Transcription

PCI Requirementsand Netwrix Auditor Mappingwww.netwrix.com Toll-free: 888-638-9749

About PCI DSS v3.2Anyone who accepts credit, debit or prepaid cards over the internet, telephone, or terminals aspayment; stores card data, or processes card transactions is responsible to be PCI compliant. Failureto comply with PCI may result in fines, loss of reputation, and inability to accept major credit cards.Appropriate policies and procedures, technical measures, administrative efforts, and physical securityshould supplement each other in the organization in order to ensure continuous compliance with PCIRequirements. Please note that the efforts and procedures required to establish compliance in each section may varyin different organizations depending on their systems configuration, internal procedures, nature ofbusiness, and other factors.Implementation of the described controls will not guarantee organizational compliance. Not all thecontrols that Netwrix can possibly support are included. This mapping should be used as a referenceguide for implementation of an organization tailored policies and procedures.2

Mapping of Processes and Report Categories to PCIControlsRequirement 3: Protect stored cardholder dataControlHow to Comply?3.1 Keep cardholder datastorage to a minimum byimplementing data retentionand disposal policies,procedures and processes3.2 Do not store sensitiveauthentication data afterauthorization (even ifencrypted). If sensitiveauthentication data is received,render all data unrecoverableupon completion of theauthorization process.Monitor all designatedlocations for data creation anddeletions to confirm thatretention and disposal policiesare effective.Processes and Report CategoriesData GovernanceData ChangesRequirement 5: Use and regularly update anti-virus software or programs5.3 Ensure that anti-virusConfigure Group policiesPrivileged Users Managementmechanisms are activelyappropriately as to not allowConfiguration Changesrunning and cannot bedisabled or altered by users,unless specifically authorizedby management on a case-bycase basis for a limited timeperiod.not authorized users to disableor change antivirus software.Audit all changes to sensitivesystems to ensure thatantivirus mechanisms have notbeen tempered with.Requirement 6: Develop and maintain secure systems and applications6.3.1 Remove development,test and/or custom applicationaccounts, user IDs, andpasswords before applicationsbecome active or are releasedto customers.6.4 Follow change controlprocesses and procedures forall changes to systemcomponents. The processesmust include the following:Audit user account states andchanges to verify that notest/development useraccounts are present in theproduction systems.Account ManagementAccount ChangesAccount StatesSupport this requirement byreferring to the complete audittrail provided by NetwrixAuditor to verify that allchanges are authorized inaccordance with organizationdefined policies andprocedures. Review Statusmechanism can be utilized.Audit TrailAll Changes3

6.4.1 Separatedevelopment/testenvironments from productionenvironments, and enforce theseparation with accesscontrols.6.4.2 Separation of dutiesbetween development/test andproduction environments6.4.4 Removal of test data andaccounts from systemcomponents before the systembecomes active/goes intoproduction.6.4.5.2 Documented changeapproval by authorized parties.Audit all access rights changes,activities of users withdevelopment/test user accessrights, across all informationsystems to ensure nounauthorized access toproduction environments ispossible.Access ControlGroup Membership ChangesGroup Membership StatesAll ChangesAll StatesValidate that all test useraccounts are removed andcreated temporary data isdeleted in accordance with therequirements.Utilize the audit trail providedby Netwrix Auditor to supplyreference of activities. Inaddition, Review Statusmechanism can be utilized.Account ManagementAccount ChangesAccount StatesAudit TrailAll ChangesRequirement 7: Restrict access to cardholder data by business need to know7.1 Limit access to systemAudit access to informationAccess Controlcomponents and cardholdersystems in order to confirmSystem Accessdata to only those individualsthat no access by unauthorized Data Accesswhose job requires suchpersonnel is taking place.Account Managementaccess.Account ChangesAccount States7.1.3 Assign access based onCombine audit trail provided by Account Managementindividual personnel’s jobNetwrix Auditor and HRAccount Changesclassification and function.department records to validatePrivileged Users Managementthat assigned access isAccount Changes7.1.4 Require documentedapproval by authorized partiesspecifying required privileges.7.2 Establish an access controlsystem(s) for systemscomponents that restrictsaccess based on a user’s needto know, and is set to “deny all”unless specifically allowed.necessary and appropriate.Compare Netwrix Auditorrecords of assignments ofprivileges and changes withinternal authorizationdocuments for each case of theprivileges assignment.Audit user access rights, filesfolders and their permissionsacross the entire ITinfrastructure for earlydetection of unauthorizedchanges to security settings(e.g. granting of newpermissions, elevation ofprivileges, etc.)Account ManagementAccount ChangesAccount StatesAccess ControlPolicy ChangesPolicy StatesSystem AccessUser ActivityIntegrity MonitoringSystem Integrity4

