, which hold the Computer Scan, Security Scan, and WiFi Scan data collected by the PCI Push Deploy Tool scanning process and added to the PCI assessment.

Phase A - Step 5: Run the PCI Data Collector Quick Local Scan on the Computers that Were Unreachable (OPTIONAL)
Using the PCI Data Collector, run the local scan on any computers that could not be scanned remotely (for example, because they are blocked by a firewall, not joined to the domain, or otherwise inaccessible). If you do not need to scan any unreachable computers, proceed to the next step, Phase A - Step 6: Complete the Gate 1 Completion Verification Worksheet, found on the next page. Use the PCI Data Collector to run the PCI Quick Local Scan manually on the selected computers. For instructions, refer to Appendix VI - Run the PCI Data Collector Quick Local Computer Scan, found on page 110.

Phase A - Step 6: Complete the Gate 1 Completion Verification Worksheet
After the initial phase of the PCI assessment process is completed, the Gate 1 Completion Worksheet is added to the InForm section of the Assessment window. Its purpose is to confirm that the initial phase of the PCI assessment, including any optional scans, has been performed before you proceed to the next phase of the assessment process. To complete the worksheet, click the edit link next to the Gate 1 Completion Worksheet entry in the InForm questionnaire/worksheet list. The Gate 1 Completion Worksheet window will be displayed.

If you are ready to proceed to the next step in the assessment process, complete this worksheet by selecting the Yes response in the Response field and saving the worksheet. Once the Gate 1 Completion Worksheet is saved with an affirmative answer, indicating that the initial data collection process is complete, the worksheet/questionnaire list within the InForm section of the Assessment window is updated to include the following questionnaires and worksheets:
- PCI Post-Scan Questionnaire
- Cardholder Data Environment ID Worksheet
The Checklist is also updated to include the additional work items that must be completed.

Phase A - Step 7: Complete the PCI Post-Scan Questionnaire
The PCI Post-Scan Questionnaire contains questions formulated from the results of the PCI Data Collector scans performed during the assessment, in order to build a comprehensive assessment. The answers are included in the appropriate reports. To access the PCI Post-Scan Questionnaire, select the edit option next to PCI Post-Scan Questionnaire in the InForm section of the Network Detective PCI Module, as shown here. Upon opening the PCI Post-Scan Questionnaire, the following window is presented. To document the responses to the Instructions/Questions presented in this questionnaire:
1. Select and review the Topic.

2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the questionnaire.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual who responded, or who provided the information used to respond, to the topic's question or requirement in the Responded By field.
Save your answers periodically and select Save and Close when you are done. You can return to the Post-Scan Questionnaire by selecting edit within the InForm section of the Assessment window. After the PCI Post-Scan Questionnaire is completed, the word "complete" is displayed next to the questionnaire's label in the InForm section of the Assessment window.
TIME SAVINGS TIP: To learn more about how to save time completing questionnaires and worksheets, see Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time, found on page 125.

PHASE B - CARDHOLDER DATA ENVIRONMENT (CDE) DEEP SCAN
In this critical phase of the PCI assessment process, both worksheets and scans must be completed in order to assess the PCI compliance of the Cardholder Data Environment's system components and computers.

Phase B - Step 1: Complete the Cardholder Data Environment ID Worksheet
The Cardholder Data Environment ID Worksheet contains a list of the system components identified during the network scan phase of the automated data collection. The components listed operate within a particular domain or workgroup, and non-domain devices are included as well. In this worksheet you document the purpose of each piece of equipment, whether it is part of the Cardholder Data Environment (CDE), and whether it is within the scope of the PCI compliance requirements; alternatively, you confirm that the component is not part of the CDE. When deciding, keep in mind that PCI DSS scope covers not only systems that store, process or transmit cardholder data but also systems that connect to the CDE or could affect its security. To access the worksheet, select the edit option next to Cardholder Data Environment ID Worksheet in the InForm section of the Network Detective PCI Module, as shown here. Upon editing the Cardholder Data Environment ID Worksheet, the following window is presented:

Within this worksheet is the list of system components identified during the network scanning process. These devices are either in a domain, in a workgroup, or non-domain devices. For each device, either the machine name or the IP address is displayed in the Topic column. Additional details about each device are documented in the Notes field, including the OS version, IP address, Description data, and possibly the CPU version. To document the responses to the Instructions/Questions presented in this worksheet:
1. Select and review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the worksheet.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual who responded, or who provided the information used to respond, to the topic's question or requirement in the Responded By field.
6. Save your answers periodically and select Save and Close when you are done.
You can return to the Cardholder Data Environment ID Worksheet by selecting edit.

After the Cardholder Data Environment ID Worksheet is saved, the list of questionnaires and worksheets in the InForm section of the Assessment window is updated to include the Deep Scan Selection Worksheet.
TIME SAVINGS TIP: To learn more about how to save time completing questionnaires and worksheets, see Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time, found on page 125.

Phase B - Step 2: Complete the Deep Scan Selection Worksheet
The PCI Deep Scan, which includes a search for Primary Account Number (PAN) data (that is, cardholder data) on workstations and servers, should be run on every accessible computer in the Cardholder Data Environment (CDE), along with a sampling of computers outside the CDE. The sample outside the CDE matters: PAN data found on a system that was believed to be out of scope brings that system into scope. After the initial phase of the PCI assessment process is completed, the Deep Scan Selection Worksheet is added to the InForm section of the Assessment window. The PCI Deep Scan determines whether PAN data is potentially present on any workstation or server. Note: the computers selected in this worksheet are scanned using the PCI Data Collector computer scan with Deep Scan mode turned on, so that a detailed search for files containing PAN data is undertaken during the scanning process. To select which systems are to be scanned by the Deep Scan process, click the edit option for the Deep Scan Selection Worksheet in the InForm section of the Assessment window. Upon editing the Deep Scan Selection Worksheet, the following window is presented:

To document the responses to the Instructions/Questions presented in this worksheet:
1. Select and review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the worksheet. Note: answer each instruction/question with Yes if the listed workstation or server is to undergo the Deep Scan.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual who responded, or who provided the information used to respond, to the topic's question or requirement in the Responded By field.
Save your answers periodically and select Save and Close when you are done. You can return to the Deep Scan Selection Worksheet by selecting edit.

TIME SAVINGS TIP: To learn more about how to save time completing questionnaires and worksheets, see Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time, found on page 125.
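To make concrete what the Deep Scan's PAN search has to do, and why its results still need the PAN Scan Verification Worksheet added later in the process, here is an added example, not code from Network Detective or RapidFire Tools, of a three-stage PAN detector: a digit-run candidate pattern, an issuer prefix and length check, and the Luhn check digit. A bare digit pattern matches phone numbers, order references and timestamps; the prefix/length and Luhn stages discard most of that noise. The issuer prefixes (Visa 4; Mastercard 51-55 and 2221-2720; American Express 34 and 37; Discover 6011 and 65) are an assumption about what such a scanner looks for, not the product's rules, and the sample text and card numbers are constructed industry test numbers.

```python
"""
Added example (not Network Detective code): candidate pattern + issuer
prefix/length + Luhn check, the three tests a PAN search needs to keep
false positives down. Issuer table is an assumption; sample data constructed.
"""
import re
from typing import List, Optional, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Map a digit string to a card brand by prefix and length (assumed table)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "Amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


def mask(digits: str) -> str:
    """Keep first six and last four only (PCI DSS display rule); never log a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[str, str, int]]:
    """Return (masked_pan, brand, offset) for each candidate that passes all tests."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = issuer(digits)
        if brand and luhn_ok(digits):
            hits.append((mask(digits), brand, m.start()))
    return hits


# Constructed sample file content: one real-looking Visa, one Amex, one Visa
# with a wrong check digit, a phone number and a 16-digit order reference.
SAMPLE = """\
Invoice 2024-0117 for customer ref 1234567890123456
Card on file: 4111 1111 1111 1111 exp 09/27
Backup contact 555-123-4567, ticket 4111-1111-1111-1112
AMEX corporate 378282246310005
"""

if __name__ == "__main__":
    for masked, brand, offset in find_pans(SAMPLE):
        print(f"{brand:<10} {masked} at offset {offset}")
```

On the constructed sample only the Visa and the Amex survive: the order reference fails the issuer check, the phone number is too short to be a candidate, and the second Visa-like number fails Luhn. A scanner that stopped at the digit pattern would have reported all four, which is exactly the kind of result the later verification worksheet exists to weed out; note also that only masked values leave the function, since a scan report that reproduces full PANs is itself cardholder data.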

Phase B - Step 3: Use the Push Deploy Tool to Initiate a Push Deep Local Scan for PCI on Selected Systems and Import the Scans
A full PCI assessment requires running a Deep Scan using the local computer data collector on all of the selected computers.

Run the PCI Deep Local Computer Scan with the PCI Push Deploy Tool
Steps to Run the PCI Deep Data Local Computer Scan Using the Push Deploy Tool
If the Push Deploy Tool has already been installed in order to perform the PCI Quick Local Scan, skip Step 1 and proceed to Step 2. The PCI Push Deploy Tool pushes the local data collector to machines in a specified range and saves the scan files to a specified directory (which can also be a network share). The benefit of the tool is that the local scan can be run simultaneously on each computer from a centralized location. The output files (.pci and .pcd files) from the local scans can either be stored on a USB drive and taken off site to be imported into the active assessment within Network Detective, or be automatically uploaded to the RapidFire Tools secure cloud storage area using the Client Connector Network Detective add-on and later downloaded from that storage area to the Network Detective application for use in report generation. Deep Scan output can record where PAN data was found, so restrict access to the storage folder (or share) and to any USB drive used to carry it.

Step 1 - Install and Run the PCI Push Deploy Tool
To perform a local computer scan, obtain the PCI Push Deploy Tool .zip file and extract its contents either to a USB drive or directly to any machine on the target network. Then run PushDeployToolPci.exe from the PushDeployTool folder created by the .zip extraction.

Step 2 - Configure the Push Deploy Tool and Add Credentials
Starting the PCI Push Deploy Tool presents the following window. Click the Settings and Configuration tab to configure the Storage Folder settings needed to store the scan data and to enter the Credentials.

Set the Storage Folder location and select the PCI Deep Data (PCI) scanning option. Next, type in the administrator-level Username and Password credentials necessary to access the local computers on the network to be scanned. Then select the Computers and Collection Status tab.

Step 3 - Add the Computers to Scan
The Computers and Collection Status window allows you to:
- Add a Single Computer to be scanned
- Add (computers) from File that are to be scanned
- Add (computers) from IP Range that are to be scanned
- or Save Computers to File, to export the list of computers so it can be scanned again in future assessments

Process to Configure the Computers to be Scanned
As referenced above, there are three methods of creating/adding the list of computers to be scanned by the Push Deploy Tool.

Method 1 - Add a Single Computer to be Scanned
To use the Add Single Computer method, type the computer's IP address as shown below, then click the Add Single Computer link to the right of the IP address entry field.

Method 2 - Add (computers) from File that are to be Scanned
Click the Add from File link and select the text file that contains the IP addresses of the computers to be included in the scan. Select the file, then click the Open button.

The file containing the IP addresses can be created using the Push Deploy Tool's Save Computers to File feature, or created manually with a text editor using the text format required for the IP addresses to be recognized by the Push Deploy Tool. When the file is opened, the IP address and computer information is imported into the Push Deploy Tool and presented in the Computers and Collection Status window for verification before the scan is started.

Method 3 - Add (computers) from IP Range that are to be Scanned
Click the Add from IP Range link and define the starting and ending IP addresses of the range of computers to be included in the scan. When you have entered the range in the IP Range window, select the OK button.

After one or more of the above methods have been used to define the computers to be scanned, their names and IP addresses are listed in the Computers and Collection Status window.

Step 4 - Initiating the Scan
After adding the list of one or more computers to scan, initiate the scan by selecting the Start Data Collection button. The status of each computer's scan is shown in the Computers and Collection Status window.

Upon completion of all of the scheduled scans, the collected scan data is stored in the Storage Location folder shown in the Collected Data Files window of the PCI Push Deploy Tool.

Step 5 - Verify that the Deep Local Computer Scan Data has been Collected
To verify that the scan data produced by the PCI Push Deploy Tool is available for your assessment, select the Collected Data Files tab within the PCI Push Deploy Tool. The Collected Data Files window will be displayed.

Step 6 - Verify that the PCI Deep Local Computer Scan Files are Available from the Scan Process
Refresh the list of files by clicking the Refresh Data Files link. This updates the list of scan data files available in the Current Storage Folder. After the Deep Local Computer Scans are complete for all of the selected computers, the next phase is to import the scan data files produced by the Deep Local Scan into the current PCI assessment.

Importing the PCI Deep Local Computer Scan Data into the PCI Assessment
The final phase in this process is to import the data collected during the PCI Deep Data Scan performed by the PCI Push Deploy Tool's local computer scanner into the PCI assessment. To import the scan data, click the Import File button within the Imported Scans section of the Assessment window. The Select Scan Results window will be displayed; it enables you to browse to, select, and import the .pcd scan file into the assessment. Click the Browse button in the Network Detective wizard to select the scan data file to import. The Open Network Assessment Data File window will then be displayed.

Select the file you would like to import and click the Open button. The Select the Scan Results window in the wizard will then show the name of the file selected for import.

Select the Next button to start the import (data merge) process. Select the Merge Now button. The Scan Archive Created window shown below will be displayed, indicating that the merge (import) process is complete.

Next, select the Finish button in the Scan Archive Created window. The Imported Scans list within the Assessment window will now show the .cdf, .sdf, and .wdf files, which hold the Computer Scan, Security Scan, and WiFi Scan data collected by the PCI Push Deploy Tool scanning process and added to the PCI assessment. The final steps of the process are to click the Refresh Checklist option in the Assessment window and review the Checklist for any new items.

Phase B - Step 4: Run the PCI Deep Scan on the Selected Systems Manually (OPTIONAL)
Before completing the Gate 2 Completion Worksheet in the next step, it may be necessary to collect PCI Deep Scan data from any computers that were unavailable during the Push Deep Local Scan performed with the PCI Push Deploy Tool (this guide covers the process without Inspector). If you do not need to scan any unreachable computers, proceed to the next step, Phase B - Step 5: Complete the Gate 2 Completion Worksheet, found on the next page. Use the PCI Data Collector to run the PCI Deep Scan manually on the selected computers. For instructions on how to use the PCI Data Collector to perform the PCI Deep Scan, refer to Appendix VII - Run PCI Deep Scan Using the PCI Data Collector, found on page 116.

Phase B - Step 5: Complete the Gate 2 Completion Worksheet
The purpose of the Gate 2 Completion Worksheet is for you to confirm that you have completed all of the PCI Deep Scans you wish to perform and include within the PCI assessment. After the deep scanning phase of the PCI assessment process is completed, the Gate 2 Completion Worksheet is added to the InForm section of the Assessment window. Completing it confirms that the second phase of the PCI assessment has been performed before you proceed to the next phase. To complete the Gate 2 Completion Worksheet, click the edit link next to the Gate 2 Completion Worksheet entry in the InForm questionnaire/worksheet list. The Gate 2 Completion Worksheet window will be displayed.

If you are ready to move on to the next phase of the assessment process, answer the question regarding the completion of the deep scans with a Yes response and click Save. Then close the worksheet's window. After completing the Gate 2 Completion Worksheet, click the Refresh Checklist link within the Assessment window to update the Checklist. Completing the Gate 2 Completion Worksheet also adds several new worksheets to the InForm section of the Assessment window. These new worksheets represent the next steps in the PCI assessment process.

These new worksheets are:
- User ID Worksheet
- Antivirus Capability Worksheet
- Necessary Functions Worksheet
- Server Function ID Worksheet
- PAN Scan Verification Worksheet
- External Port Security Worksheet
TIME SAVINGS TIP: To learn more about how to save time completing questionnaires and worksheets, see Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time, found on page 125.

PHASE C - GET SECONDARY DATA

Phase C - Step 1: Complete the User ID Worksheet
The User ID Worksheet enables you to identify each user and document whether they are authorized to access the Cardholder Data Environment (CDE) you are assessing. The worksheet contains a list of the users identified as having network/system access rights during the network scan phase of the automated data collection. In this worksheet you document the type of each user account (for example: Employee CDE access, Employee no CDE access, General Account, Vendor CDE access, Vendor no CDE access, and so on). To access the User ID Worksheet, select the edit option next to User ID Worksheet in the InForm section of the Network Detective PCI Module, as shown here. From the Assessment window, edit the User Identification Worksheet.

To document the responses to the Instructions/Questions presented in this worksheet:
1. Select and review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the worksheet. To save time, you may select from the list of responses provided in the Response field to pre-populate each user record.

For each user you can select the Response field and change the default response to the one required. The Remote Access to CDE topic lets you document the employees and/or vendors who have the rights necessary to access the CDE remotely. Complete the worksheet for all of the users listed.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual who responded, or who provided the information used to respond, to the topic's question or requirement in the Responded By field.
Save your answers periodically and select Save and Close when you are done. You can return to the User Identification Worksheet by selecting edit.
TIME SAVINGS TIP: To learn more about how to save time completing questionnaires and worksheets, see Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time, found on page 125.

Phase C - Step 2: Complete the Anti-Virus Capability Worksheet
The Anti-Virus Capability Worksheet is used to assess and document the PCI-relevant features of any anti-virus and/or anti-spyware software installed on the servers and workstations operating within the environment scanned by the PCI Module. To access the Antivirus Capability Worksheet, select the edit option next to Antivirus Capability Worksheet in the InForm section of the Network Detective PCI Module assessment window, as seen here. Upon editing the Antivirus Capability Worksheet, the following window is presented. The Antivirus Capability Worksheet presents a list of the anti-virus and anti-spyware applications installed within the assessed IT environment. They are listed so that you can document an examination of the features each application provides. The final Antivirus Capability assessment is the result of your responses to a series of questions that document the features of each of these anti-virus and anti-spyware applications. To document the responses to the Instructions/Questions presented in this worksheet:
1. Select and review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the worksheet. Note: answer each instruction/question with Yes only if the anti-virus/anti-spyware product meets that criterion as detailed in the worksheet.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual who responded, or who provided the information used to respond, to the topic's question or requirement in the Responded By field.
Save your answers periodically and select Save and Close when you are done. You can return to the Antivirus Capability Worksheet by selecting edit.
TIME SAVINGS TIP: To learn more about how to save time completing questionnaires and worksheets, see Appendix VIII - Time Saving Features to Reduce Questionnaire and Worksheet Completion Time, found on page 125.

Phase C - Step 3: Complete the Necessary Functions Identification Worksheet
The Necessary Functions Identification Worksheet is used to assess, validate, and document the need for the services, drivers, and features that are installed and/or running on the servers and workstations operating within the CDE scanned by the PCI Module. To access the Necessary Functions Identification Worksheet, select the edit option next to Necessary Functions Worksheet in the InForm section of the Network Detective PCI Module assessment window, as seen here. Upon editing the Necessary Functions Worksheet, the following window is presented. This worksheet presents the process used to document the services, drivers, and features installed and operating on each server and/or workstation within the assessed IT environment.

The equipment that has been identified is listed in the worksheet to enable you to answer if a service, driver, or feature that is operating on a given server or workstation is necessary. To save you time, by default, the Response is set to Yes, to indicate that the service, driver, or feature is necessary. If the item listed is not required, then, you should change the response to No. To document the responses to the Instructions/Questions presented in this worksheet: 1. Select and Review the Topic. 2. Review the Instructions. Instructions provide guidance and are not included in the reports. 3. Enter the Response. A Response must be given for each entry to complete the survey. Note: Answer each instruction/question with the documented purpose/function of each service, driver, or feature that is operating on a given server or workstation in an effort to document the applications, drivers, and services that are operating on system components within the Cardholder Data Environment (CDE) per the PCI requirements. 4. Enter any Notes relevant to the topic s response. 5. Enter the name of individual that responded or provided information to respond to the topics question or requirement in the Responded By field. Save your answers periodically and Save and Close when you are done. You can return to the Necessary Functions Worksheet by selecting edit. TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see Appendix VIII Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125. 79

Phase C - Step 4: Complete the Server Function ID Worksheet

The Server Function Identification Worksheet is used to assess and document the function that each server operating within the Cardholder Data Environment (CDE) performs.

To access the Server Function Identification Worksheet, select the edit Server Function ID Worksheet option available within the InForm section of the Network Detective's PCI Module assessment window, as seen here:

Upon editing the Server Function Identification Worksheet, the following window is presented:

This worksheet presents the process used to document the role of each server operating within the assessed IT environment. The equipment that has been identified is listed in the worksheet so that you can answer a series of questions documenting the function and purpose of each server operating within your customer's IT environment.

To document the responses to the Instructions/Questions presented in this worksheet:

1. Select and Review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the survey. Note: Answer each instruction/question with the documented purpose/function of each server, in order to ensure that each server performs only the number of IT functions allowed within the Cardholder Data Environment (CDE) per the PCI specification.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual that responded, or provided the information needed to respond, to the topic's question or requirement in the Responded By field.

Save your answers periodically and Save and Close when you are done. You can return to the Server Function ID Worksheet by selecting edit.

TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see the Appendix VIII Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125.

Phase C - Step 5: Complete the PAN Scan Verification Worksheet

During the deep scanning process used by the PCI Data Collector and the Push Deploy Tool, the scanners search for Primary Account Number (PAN) data that may be stored in files throughout the assessed IT environment. The Primary Account Number (PAN) Scan Verification Worksheet contains a list of the locations where files containing what appears to be Cardholder Data have been identified on a workstation or a server. In this step, you review this list of file locations, and the actual documents themselves, to determine whether or not each file contains Cardholder Data. Any false positives should be documented.

To access the PAN Scan Verification Worksheet, select the edit option available within the InForm section of the Network Detective's PCI Module, as seen here:

Upon editing the PAN Scan Verification Worksheet, the following window is presented:

At this point in the process, the worksheet may present a list of files, stored on a number of servers and workstations, that are suspected of containing PAN data. These files were identified during a deep scan PAN search. Any file that the PAN scanner deems to contain cardholder data is logged, together with the file's location and the suspected PAN itself. The locations of the files suspected of containing PAN data that were identified on one or more workstations and/or servers are listed in the PAN Scan Verification Worksheet.

The PCI risk assessment process requires that each of the identified files and its associated PAN data be inspected. You then document whether the suspected PAN data is an actual card number or a false positive. This is done by responding Yes or No to a question asking whether the file found on a particular workstation or server contains Primary Account Numbers (i.e. PANs).

To document the responses to the Instructions/Questions presented in this worksheet:

1. Select and Review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the survey.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual that responded, or provided the information needed to respond, to the topic's question or requirement in the Responded By field.

Save your answers periodically and Save and Close when you are done. You can return to the PAN Scan Verification Worksheet by selecting edit.

TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see the Appendix VIII Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125.
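As an added example, not part of Network Detective or the PCI Module, the following Python script shows how a reviewer can triage the files the PAN scanner flagged before recording the Yes/No response: it re-extracts each 13 to 19 digit candidate, applies the Luhn mod-10 check that every real payment card number satisfies, flags obvious placeholders, and writes only a masked form of the number into the worksheet record so the verification evidence never stores a full PAN. The file paths and contents are constructed samples, and the function names are this example's own.

```python
"""Triage helper for the PAN Scan Verification Worksheet.

Added example, not part of Network Detective or the PCI Module. It takes the
files the PAN scanner flagged, re-extracts each 13 to 19 digit candidate,
applies the Luhn mod-10 check that every real payment card number satisfies,
and produces a worksheet row holding only a masked form of the number, so the
verification evidence itself never stores a full PAN.
"""
import re

# 13 to 19 digits, optionally grouped with single spaces or dashes, bounded so
# that a longer digit run (serial numbers, hashes) is not sliced into a "PAN".
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string satisfies the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the most PCI DSS Requirement 3.3
    permits to be displayed; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def triage(raw):
    """Suggest the worksheet Response (Yes/No) for one scanner hit, with a note."""
    digits = re.sub(r"[ -]", "", raw)
    if len(set(digits)) == 1:
        return "No", "single repeated digit: placeholder or template text, not a PAN"
    if not luhn_valid(digits):
        return "No", "fails Luhn check: likely an order, invoice or serial number"
    return "Yes", "Luhn-valid: open the file and confirm before recording the response"


def build_worksheet_rows(suspect_files):
    """One row per (file, suspected PAN): file, masked number, response, note."""
    rows = []
    for path, content in suspect_files.items():
        for match in CANDIDATE_RE.finditer(content):
            digits = re.sub(r"[ -]", "", match.group())
            response, note = triage(match.group())
            rows.append({"file": path, "pan_masked": mask_pan(digits),
                         "response": response, "note": note})
    return rows


# Constructed sample of scanner hits (path -> file text); none of it is real data.
# 4111 1111 1111 1111 is a widely published test number, not a live card.
SAMPLE_SUSPECT_FILES = {
    r"\\WS-ACCT-01\Users\jdoe\orders_2015.csv":
        "order_id,amount\n1234567890123456,19.99\n",
    r"\\SRV-FILE\Shared\refunds.txt":
        "Refund for card 4111 1111 1111 1111 processed 2015-05-11\n",
    r"\\WS-POS-03\Temp\template.txt":
        "card number: 0000 0000 0000 0000\n",
    r"\\SRV-FILE\Shared\assets.txt":
        "asset serial 12345678901234567890 (20 digits, not a PAN)\n",
}

if __name__ == "__main__":
    for row in build_worksheet_rows(SAMPLE_SUSPECT_FILES):
        print(f"{row['file']}\n  PAN: {row['pan_masked']}  Response: {row['response']}  "
              f"Note: {row['note']}")
```

A Luhn-valid hit still has to be confirmed by opening the file, since invoice and serial schemes occasionally pass the checksum by chance; the script only narrows the list and keeps the recorded evidence masked.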

Phase C - Step 6: Complete the External Port Security Worksheet

The External Port Security Worksheet contains a list of the external ports that were identified during the External Vulnerability Scan phase of the automated data collection. In the worksheet, you document the business justification for each external port's usage and whether or not the port is considered an insecure port.

To access the External Port Security Worksheet, select the edit External Port Security Worksheet option available within the InForm section of the Network Detective's PCI Module assessment window:

Upon editing the External Port Security Worksheet, the following window is presented:

To document the responses to the Instructions/Questions presented in this worksheet:

1. Select and Review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the survey.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual that responded, or provided the information needed to respond, to the topic's question or requirement in the Responded By field.

Save your answers periodically and Save and Close when you are done. You can return to the External Port Security Worksheet by selecting edit.

TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see the Appendix VIII Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125.

Phase C - Step 7: Complete the PCI Verification Worksheet

The PCI Verification Worksheet contains a list of PCI compliance assessment issues flagged by the PCI Module as concerns that require you to provide additional information, either to ensure that risks are identified or to establish that system components, security measures, and software are PCI compliant. The issues may include, to name a few: web-based management interfaces and their security, cardholder data environment (CDE) firewall configuration, network diagram verification, security features associated with the use of insecure protocols, and anti-virus verification.

To access the PCI Verification Worksheet, select the edit PCI Verification Worksheet option available within the InForm section of the Network Detective's PCI Module, as seen here:

Upon editing the PCI Verification Worksheet, the following window is presented:

To document the responses to the Instructions/Questions presented in this worksheet:

1. Select and Review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the survey.
4. Enter any Notes relevant to the topic's response.
5. Enter the name of the individual that responded, or provided the information needed to respond, to the topic's question or requirement in the Responded By field.

Save your answers periodically and Save and Close when you are done. You can return to the PCI Verification Worksheet by selecting edit.

TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see the Appendix VIII Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125.

PHASE D DOCUMENT EXCEPTIONS

Complete the Compensating Controls Worksheet (Optional)

The Compensating Controls Worksheet is an optional worksheet that compiles the issues discovered by the PCI Data Collector, the Questionnaires, and the Assessment Worksheets used throughout the PCI assessment process, so that security exceptions can be specified along with the Compensating Controls that manage those exceptions.

To access the Compensating Controls Worksheet, select the edit Compensating Controls Worksheet option available within the InForm section of the Network Detective's PCI Module, as seen here:

Upon editing the Compensating Controls Worksheet, the following window is presented:

Exceptions are grouped by PCI Data Security Standard (PCI DSS) Requirement category.

1. Select and Review the Topic.
2. Review the Instructions. Instructions provide guidance and are not included in the reports.
3. Enter the Response. A Response must be given for each entry to complete the survey.
4. Enter the person providing the information concerning the Compensating Control in the Responded By field.
5. Enter any Notes relevant to a particular Compensating Control topic's response.

Please note that the Compensating Controls Worksheet is the only worksheet that does not require a response for each and every topic. Enter your Response if applicable; otherwise, leave the entry blank. Click Save or Save and Close when you are done. You can return to the Compensating Controls Worksheet by selecting edit.

TIME SAVINGS TIP: To learn more about how to save time completing Questionnaires and Worksheets, please see the Appendix VIII Time Saving Features to Reduce Questionnaire and Worksheet Completion Time section found on page 125.

GENERATING REPORTS

To generate reports, open an assessment and scroll down to the Reports section of the assessment's Assessment Window. At the bottom of the Network Detective desktop's Assessment Window, the reports displayed in black text (as opposed to gray text) can be generated. To generate a report, click on the Generate button, and the following window will be displayed:

PCI Assessment reports are found under the PCI tab of the Select Reports to Generate window. If you own other modules of Network Detective, additional reports may be available to you and can be viewed for selection by clicking each tab within the Select Reports to Generate window. To generate the reports and various supporting documents, select the PCI tab and then select the reports and documents that you would like to generate. Select your reports, click Next, and continue through the Customize Your Reports process until the reports and documents are generated.

Customize Your Reports

Reports can be customized, including logos, design themes, and cover images. Enter your information, upload your logo, choose a theme, and select or upload cover images. Then select Generate. After the reports are generated, the following window is displayed, presenting the PCI folder containing the report document files:

To view a list of the report files, the supporting worksheets, and the questionnaires, double click on the PCI folder:

The Supporting Documents folder contains copies of all of the worksheets and questionnaires that you completed throughout the PCI assessment process.

Using the Reports

There are a number of reports that are produced as a result of an assessment using the PCI Module. In general these reports fall into three document categories:

- Risk assessment and management plans
- Evidence of PCI compliance (including an evidence cross-reference to the specific PCI Requirements)
- Supporting documents consisting of the completed questionnaires and worksheets used during the assessment process

Risk Assessment and Management Plans

The following are the risk assessment and management plan reports.

PCI Policy and Procedure Document

The Network Detective PCI Policy and Procedures guide includes suggested PCI policies and procedures required for compliance. Policies are rules that an organization adopts stating that it will do something. The guide includes suggested policies and references the specific PCI requirements behind them. Also provided are suggestions for procedures to implement in order to comply with the policies. Policies, procedures, and end-user training are effective tools to protect against data breaches: they are required for compliance, but they are also important lines of defense against data breaches.

PCI Risk Analysis

The Payment Card Industry Data Security Standard (PCI DSS) is an actionable security framework to help Merchants that accept credit/debit cards prepare for, prevent, detect, and respond to security breaches. Per PCI Requirement 12.2, an annual Risk Assessment is a key requirement that must be met to comply with PCI. The Risk Assessment must identify the vulnerabilities in the security of the Cardholder Data Environment (CDE) and the threats that can act on those vulnerabilities, including the likelihood of each threat and its impact if it occurs.

The Risk Analysis helps Merchants that accept credit/debit cards, and their Service Providers, to identify the locations of their protected data and how the data moves throughout the organization. It identifies what protections are in place and where more are needed. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of Cardholder Data that is stored or in transmission.

PCI Risk Profile

A Risk Analysis is a snapshot in time, while compliance is an ongoing effort. The Network Detective PCI Risk Profile updates a Risk Analysis to show progress in avoiding and mitigating risks. Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis, documents progress in addressing previously identified risks, and finds new ones that may otherwise have been missed and resulted in a data breach.

PCI Management Plan

Based on the findings in the Risk Analysis, the organization must create a Risk Management plan with the tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Network Detective provides a risk scoring matrix that an organization can use to prioritize risks and appropriately allocate money and resources. The Risk Management plan defines the strategies and tactics the organization will use to address its risks.

Cardholder Data Environment (CDE) Network Diagram and Details Report

This report allows you to completely visualize how system components are connected within the Cardholder Data Environment (CDE) being assessed. This high-level report shows a layer 2/3 diagram and mapping with section blow-ups that list all major network devices, and segmented diagrams of connected devices. Additional information is also provided to identify which operating systems and device types were found. This report is only available when using Inspector.

CDE details include a list of all discovered computers and network devices, including those for which connectivity information could not be found (denoted in gray text within the report). Connectivity information may be unavailable because the computer itself did not respond, or because of other "hidden" network devices (i.e., network devices that did not respond to SNMP requests). This report is only available to PCI Module users that are also using Inspector as part of the PCI assessment process.

Evidence of PCI Compliance

Just performing PCI-compliant tasks is not enough. Post-breach forensic audits and investigations may require evidence that compliant tasks have been followed. Therefore it may be advantageous to keep PCI compliance evidence for a number of years after compliance has been documented, or after a security-related event or incident occurs. Documentation can be in different forms and stored in various systems. The keys to proper documentation are that it can be accessed, and that it contains enough detail to satisfy a forensic auditor or investigator.

Documented Questionnaires and Worksheets

PCI Pre-scan Questionnaire

This worksheet contains responses to questions that required investigation outside of an automated scan at the beginning of the assessment process.

Post-Scan Questionnaire

The Post-Scan Questionnaire contains the documented responses to a list of questions that were formulated based on the results of the scans that were performed.

Cardholder Data Environment ID Worksheet

The Cardholder Data Environment (CDE) Identification Worksheet takes the list of computers and devices gathered by the initial Data Collection process and records which of those computers the assessor identified as storing, accessing, or transmitting Cardholder Data.

Deep Scan Selection Worksheet

The PCI Deep Scan includes a Primary Account Number (PAN) scanner used to identify files that are suspected of containing Cardholder Data. This scan should be run on all computers in the Cardholder Data Environment (CDE) that can be accessed, along with a sampling of computers outside the CDE. This worksheet documents the computers that should be scanned with the PCI Deep Scan.

User Identification Worksheet

The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether each is an employee or a vendor (i.e. Service Provider). Users who should have been terminated, and should have had their access terminated, can also be identified. This is an effective tool to determine whether unauthorized users have access to protected information. It is also a good indicator of the effort the organization makes to ensure that terminated employees and vendors have their access quickly disabled. Another benefit is that you can review the user list to identify generic logons, such as Sales, Customer Service, Billing Office, etc., which are not allowed by PCI, since each user that handles Cardholder Data is required to be uniquely identified. To save time, the system allows you to enter default settings for all users and change only the individual users that need it.

Antivirus Capability Worksheet

This worksheet enables the PCI readiness specialist to inspect and document the Antivirus Software deployed on computers throughout the Cardholder Data Environment (CDE). PCI compliance requires that Antivirus Software is set up so that it:

- Cannot be disabled or altered by users
- Is running at all times
- Updates on a regular basis
- Performs scans on a regular basis
- Generates audit logs of Antivirus protection activity, retained per PCI DSS Requirement 10.7

Necessary Function ID Worksheet

The Necessary Functions Identification Worksheet contains the documented need for the services, drivers, and features that are installed and/or running on servers and workstations operating within the CDE scanned by the PCI Module.

Server Function ID Worksheet

Per PCI DSS Requirement 2.1.1, only one function per server can be implemented, in order to prevent functions that require different security levels from co-existing on the same server. The Server Function Identification (SFI) worksheet enables the PCI readiness specialist to document server roles (web server, database server, DNS server, etc.) and the functions activated on each server (real/physical or virtual) within the Cardholder Data Environment (CDE). The benefit of using this worksheet is that it enables the PCI readiness specialist to productively assess and document the inventory of servers, their roles, and their activated functions within the Cardholder Data Environment (CDE), to assess compliance with PCI DSS 2.1.1 and produce the necessary Evidence of Compliance.

PAN Scan Worksheet

The PAN Scan Worksheet lists all files found during the PCI Deep Scan of the system that potentially contain Primary Account Numbers (PANs). This worksheet is used to confirm or deny that the identified files contain Cardholder Data, and to mark false positives.

External Port Security Identification Worksheet

During the External Vulnerability Scan, a set of listening ports may be detected. Per PCI requirements, the business justification and security of each port must be documented. The worksheet records the documented business justification for each external port's usage and any necessary references to whether or not the port is considered an insecure port.

PCI Verification Questionnaire

The PCI Verification Worksheet contains a list of PCI compliance assessment issues that were flagged by the PCI Module throughout the assessment process as concerns that required additional information to be documented. This additional documentation was necessary to address risks that were identified, or to establish that system components, security measures, and software are PCI compliant. The issues may include, to name a few: web-based management interfaces and their security, cardholder data environment (CDE) firewall configuration, network diagram verification, security features associated with the use of insecure protocols, and anti-virus verification.

Compensating Controls Worksheet (CCW)

This worksheet is used to present the details associated with security exceptions and how Compensating Controls will be, or have been, implemented to enable PCI compliance. It allows the PCI Compliance readiness specialist to document explanations for suspect items, including why various discovered items are not true issues and are possible false positives. These exceptions can be documented item by item (for example, at the granularity of users, ports, applications, etc.). The Compensating Controls Worksheet compiles the issues discovered by the PCI Compliance Data Collection, including the completed questionnaires and worksheets.

The benefit of this feature is that it adds the human element back into the assessment and allows for the explanation of special circumstances and specific environment requirements. The Compensating Controls Worksheet does not remove the need for safeguards, but allows for the description of alternative means of mitigating the identified security risk. The process is consistent with industry-standard PCI assessment and risk management processes.

External Vulnerability Scan Detail Report

The External Vulnerability Scan Detail Report shows the result of a vulnerability scan performed against the external (Internet-facing) IP addresses.

Appendix I Group Policy Reference

Foreword and Introduction

Some networks are more restrictive than others, and in some cases the Network Detective Data Collector may query a device and have the request blocked, or have it return less information than is required. To obtain more information, Group Policies can be modified, or a Local Data Collection can be performed to fill in the blanks. This document is a reference for modifying Group Policies, and indicates which Group Policies are needed to ensure a full data collection. This document is for reference only; RapidFire Tools is in no way responsible for, or able to assist with, any modifications to Group Policies made via this document. If you choose to make changes, perform a backup first, only make changes once you've assessed the overall impact, and of course, exercise caution.

Policies for Windows Firewall

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

- Windows Firewall: Allow ICMP exceptions - Enabled; Allow inbound echo request
- Windows Firewall: Allow file and printer sharing exception - Enabled; Allow unsolicited incoming messages from local subnet
- Windows Firewall: Allow remote administration exception - Enabled; Allow unsolicited incoming messages from local subnet
- Windows Firewall: Allow local port exceptions - Enabled
- Windows Firewall: Define inbound port exceptions - TCP: 135, 139, 445; UDP: 137, 138
- Windows Firewall: Allow Remote Desktop exception - Enabled; Allow unsolicited incoming messages from local subnet

Policies for Windows Services

Computer Configuration > Windows Settings > Security Settings > System Services

- Windows Management Instrumentation (WMI) - Startup Type: Automatic
- Remote Registry - Startup Type: Automatic
- Remote Procedure Call (RPC) - Startup Type: Automatic

3rd-Party Firewalls and Group Policy Considerations

- 3rd-party firewalls should be disabled or configured similarly to Windows Firewall.
- Machines automatically refresh policies every 60-120 minutes, but rebooting a machine or manually running gpupdate /force will update policies more quickly.

Appendix II Site Assessment Reports and Supporting Documents Locations

The report document files produced by the PCI Module are stored in a compressed folder located on the hard disk of the computer running the PCI Module. For example, the figure below illustrates the location of the Assessment Report folder for a PCI assessment of a site named Customer G. In the folder path shown in the Windows Explorer folder window displayed below, Customer G refers to the PCI assessment's Site Name associated with the actual assessment. To access the reports, double click on the assessment reports folder, which is a Compressed folder (aka a zipped folder). In this example the assessment reports folder is named Assessment 20150511-Reports. Windows Explorer will then display a folder named PCI, as shown below.

The PCI folder is the location where the PCI assessment's report documents, PCI Evidence of Compliance, and supporting questionnaire and worksheet documents are stored. Upon double clicking the PCI folder in Windows Explorer, the reports and supporting documents for the assessment are available for viewing and editing. Opening the Supporting Documents folder will provide access to all of the supporting documents, as seen below.


Appendix III PCI Risk Profile Use for Ongoing PCI Compliance Assessments

A PCI Risk Analysis should be done no less than once a year. However, Network Detective includes an abbreviated version of the PCI Risk Analysis assessment and reporting process within the Network Detective PCI Module. This process is called the PCI Risk Profile. The PCI Risk Profile is designed to provide interim reporting in a streamlined and almost completely automated manner. Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis, documents progress in addressing previously identified risks, and finds new ones that may otherwise have been missed and resulted in a data breach. An important prerequisite for this abbreviated process is that the PCI Module has already been used to perform a PCI Risk Assessment of your customer's Cardholder Data Environment (CDE) on a previous occasion.

Appendix IV Adding an Inspector to a Site

From the Site's dashboard, select Add from the Inspectors bar. Select the Inspector ID of the Inspector from the drop-down menu. Note that the Inspector ID can be found on a printed label on the Inspector Appliance.

After successfully adding an Inspector, it will appear under the Inspectors bar in the Site's dashboard. To view a list of all Inspectors and their associated Sites, navigate to the Inspector tab from the top bar of the Home screen. This will show a summary of all Inspectors, their activity status, and other useful information. To return to the Site that you are using to perform your assessment, click on Home above and select that Site.

Appendix V Key Terminology

Cardholder Data (1) - At a minimum, the full Primary Account Number (PAN). Cardholder data may consist of the full PAN, cardholder name, expiration date, and/or the service/security code.

Cardholder Data Environment (2) - The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

CDE (3) - The acronym for Cardholder Data Environment.

Primary Account Number (4) - Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Often referred to as Account Number.

PAN (5) - The acronym for Primary Account Number.

(1-5) Source: Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms, last modified 2015, https://www.pcisecuritystandards.org/security_standards/glossary.php#c

Appendix VI Run the PCI Computer Data Collector Quick Local Computer Scan A full PCI assessment requires running the Local Computer Data Collector on all computers. When computers are unreachable during the Push Quick Local Scan process undertaken using Inspection, the PCI Data Collector should be used to perform the scan on each of these computers. NOTE: THIS LOCAL COMPUTER SCANNING PROCESS USING THE PCI DATA COLLECTOR RUNNING ON THE LOCAL MACHINE IS ONLY USED WHEN INSPECTOR IS USED WITH THE PCI MODULE AND ON UNREACHABLE COMPUTERS Step 1 Install the PCI Data Collector To perform a local computer scan, download and run the PCI Data Collector. It is a selfextracting ZIP file that does not install on the client computer. Use the unzip option to unzip the files into a temporary location and start the collector. The Computer Scan will augment data collection when remote protocols are not available from a computer. A full PCI assessment requires running the Local Computer Data Collector on all computers. Select PCI Local Computer Data Collector option and set the Local PCI Scan Type to Quick. Click on the Next button. 110

Step 3 Verify and Run the Scan The Verify and Run window will be displayed. The Verify and Run window enables you to change the output location for the scan data, change the name of the file, and add comments. After setting the Output Assessment File s folder location, the Basename of the scan s output file, and adding a Comment, select Start to initiate the scan. Step 4 Monitor Collection Progress The Collection Progress window will be displayed during the scan process. 111

Track the scan's progress through the Collection Progress window. At any time you may Cancel Data Collection without saving any data. You may select Wrap It Up to stop a scan and use the incomplete data that was collected. Upon completion of the scan, the Finish window will be displayed. Note the scan output file's location and click on the Done button to complete the process.

Step 5 Import the PCI Computer Scan Data from the Local Computer Scan
The final step in this process is to import the data collected during the PCI Computer Scan. Click on the Import File button. The Open Network Assessment Data File window will be displayed. This Import File process enables you to import the .pci scan file and the .sdf file produced by the PCI Computer Data Scan into the Risk Assessment being performed. If a wireless network was accessible from the computer being scanned, the PCI Computer Data Scan will also produce a .wdf file containing scan data about the available wireless networks. If the .wdf file is produced, it must be included in the import process.

During the import of these files, the PCI Local Computer Scan data must be merged with the PCI Network Scan data that was previously produced and imported. Selecting the Open button in the Open Network Assessment Data File window will display the Network Detective Merger window.

Select the Merge Now button to perform the import and data merge process. The Scan Archive Created window will be displayed, indicating that the Merge (import) process is complete.

Next, select the Finish button in the Scan Archive Created window. After all of the PCI Computer Scan output files collected by the PCI Data Collector have been imported, the Assessment Window will update the status of the scan files included within the assessment. These assessment status and Checklist updates include an expanded list of Imported Scans, new InForm Worksheets or Questionnaires, and an updated Checklist document that you can review to see the next steps in the assessment process.

The next step is to complete the Gate 1 Completion Verification Worksheet as instructed in Phase A - Step 6: Complete the Gate 1 Completion Verification Worksheet, found on page 48.

Appendix VII Run PCI Deep Scan Using the PCI Data Collector

A full PCI Deep Scan assessment requires running the Local Computer Data Collector on all computers in Deep mode.

Step 1 Install the PCI Data Collector
Download and run the PCI Data Collector. It is a self-extracting ZIP file that does not install on the client computer. Use the unzip option to unzip the files into a temporary location and start the collector. The Scan Type window will be displayed. The PCI Deep Scan augments data collection when remote protocols are not available from a computer.

Step 2 Configure PCI Local Computer Data Collection and Deep Scan
Select the PCI Local Computer Data Collector option and set the Local PCI Scan Type to Deep. Click on the Next button.

Step 3 Verify and Run the Scan
(Optional) Change the output location for the scan data, change the name of the output file, and add comments. Then select Start to initiate the scan.

Step 4 Monitor the Scan Progress
Track the scan through the Collection Progress window. At any time you may Cancel Data Collection without saving any data. You may select Wrap It Up to stop a scan and use the incomplete data that was collected.

Step 5 Finish and View Scan Output Files
To view the output files of the PCI Deep Scan, click on the Open Folder button. Click on Done to complete the scan process.

Clicking on the Open Folder button starts Windows Explorer and presents the output files in the Explorer window.

Importing the PCI Computer Deep Scan Data
The final step in this process is to import the data collected by the PCI Data Collector during the Deep scan. To import the scan data, click on the Import File button within the Imported Scans section of the Assessment Window. The Select Scan Results window will be displayed. This window enables you to browse for, select, and import the deep scan's .pcd scan file into the Assessment.

Click on the Browse button in the Network Detective Wizard to select the scan data file to import. The Open Network Assessment Data File window will then be displayed.

Select the file that you would like to import and click the Open button. The Select Scan Results window in the Wizard will then show the name of the file selected for import. Select the Next button to start the import (data merge) process.

Select the Merge Now button. Depending on the number of machines surveyed, the merge could take a few minutes. At the end of the process the Scan Archive Created window will be displayed, indicating that the Merge (import) process is complete.

Next, select the Finish button in the Scan Archive Created window. On reviewing the Imported Scans list within the Assessment Window, the .cdf, .sdf, and .wdf files will have been added and/or updated to provide the Computer Scan, Security Scan, and Wi-Fi Scan data collected by the PCI Data Collector's Deep scanning process. In addition, the Gate 2 Completion Worksheet may be added to the list of questionnaires and worksheets in the InForm section of the Assessment Window.
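Before importing, it is worth confirming on the scanned machine that the collector actually wrote the files the two procedures above say to import (Appendix VI: the .pci and .sdf files, plus a .wdf file whenever a wireless network was visible; Appendix VII: the .pcd file), and recording their hashes so the scan output can be tied to the assessment's evidence later. The following PowerShell function is an added example written for this page; it is not part of the PCI Data Collector or any RapidFire Tools code. It assumes that the output files share the Basename chosen in the Verify and Run window and differ only by extension, and that the extensions are exactly the ones this manual lists; the folder and basename in the usage lines are placeholders. It does not invoke the collector itself.

```powershell
# Added example, not RapidFire Tools code. Verifies that a PCI Data Collector run
# produced the files the manual says to import and records their SHA-256 hashes.
# Assumptions (taken from this manual, not from the product's documentation of
# its file formats): output files are <Basename><extension> in the chosen folder;
# Quick scans produce .pci and .sdf (and .wdf only when Wi-Fi was in range);
# Deep scans produce .pcd.
function Test-PciCollectorOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OutputFolder,
        [Parameter(Mandatory)][string]$Basename,
        [Parameter(Mandatory)][ValidateSet('Quick', 'Deep')][string]$ScanType
    )

    # Which extensions must exist, and which are allowed but optional.
    $expected = switch ($ScanType) {
        'Quick' { @{ Required = @('.pci', '.sdf'); Optional = @('.wdf') } }
        'Deep'  { @{ Required = @('.pcd');         Optional = @() } }
    }

    $result = [ordered]@{ Ready = $true; Files = @(); Missing = @() }

    foreach ($ext in ($expected.Required + $expected.Optional)) {
        $path = Join-Path $OutputFolder ($Basename + $ext)
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Hash now, on the scanned machine, so a later copy can be checked
            # against what the collector originally wrote.
            $result.Files += [pscustomobject]@{
                Path   = $path
                Bytes  = (Get-Item -LiteralPath $path).Length
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
        elseif ($ext -in $expected.Required) {
            # A required file is absent: do not proceed to Import File yet.
            $result.Missing += $path
            $result.Ready = $false
        }
    }

    [pscustomobject]$result
}

# Usage (placeholder folder and basename): run after the Finish window shows the
# output location and before clicking Import File in the Assessment Window.
$check = Test-PciCollectorOutput -OutputFolder 'C:\NDTemp' -Basename 'WS-ACCT-07' -ScanType Quick
if ($check.Ready) {
    $check.Files |
        Export-Csv -LiteralPath (Join-Path 'C:\NDTemp' 'WS-ACCT-07-hashes.csv') -NoTypeInformation
} else {
    Write-Warning ('Scan output incomplete; missing: ' + ($check.Missing -join ', '))
}
```

A missing .wdf file is not reported as a problem, because the manual says it is produced only when a wireless network was reachable; a missing .pci, .sdf or .pcd file is, since the import will be incomplete without it. Keep the exported hash list with the assessment: if a scan file is later copied between the scanned machine and the machine running Network Detective, re-running Get-FileHash on the copy and comparing it to the recorded value shows whether the evidence arrived intact.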