COMPLIANCE AND SECURITY INFORMATION MANAGEMENT FOR PCI DSS REQUIREMENT

Document created by Ishtiyaq Shah Employee on Mar 22, 2016
Version 1Show Document
  • View in full screen mode

In Today's highly competitive environment, business owners are constantly required to ensure their services and offerings are audited and reported for compliance and regulation conformance. Below is an attempt to understand how RSA portfolio helps map such requirements to help monitor PCI-DSS controls with use of technology deployments.

 

Introduction

The Payment Card Industry (PCI) Data Security Standard (DSS) imposes a broad range of reporting requirements, which become of paramount importance during the annual PCI DSS audit. In addition, through Requirement 10, PCI DSS specifically requires that merchants, banks and payment processors “track and monitor all access to network resources and cardholder data.”

As businesses step back and recognize the reporting and monitoring implications of the PCI DSS, the following question arises: “While compliance is critical, how my organization can become more proactive than reactive, and how can we ensure that time and resource investments will extend beyond our PCI DSS initiative?”

Moving Beyond Compliance with RSA Technology

  • Violations of policy and security happen without warning. Regardless of whether these are innocent mistakes or illegal attempts at accessing private information, you need immediate visibility into such behaviors in order to respond. Such visibility and responsiveness is critical to achieving PCI DSS compliance, and from a broader perspective, it is necessary to ensure all of your organization’s private business, customer and partner information is secure.
  • RSA Security Analytics gives security teams the ability to collect and use endpoint and network data, in addition to logs, to spot incidents that logs alone can’t. RSA Security Analytics also provides out–of-the-box reporting, intelligence and rules to let security teams start finding incidents immediately without weeks of configuration and customization.
  • RSA Security Analytics has over 90 report templates covering dozens of major regulatory requirements like SOX, HIPAA & PCI, eliminating the tedium from generating compliance reports.

Moving Beyond Compliance

 

Beyond PCI compliance, RSA Security Analytics does away with the business data silos that are created in many organizations. It collects, analyzes and manages all the data, and provides a platform that helps inform virtually anyone in your organization. Not only will compliance auditors have a complete set of data to meet compliance issues, but risk management and security operations can see security alerts in real time. And everyone from desktop operations, to the help desk, to applications management and network management personnel can access the reports they need at any time.

  • RSA Security Analytics leverages the Netwitness Database (NWDB) for collecting and analyzing your company’s compliance and security information. The Netwitness NWDB maintains a digital chain of custody for all data that assures that once data is committed to the database, it can never be altered–unlike most data schemas used in relational database management system (RDBMS)-based solutions.
  • RSA Security Analytics provides a single monitoring platform to gain the visibility organizations need, combining logs (both from cloud environments and on premise), network (both packets and NetFlow) and endpoint visibility to see what is happening across the enterprise. This makes it easier to view the environment in totality, rather than in piecemeal, making the analyst more efficient with a much greater chance of detecting attacks. Since all these capabilities are in a single tool, there is also less deployment risk due to incompatibility and cross-product integration.

Key Platform Benefits

With RSA Security Analytics technology, you will have the opportunity to:

  • Detect and analyze even the most advanced of attacks before they can impact the business
  • Investigate, prioritize, and remediate incidents with unprecedented precision and speed.
  • Unleash the potential of the existing security team to get the upper hand on attackers
  • Evolve existing SIEMs and monitoring toolset with better visibility and workflow

 

PCI DSS Requirement and RSA Security Analytics

PCI DSS requirement 10 states that companies must “track and monitor all access to network resources and cardholder data.” RSA Security Analytics enables customers to ease the audit process by establishing a centralized point for tracking and monitoring access to cardholder data throughout a PCI environment. Specific capabilities RSA Security Analytics delivers which address the PCI DSS standard include;

PCI DSS REQUIREMENT

RSA ASOC CAPABILITY

Requirement 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

RSA Security Analytics enables customers to track administrative user activity and provides oversight to help verify a user is acting in accordance with established policy. Additionally, the system may send an alert to a user’s supervisor if behaviors violate policy.

RSA Security Analytics  offers out-of-the-box reporting that displays all successful administrative privilege escalations on monitored UNIX and Linux systems.