Requirement 8: Assign a unique ID to each person with computer access8.1 Define and implementComplement administrativeAccount Managementpolicies and procedures toefforts of various departmentsConfiguration Statesensure proper userof organization and built-inAccounts Statesidentification management forcapabilities of Active DirectoryAccount Changesnon-consumer users andfor identity management withPolicy Changesadministrators on all systemenhanced visibility, completePolicy Statescomponents as follows:audit trail of states andPrivileged Users Managementchanges and other featuresUser Activity8.2 In addition to assigning aprovided by Netwrix Auditor.Access Controlunique ID, ensure proper userauthentication managementSystem Accessfor non-consumer users andadministrators on all systemcomponents8.1.1 Assign all users a uniqueID before allowing them toaccess system components orcardholder data.Complete auditing of useraccounts and logons to analyzeviolations and prevent usage ofthe same ID by multiplepersons (e.g. from differentcomputers) Compare audit trailwith HR records.8.1.2 Control addition, deletion,and modification of user IDs,credentials, and other identifierobjects.Audit user creations, deletions,password resets, andmodifications to all accountpolicies and attributes acrossall information systems.8.1.3 Immediately revokeaccess for any terminatedusers.Manage user accounts incoordination with HRdepartment. Auditing ofdisabled accounts, automatedde-provisioning of inactive useraccounts.Utilize Netwrix Auditor built-inautomated disabling andremoval with full reporting.8.1.4 Remove/disable inactiveuser accounts within 90 days.8.1.5 Manage IDs used by thirdparties to access, support, ormaintain system componentsvia remote access.Audit user access and alloperations with accounts inorder to establish and maintaincontrol of system componentsthat allow remote access.8.1.6 Limit repeated accessattempts by locking out theuser ID after not more than sixattempts.Analyze Netwrix Auditor auditlogs of to confirm that ADaccount lockout policy (AccountLockout Threshold) isconfigured and functioningproperly.Access ControlSystem AccessData AccessAccount ManagementAccounts StatesAudit TrailUser ActivityAccount ManagementAccount ChangesCredentials ManagementPassword ChangesPassword Policy ChangesAccount ManagementAccount ChangesAccount StatesAccount ManagementAccount ChangesAccount StatesAccess ControlSystem AccessAccount ManagementAccount ChangesAccount StatesAccess ControlSystem AccessPolicy ChangesPolicy StatesSecurity Changes5

8.1.7 Set the lockout durationto a minimum of 30 minutes oruntil an administrator enablesthe user ID.8.1.8 If a session has been idlefor more than 15 minutes,require the user to reauthenticate to re-activate theterminal or session.8.2.1 Using strongcryptography, render allauthentication credentials(such as passwords/phrases)unreadable duringtransmission and storage on allsystem components.8.2.3 Passwords/passphrasesrequire a minimum length of atleast seven characters andcontain both numeric andalphabetic characters orequivalent parameters arespecified.8.2.4 Change userpasswords/passphrases atleast once every 90 days.8.2.5 Do not allow an individualto submit a newpassword/passphrase that isthe same as any of the last fourpasswords/passphrases he orshe has used.8.2.6 Setpasswords/passphrases forfirst-time use and upon reset toa unique value for each user,and change immediately afterthe first use.Analyze Netwrix Auditor auditlogs of to confirm that ADaccount lockout policy (Accountlockout duration) is configuredand functioning properly.Analyze Netwrix Auditor auditlogs to confirm that Grouppolicy for time-out settings fordisconnected, active, and idlesessions (Idle session limit) isconfigured and functioningproperly.Utilize built-in encryptionfeatures of Active Directory andvalidate proper policy statesand functionality by analyzingaudit trail provided by NetwrixAuditor.Audit state and changes ofActive Directory passwordpolicy settings to ensurecompliance with therequirement. Refer to the audittrail of all password changes tovalidate that policy wasenforced properly.Configuration ChangesUser ActivityAccess ControlPolicy ChangesPolicy StatesCredentials ManagementPassword ChangesPassword Policy ChangesConfiguration ManagementPolicy StatesConfiguration StatesAudit all newly created useraccounts, logons and passwordchanges to confirm complianceand/or prevent violation .6

