
Tripwire Enterprise Support of PCI DSS 1.2 Specification

Enhanced File Integrity Monitoring

Configuration Assessment
Test & Remediation Advice

File Integrity Monitoring

Detect, Analyze & Reconcile

PCI DSS Requirements (verbatim)


REQUIREMENT 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

Firewalls are computer devices that control computer traffic allowed between a company's network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company's internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees' Internet access through desktop browsers, employees' e-mail access, dedicated connection such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

1.1 Firewall and Router Configuration - Establish firewall and router configuration standards that include the following:
1.1.1 Configuration Approval and Testing Process - A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.5 Network Service Justification - Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
1.1.6 Network Device Rule Set Review Period - Requirement to review firewall and router rule sets at least every six months.
1.2.1 Allow Only Necessary Traffic - Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
1.2.2 Configuration File Maintenance - Secure and synchronize router configuration files.
1.3.1 DMZ - Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.
1.3.2 Restrict Inbound Traffic - Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 No Direct Routes to Cardholder Data - Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4 No Inbound Private Addresses - Do not allow internal addresses to pass from the Internet into the DMZ.
1.3.5 Outbound DMZ Addressing Only - Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
1.3.6 Configure Stateful Inspection - Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
1.3.8 Enable IP Masquerading - Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies, for example, port address translation (PAT).
1.4 Mobile/Employee-owned Device Firewall - Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.

Out-of-box policies

Customer specific policies

REQUIREMENT 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

2.1.0 Built-in Accounts
2.1.1 Change Wireless Vendor Defaults
2.2.1 One Function Per Server - Implement only one primary function per server.
2.2.2 Disable Unnecessary Services and Protocols - Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function).
2.2.3 System Security Configuration - Configure system security parameters to prevent misuse.
2.2.4 Remove All Unnecessary Functionality - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
2.3 Encrypt Non-console Administrative Access - Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 Segregate Third-party Cardholder Data - Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

REQUIREMENT 3: Protect Stored Cardholder Data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails. Please refer to the PCI DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of strong cryptography and other PCI DSS terms.

3.1 Minimize Cardholder Data Storage - Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
3.4.1 Cryptographic Keys Not Tied To User Account - If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to a user account.
3.5 Protect Encryption Keys - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:
3.5.1 Restrict Access - Restrict access to cryptographic keys to the fewest number of custodians necessary.
3.5.2 Storage - Store cryptographic keys securely in the fewest possible locations and forms.

3.6 Key Management Documentation - Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
3.6.1 Generation - Generation of strong cryptographic keys.
3.6.3 Secure Storage - Secure cryptographic key storage.
3.6.4 Proactive Key Aging - Periodic cryptographic key changes:
* As deemed necessary and recommended by the associated application (for example, re-keying);
* preferably automatically
* At least annually.
3.6.7 Prevent Unauthorized Key Substitution - Prevention of unauthorized substitution of cryptographic keys.

REQUIREMENT 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

4.1.0 Use Strong Cryptography and Security Protocols Over Non-wireless Networks
4.1.1 Use Strong Cryptography and Security Protocols Over Wireless - Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
* For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
* For current wireless implementations, it is prohibited to use WEP after June 30, 2010.

REQUIREMENT 5: Use and Regularly Update Anti-virus Software or Programs

Malicious software, commonly referred to as malware, including viruses, worms, and Trojans, enters the network during many business-approved activities including employees' e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.

5.2 Up-to-date Anti-virus Mechanisms - Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

REQUIREMENT 6: Develop and Maintain Secure Systems and Applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.

Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

6.1 Up-to-date Security Patches - Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
NOTE: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
6.2 Vulnerability Discovery - Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
6.3 PCI DSS Compliant Software Development - Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. These processes must include the following:
6.3.1 Testing Effects of Security Patches - Testing of all security patches, and system and software configuration changes before deployment, including but not limited to the following:
6.3.1.3 Secure Cryptographic Storage - Validation of secure cryptographic storage.
6.3.1.4 Secure Communications - Validation of secure communications.
6.3.1.5 Role-based Access Control - Validation of proper role-based access control (RBAC).
6.3.2 Segregation of Test and Development - Separate development/test and production environments.
6.3.3 Separation of Duties - Separation of duties between development/test and production environments.
6.3.5 Production System Cleansing - Removal of test data and accounts before production systems become active.
6.3.6 Production Application Cleansing - Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers.
6.4 Change Control Procedures - Follow change control procedures for all changes to system components. The procedures must include the following:
6.4.3 Functional Testing - Testing of operational functionality.

6.5 Web Application Development - Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
NOTE: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements.
6.5.2 Malicious Injection - Injection flaws, particularly SQL injection. Also consider LDAP and XPath injection flaws as well as other injection flaws.
6.5.3 Malicious File Execution
6.5.5 Cross-site Request Forgery (CSRF)
6.5.7 Broken Authentication and Session Management
6.5.9 Insecure Communications
6.6 Ongoing Threat Modeling - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

REQUIREMENT 7: Restrict Access to Cardholder Data by Business Need to Know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

7.1 Access Restrictions - Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
7.1.1 Enforce Least Privilege - Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities.
7.1.2 Role-based Privilege Assignment - Assignment of privileges is based on individual personnel's job classification and function.
7.1.3 Authorization Form - Requirement for an authorization form signed by management that specifies required privileges.
7.1.4 Automated Access Control - Implementation of an automated access control system.
7.2 Access Control System - Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
7.2.1 System Component Coverage - Coverage of all system components.
7.2.2 Privilege Assignment - Assignment of privileges to individuals based on job classification and function.
7.2.3 Default "deny-all" Setting

REQUIREMENT 8: Assign a Unique ID to Each Person With Computer Access.

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

8.1 Unique ID - Assign all users a unique ID before allowing them to access system components or cardholder data.
8.2 Authentication Method - In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
* Password or passphrase
* Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys).
8.3 Two-factor Authentication for Remote Access - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
8.4 Passwords Rendered Unreadable for Transmission and Storage - Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS Glossary of Terms, Abbreviations, and Acronyms).
8.5 Credential Management - Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
8.5.1 Positive Credential Control - Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.5.4 Terminated User Credentials - Immediately revoke access for any terminated users.
8.5.5 Inactive User Credentials - Remove/disable inactive user accounts at least every 90 days.
8.5.6 Vendor Credentials - Enable accounts used by vendors for remote maintenance only during the time period needed.
8.5.7 Credential Policy Communication - Communicate password procedures and policies to all users who have access to cardholder data.
8.5.8 Prohibition On Group Credentials
8.5.9 Password Ageing - Change user passwords at least every 90 days.
8.5.10 Password Length - Require a minimum password length of at least seven characters.
8.5.11 Password Complexity - Use passwords containing both numeric and alphabetic characters.
8.5.12 Password History - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
8.5.13 Account Lockout Threshold - Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.5.14 Account Lockout Duration - Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.

8.5.15 Idle Session Timeout Threshold - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
8.5.16 Database Authentication - Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

REQUIREMENT 9: Restrict Physical Access to Cardholder Data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

9.4 Visitor Log - Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor's name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

REQUIREMENT 10: Track and Monitor All Access to Network Resources and Cardholder Data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

10.1 System Component Access Logging - Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2 Audit Trail Automation - Implement automated audit trails for all system components to reconstruct the following events:
10.2.0 Enable Audit
10.2.1 Individual Access - All individual accesses to cardholder data.
10.2.2 Privileged User Action - All actions taken by any individual with root or administrative privileges.
10.2.3 Audit Trail Access - Access to all audit trails.
10.2.4 Invalid Access Attempts - Invalid logical access attempts.
10.2 Identification and Authentication Mechanisms - Use of identification and authentication mechanisms.
10.2.6 Audit Log Initialization - Initialization of the audit logs.
10.2.7 Object Creation and Deletion - Creation and deletion of system-level objects.
10.3 System Component Audit Events - Record at least the following audit trail entries for all system components for each event:
10.3.1 User Identification

10.3.2 Type of Event
10.3.3 Date and Time
10.3.4 Success or Failure Indication
10.3.5 Origination of Event
10.3.6 Object Identity or Name - Identity or name of affected data, system component, or resource.
10.4 Time Synchronization - Synchronize all critical system clocks and times.
10.5 Secure Audit Trails - Secure audit trails so they cannot be altered.
10.5.1 Role-based Access to Audit Trails - Limit viewing of audit trails to those with a job-related need.
10.5.2 Audit Trail Modification Protection - Protect audit trail files from unauthorized modifications.
10.5.3 Audit Trail Backup - Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Log To Internal Log Server - Write logs for external-facing technologies onto a log server on the internal LAN.
10.5.5 File-integrity Monitoring or Change Detection - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
10.6 Log Review - Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). NOTE: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.
10.7 Audit Trail Retention - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

REQUIREMENT 11: Regularly Test Security Systems and Processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
11.2 Internal and External Network Vulnerability Scanning - Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company's internal staff.
11.5 Deploy File-integrity Monitoring Software with Alerting - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. NOTE: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

REQUIREMENT 12: Maintain a Policy That Addresses Information Security for Employees and Contractors.

A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of this requirement, "employees" refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are resident on the company's site.

12.3 Develop Technology Usage Policies - Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
12.3.8 Automatic Session Disconnect - Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
12.3.10 Remote Data Access Limitations - When accessing cardholder data via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media.
12.9.5 Incident Response Alert Scope - Include alerts from intrusion detection, intrusion prevention, and file-integrity monitoring systems.
12.9.6 Incident Response Plan Adaptation - Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

REQUIREMENT A: Additional PCI DSS Requirements for Shared Hosting Providers

As referenced in Requirement 12.8, all service providers with access to cardholder data (including shared hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that shared hosting providers must protect each entity's hosted environment and data. Therefore, shared hosting providers must additionally comply with the requirements in this Appendix.

A.1.3 Ensure Entity-specific Logging and Audit - Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.
A.1.4 Enable Timely Forensic Investigation - Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
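The two file-integrity rules above, 10.5.5 (existing log data must not change, but appends must not alert) and 11.5 (any unauthorized change to a critical file is reported), as an added Python example written for this page; it is illustrative code, not Tripwire Enterprise's implementation or data format, and the file names and log lines are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of a file (whole file if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()

def baseline(paths):
    """Record a content hash, size and permission bits for each critical file."""
    return {p: {"sha256": sha256_prefix(p),
                "size": os.path.getsize(p),
                "mode": stat.S_IMODE(os.stat(p).st_mode)} for p in paths}

def compare(base, append_only=()):
    """Return (path, finding) pairs for every deviation from the baseline.
    Files in append_only may grow, but the bytes present at baseline time must
    be unchanged (req. 10.5.5); any change to another critical file, including
    its permission bits, is reported (req. 11.5)."""
    findings = []
    for p, rec in base.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        if stat.S_IMODE(os.stat(p).st_mode) != rec["mode"]:
            findings.append((p, "permissions changed"))
        size = os.path.getsize(p)
        if p in append_only:
            if size < rec["size"]:
                findings.append((p, "log truncated"))
            elif sha256_prefix(p, rec["size"]) != rec["sha256"]:
                findings.append((p, "existing log data modified"))
            # a pure append (larger file, same prefix hash) is not a finding
        elif size != rec["size"] or sha256_prefix(p) != rec["sha256"]:
            findings.append((p, "content changed"))
    return findings

def demo():
    """Constructed scenario: a config file and a log file, then two check runs."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "sshd_config")   # stand-in for a critical config file
    log = os.path.join(d, "auth.log")      # stand-in for an audit log
    with open(cfg, "w") as f:
        f.write("PermitRootLogin no\n")
    with open(log, "w") as f:
        f.write("Jan 1 00:00:00 host sshd: Accepted publickey for alice\n")
    base = baseline([cfg, log])

    # Run 1: only a legitimate append to the log -> no findings expected.
    with open(log, "a") as f:
        f.write("Jan 1 00:01:00 host sshd: Accepted publickey for bob\n")
    run1 = compare(base, append_only={log})

    # Run 2: config edited and an existing log line rewritten -> two findings.
    with open(cfg, "w") as f:
        f.write("PermitRootLogin yes\n")
    with open(log, "w") as f:
        f.write("Jan 1 00:00:00 host sshd: Accepted publickey for mallory\n"
                "Jan 1 00:01:00 host sshd: Accepted publickey for bob\n")
    run2 = compare(base, append_only={log})
    return run1, run2
```

A scheduled `compare()` at least weekly, with the baseline re-taken only after an approved change, is the 11.5 cadence; the prefix-hash check is what lets a log be monitored without alerting on every new line.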