Report: “PCI–Administrative Privilege Escalation–UNIX/Linux”

Requirement 10.2 Implement automated audit trails for all system components to reconstruct the following Events

RSA Security Analytics appliance helps companies to implement automated audit trails that detail user access to cardholder data, actions taken by users with root/administrative privileges, access to audit trails, invalid logical access attempts, use of  identification/authentication mechanisms, audit log initialization and creation/deletion of system-level objects.

Requirements(2.1, 2.2, 2.2.2, 2.2.3, 2.2.4) Standardized images should  represent hardened versions of the underlying operating system and the applications installed on the system, such as those released by the NIST, NSA, Defense Information Systems Agency (DISA), Center for Internet Security (CIS), and others. This hardening would typically include removal of unnecessary accounts, as well as the disabling or removal of unnecessary services. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and erecting host-based firewalls.

 

RSA ECAT enables security teams to :

  • Monitor & alert in real-time:
  • Gain a MRI view through unique scan techniques
  • Collect a full inventory & profile of the endpoint in a matter of minutes with no impact to end users
  • Automatically scan when unknown files load

Requirement 10.2.1 All individual user accesses to cardholder data.

RSA SA delivers built-in reporting capabilities that display all successful file access attempts to file objects in the “Cardholder Data” device group; this device group is a subset of the PCI device group, and should contain only the servers used in the storing of cardholder data.

Report: “PCI: Individual User Accesses to Cardholder Data–Windows”

Requirement 10.2.2 All actions taken by any individual with root or administrative privileges

RSA SA enables customers to report on all actions taken by users logged in as “root.” In  addition, organizations may customize this report to include any additional usernames that have been granted full user monitoring administrative privileges in your environment.

Report: “PCI–All Actions by Individuals with Root or Administrative Privileges–UNIX/Linux” RSA SA reporting enables customers to monitor all actions taken by users logged in as “Administrator.” Customers may further bolster security by including any additional usernames that have been granted full administrative privileges in your environment.

Report: “PCI–All Actions by Individuals with Root or Administrative Privileges–Windows”

Requirement 10.2.3

Access to all audit trails

RSA SA offers built-in reports that enable customers to easily monitor all successful logins to RSA Security Analytics.

Report: “PCI–Access to All Audit Trails”

Requirement 10.2.4

Invalid logical access Attempts

RSA SA enables customers to easily report all access attempts that have been denied due to access control list restrictions.

Report: “PCI–Invalid Logical Access Attempts–ACL Denied Summary”

Requirement 10.2.5

Use of identification and authentication mechanisms

RSA SA may enable organizations to easily view a report detailing all users accessing the PCI device group that authenticate using RSA Authentication Manager servers.

Report: “PCI–Use of Identification and Authentication Systems–RSA”

Requirement 10.2.6

Initialization of the audit logs

RSA SA delivers out-of-the-box reports which provide a view into the initialization of audit logs in Windows, UNIX, Linux, AIX and HPUX operating systems.

Report: “PCI–Initialization of Audit Logs”

Requirement 10.2.7

Creation and deletion of system-level objects

RSA SA reporting capabilities enable customers to view the deletion of all system-level objects in monitored Windows systems, run against the “PCI” device group.

Report: “PCI–Deletion of System-level Objects–Windows”

Requirement 10.3

Record at least the following audit trail entries for all system  components for each event

RSA SA will record the events as reported by associated devices. In addition, RSA SA saves event metadata, which may be analyzed and revised to determine type of event.

Requirement 10.3.1

User identification

RSA SA enables organizations to record user identification information for each event associated

with the PCI device group.

Requirement 10.3.2

Type of event

RSA SA enables organizations to identify event-type information for each event associated with the PCI device group. If the device does not report event type, RSA SA still supports reporting by saving metadata that may be analyzed and revised to determine type of event.

Requirement 10.3.3

Date and time

RSA SA enables organizations to record date and time information for each event associated with the PCI device group.

Requirement 10.3.4

Success or failure indication

RSA SA enables organizations to record success/failure indication information for each event associated with the PCI device group.

Requirement 10.3.5

Origination of event

RSA SA enables organizations to record event origination information for each event associated with the PCI device group.

Requirement 10.3.6

Identity or name of affected data, system component, or resource

RSA SA enables organizations to record the name or other identity of affected systems, data, components or other PCI resource.