8.4 Document andcommunicate authenticationpolicies and procedures to allusers including: Guidance on selecting strongauthentication credentials Guidance for how usersshould protect theirauthentication credentials Instructions not to reusepreviously used passwords Instructions to changepasswords if there is anysuspicion the password couldbe compromised.Utilizing automatic passwordexpiration alerting mechanismof Netwrix Auditor may helpwith this requirement.Access ControlPolicy StatesConfiguration ManagementPolicy StatesConfiguration States8.5 Do not use group, shared,or generic IDs, passwords.Audit actions done under ashared account (e.g. sameuser/different workstations)and help to eliminate its usageAudit access and activities logsacross information systems tovalidate that credentials usedfor POS remote access cannotbe used to access any of theother systems.Access ControlUser ActivityAccount ManagementAccount Changes8.5.1 Additional requirementfor service providers only:Service providers with remoteaccess to customer premises(for example, for support ofPOS systems or servers) mustuse a unique authenticationcredential (such as apassword/phrase) for eachcustomer.Requirement 10: Track and monitor all access to network resources and cardholder data10.1 Implement audit trails toUtilize Netwrix Auditor’s fullyAccess Controllink all access to systemfeatured auditing and reporting System Accesscomponents to each individualof all user activities includingData Accessuser.access to sensitive files, acrossUser Activitythe entire IT infrastructure andAudit Trailrecording of who changedUser Activitywhat, when, and where.10.2 Implement automatedaudit trails for all systemcomponents to reconstruct thefollowing events:10.2.1 All individual useraccesses to cardholder data.This requirement is supportedby built-in functionality ofNetwrix auditor.Audit TrailAll ChangesAll StatesAudit all user access todesignated locations ininformation systems, wherecardholder data is stored.10.2.2 All actions taken by anyindividual with root oradministrative privileges.Audit all activities of users withadministrative privileges acrossinformation systems.Access ControlData AccessData IntegrityUser ActivityPrivileged Users ManagementUser Activity7

10.2.3 Access to all audit trails10.2.4 Invalid logical accessTurn on user activity videorecording feature on systemswith Netwrix Auditorinstallations and capture allinteractions.Audit failed logon attempts.attempts.10.2.5 Use of and changes toidentification andauthentication mechanisms—including but not limited tocreation of new accounts andelevation of privileges—and allchanges, additions, or deletionsto accounts with root oradministrative privileges10.2.6 Initialization, stopping,or pausing of the audit logs10.2.7 Creation and deletion ofsystem-level objects10.3 Record at least thefollowing audit trail entries forall system components foreach event: User identification;Type of event; Date and time;Success or failure indication;Origination of event10.6 Review logs and securityevents for all systemcomponents to identifyanomalies or suspiciousactivity.10.7 Retain audit trail historyfor at least one year, with aminimum of three monthsimmediately available foranalysis (for example, online,archived, or restorable frombackup).Audit user logons, activities andchanges to account policies andmodifications to user accountsincluding elevation ofprivileges.Monitor changes to theauditing policies on criticalsystems, optionally utilize useractivity video recording. Watchfor problems with auditcollection in daily summaryreport of Netwrix Auditor.Audit all modifications tocritical files, database tables,AD objects, registry keys, etc.This requirement is supportedby built-in functionality ofNetwrix auditor.Full-featured reportingfunctionality with predefinedreports and ability to createcustom reports on any type ofcollected data. Out-of-the boxreports scheduled daily andsent via e-mail for review.Unlimited storage capabilitieswith efficient storage use tostore up to 10 years and moreof past audit trails