Requirement 10.5

Secure audit trails so they cannot be altered

RSA SA delivers mirrored, unfiltered data to its Netwitness Database(NWDB), which provides the ability to retain data in its original format. Further, “write once, read many” capabilities help ensure that the mirrored copy remains intact, even if the original data is compromised. RSA SA-captured event logs are stored on a hardened operating system in a compressed form and protected via lightweight encryption.

Requirement 10.5.1

Limit viewing of audit trails to those with a job-related need

RSA SA enables organizations to assign privileges so only authorized users may access and view the audit trail.

Requirement 10.5.2

Protect audit trail files from unauthorized modifications

RSA SA logs cannot be altered through the graphical user interface (GUI); changes may only occur via administrative access to the RSA SA appliance itself. In addition, RSA SA data access and archival APIs are read only, so logs may not be altered in the system.

Requirement 10.5.3

Promptly back-up audit trail files to a centralized log server or media that is difficult to alter

RSA SA enables back-ups of the audit trail to be scheduled as often as needed to a centralized log server or other media–e.g., every 10 minutes or every hour, depending on the needs of the customer. RSA SA offers a networker Backup client that allows users to schedule back-ups on a device or device group (e.g., PCI device group). Customer would have the ability, for example, to schedule PCI back-ups every 10 minutes, while devices outside the scope of PCI might be backed-up daily.

Requirement 10.5.5

Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without  generating alerts (although new data being added should not cause an alert)

RSA SA is capable of creating alerts which ensure supervisors and others are aware if any changes to the logs take place. In addition, the appliance-based RSA SA technology is based on a hardened operating system which delivers higher degrees of security.

Requirement 10.7 Retain audit trail history for at least one year, with a minimum of three months online availability

RSA SA enables organizations to record event origination information for each event associated with the PCI device group.

 

PCI DSS Reporting & Auditing and RSA SA

 

Beyond its core ability to help customers address PCI DSS Requirement 10, RSA SA technology provides a robust platform for collecting, correlating and auditing access to a wide range of PCI systems–from firewalls to wireless networks to authentication mechanisms and more. The technology helps customers to address key PCI DSS requirements by:

  • Delivering a robust set of firewall activity reports for quickly validating compliance with Requirement 1 (“Install and maintain a firewall configuration to protect cardholder data”).
  • Enabling customers to address key portions of Requirement 2 (“Do not use vendor supplied defaults for system password and other security parameters”) by easily reporting on configuration changes made to wireless environments.
  • Helping ease the process of reporting on updates to enterprise anti-virus systems in support of Requirement 5 (“Use and regularly update antivirus software”).
  • Supporting efforts to prove compliance with Requirement 6 (“Develop and maintain secure systems and applications”) by reporting on patch and service applications.

PCI DSS REQUIREMENT

RSA ASOC CAPABILITY

Requirement 1.3.2

Not allowing internal addresses to pass from the Internet into the DMZ

RSA SA delivers built-in templates which enable customers to easily report on all inbound Internet traffic on non-standard ports within the PCI device group in detail and summary form.

Report: “PCI–Inbound Internet Traffic on Non-standard Ports–Detail”

Requirement 1.3.6

Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration

RSA SA offers a built-in report that summarizes all outbound traffic by destination.

Report: “PCI–Outbound Traffic Summary”

RSA SA reports detail all outbound traffic for a specific internal IP address.

Report: “PCI–Outbound Traffic Detail by Source Address”

Requirement 2.1.1

For wireless environments, change wireless vendor defaults,  including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and  authentication when WPA-capable.

RSA SA offers built-in reporting which details all configuration changes made to wireless routers, enabling customers to easily demonstrate to an auditor that vendor defaults–including WEP keys, default SSID, password, SNMP community strings and disabling of SSID broadcasts–were changed before the wireless router was introduced to the payment-card environment.

Report: “PCI–Wireless Environment Configuration Changes”

Requirement 3.6

Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data

RSA SA delivers pre-built reports which enable customers to detail all the generation and period changing of encryption keys used in the secure storage and transfer of payment-card data as well as summarizing access control details, such as successful and failed logins, policy enforcement and regular reporting.

Requirement 4.1

Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSec) to safeguard sensitive cardholder

data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM),and general packet radio service (GPRS).

RSA SA reporting capabilities enables customers to access all cryptographic operations where the use of the cryptography failed or was disabled by the user.

Report: “PCI–Encrypted Transmission Failures”

Requirement 1.1.1

A formal process for  approving and testing all external network connections and changes to the firewall configuration

RSA SA supports compliance by delivering out-of-the-box reports that display all configuration

changes made to firewalls within the PCI device group.

Report: “PCI–Firewall Configuration Changes”

Requirement 1.1.5

Documented list of services and ports necessary for business

RSA SA delivers built in reporting to summarize all firewall traffic by port into the PCI device

  1. group.

Report: “PCI–Traffic by Port–PCI Device Group”

Requirement 1.1.6

Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL),

secure shell (SSH), and virtual private network (VPN)

RSA SA provides ready-to-run report templates that detail all firewall traffic by port to the IP address specified as a run-time parameter where the port used is not directly justified by PCI.

Report: “PCI–Traffic to Nonstandard Ports–Detail”

RSA SA reporting summarizes all firewall traffic by port by destination computer, where the port used is not directly justified by PCI.

Report: “PCI–Traffic to Non-standard Ports–Summary”

Requirement 1.1.8

A quarterly review of firewall and router rule sets

RSA SA reporting eases compliance by delivering out-of-the-box reports that display all configuration

changes made to firewalls within the PCI device group.

Report: “PCI–Firewall Configuration Changes”

Requirement 1.1.9

Configuration standards for routers

RSA SA templates enable customers to easily display all configuration changes made to routers within the PCI device group.

Report: “PCI–Router Configuration Changes”

Requirement 1.3.1

Restricting inbound Internet traffic to Internet protocol (IP)  addresses within the DMZ (ingress filters)

RSA SA reporting capabilities enable customers to automatically list all inbound Internet traffic on non-standard ports within the PCI device group in detail and summary form. Report: “PCI–Inbound Internet Traffic on Non-standard Ports–Detail”

Requirement 5.2

Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs

RSA SA offers reporting templates that make it simple for administrators and auditors to review update procedures for anti-virus systems.

Report: “PCI–Anti-virus Update Procedures”

Requirement 6.1

Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release

RSA SA delivers built-in reports that provide a view into all patch and service pack applications to Microsoft Windows-based systems.

Report: “PCI–Vendor-supplied Patch Application”

Potential RSA Solutions for PCI 3.0

 

Section 2.4

Significant change

Maintain an inventory of system components that are in scope for PCI DSS.

RSA Archer

Pre-written policies, standards, procedures & automated assessments

Section 8.5.1

Significant change

Service providers with remote access to customer premises must use a unique authentication credential for each customer.

  • RSA SecurID; RSA Adaptive Authentication
    • Two-factor / multifactor authentication using device forensics, behavioral analysis, and fraud intelligence
  • RSA Identity Management & Governance (IMG)
    • Integrates identity and access governance, provisioning and authentication to manage the complete lifecycle of user access to applications and data

Section 12.9

Significant change

Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes or transmits on behalf of the customer, or to the extent that they could impact the

security of the customer's cardholder data environment.

  • RSA Archer

Pre-written policies, standards, procedures & automated assessments

Section 5.1.2

Minor change

For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require antivirus software.

  • RSA ECAT

Detects advanced malware already resident on endpoints and enables you to quickly respond, leveraging innovative live memory analysis

  • RSA Security Analytics

Provides enterprise-wide visibility into network traffic and log event data to reduce attacker free time from weeks to hours

  • RSA Archer

Manage Threats and Vulnerabilities. Perform End to end Security Incident management

Section 8.8

Minor change

Ensure that security policies and operational procedures for identification and authentication are documented, in use and known to all affected parties.

  • RSA Identity Management & Governance (IMG)
    • Integrates identity and access governance, provisioning and authentication to manage the complete lifecycle of user access to applications and data
  • RSA Archer 
    • Pre-written policies, standards, procedures & automated assessments

Section 11.3.4

Minor change

If segmentation is used to isolate the cardholder data environment (CDE) from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.

  • RSA Adaptive Directory *

Delivers a global view of identity by providing simple, logical, standards-based access to all identities, regardless of the number of identity sources

  • RSA Advanced Cyber Defense (ACD) practice area

 

Note: This is a draft attempt and has not  been officially prepared or purchased by RSA. As i am not any PCI expert, therefore any mis-interpretations or references in this document can be highlighted and discussed. Review of this document is sought from all members to make it more valid and reproducible going forward.

 

Openly reaching out to larger community for valuable feedback.

2 people found this helpful

Attachments

    Outcomes