In addition to Requirement 10 of PCI DSS, EventLog Analyzer also houses reports that cater to most other requirements. With an easily-comprehendible interface and unparalleled log-sweeping capabilities, EventLog Analyzer's compliance reports make PCI DSS compliance possible within a few clicks.
Cardholder Data is the holy grail of PCI DSS. Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.
Restrict access to (encryption) keys to the fewest number of custodians necessary.
The first stage of protecting cardholder data is to have then encrypted, thereby rendering the data unusable unless the interceptor has the keys to decrypt it. The second stage is to restrict the access to the encryption keys. This will ensure that not everyone can decrypt the cardholder data, and this will considerably reduce the risks of subjecting cardholder data to criminal usage, as the keys to decrypt the data will no longer be accessible.
The straightforward method to achieve compliance to this requirement is to restrict the access to the encryption keys, and this can be done be the usual access control methods.
To prove compliance to this requirement, EventLog Analyzer presents The Report on Object Access shows the complete list of users who have accessed the objects on the network, with details like the username and the timestamp, along with the object access details This report can be filtered to show information on the accesses to encryption keys. With this information, it is easy to arrive at the list of all users who have access to the encryption keys: an information manadated by PCI DSS Requirement 3.5.1
Sensitive resources like cardholder data and PAN numbers are housed in networks that handle a vast number of users and other objects. In such networks, security threats are directly proportional to the size. Therefore it becomes imperative on the part of the organization to restrict accesses to cardholder data. Also, to make it more systematic, PCI DSS also mandates that access to cardholder data can be allowed only on a business-level need-to-know. This will ensure that no unauthorized users access the network. This also takes care that even authorized personnel access the data only per business requirements.
This requirement branches in to two sub-sections to fulfil the above purpose:
Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
This requirement emphasizes the need to restrict access to cardholder data and also the computing resources to only those with job-related requirement. One implication of this requirement is that the access need not be on the basis of the user-privilege on the network, but independent of the user-type. This will also mean that not every administrative user will have access to cardholder data. This will serve to protect sensitive information from being accessed by unauthorized users.
The needful measures to restrict access to sensitive areas of the network can be effected by using simple access control methods. However, to prove the effectiveness of these methods, it takes an extra step.
EventLog Analyzer presents four reports that can help you establish your organization's compliance to PCI DSS Requirement 7.1:
Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.
This requirement is of vital importance when it comes to muctiple users accessing the same system. In this case, the privileges have to be user-specific and not system-specific. This will ensure that, irrespective of the system in which the users are logged in to, only the users who have the sufficient privileges can access the resources. This requirement also mandates not defaulting any user in to accessing sensitive areas of the network. This is important so that no newly created user is defaulted in to accessing all the network resources.
As in every case, the permissions for each user can be configured using the access control lists. To prove the effeectiveness of these access control measures and in turn, to establish compliance to PCI DSS Requirement 7.2, Eventlog Analyzer presents two reports:
This requirement of PCI DSS demands a unique identifier to be assigned to each person who has access to the network computers. Though this requirement might seem basic and taken-for-granted, it has profound repercussions on network security. Only if a unique identifier exists for each user with computer access, each action performed using the credentials can be back-tracked to the user. This will help trace causes of security-breaches to the point-blank range.
Requirement 8.5 specifically talks about using proper user-authentication and password mechanisms. This Requirement is further divided in to sub-sections and each one plays a part in acheiving the end-goal of being able to uniquely identify users.
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
User-Authentication and Security of Login Credentials have a direct impact on cardholder data security. Securing user-access and security of login credentials will greatly enhance the security of cardholder data. Therefore it is important to keep a tab on user-administration activities. For this reason, PCI DSS manadates that there should be complete control over addition and modification of user ids and any other identifier object.
Even outside PCI DSS Point of view, it is import to have controls over creation and modification of users. These controls can be effecting by defining the powers of each users using standard access control methods. To establish compliance to PCI DSS, it is important to prove that the access controls methods are effective
EventLog Analyzer comes pre-loaded with Change Audit Reports that will help in this respect. Using EventLog Analyzer's Change Audit Reports, the exact policy changes can be traced. This can help track the effect of each policy change - the users or the roles that were authorized to perform modifications on the user IDs can be identified. This data can help establish compliance to PCI DSS.
What Is It?
Do not use group, shared, or generic accounts and passwords.
The implications of this requirement are too obvious: Using group, shared or generic accounts and passwords defeats the entire purpose of assigning a unique user ID, and therefore the actions performed using generic credentials cannot be traced to a single user. Hence, from a security perspective, it is of utmost importance to comply to this PCI-DSS Requirement.
The only way to prove that your organization is compliant to the above-mentioned requirement is to list out all the user-names with accesses to network resources, and prove that there's no generic name in the list.
EventLog Analyzer with itsSuccessful Logon Reports will help prove your compliance to this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. Using the user-names in the list, it can be proved that no generic names were used to log-in to the system or the network.
Limit repeated access attempts by locking out the user ID after not more than six attempts.
Access to cardholder data and other sensitive resources cannot be left to chance; this requirement of PCI DSS seals such loop holes. Per this requirement, to achieve compliance, it is mandated that a user-id cannot attempt a log on with not more than six unsuccessful attempts. With this requirement in place, any unauthorized user who tries to access a restricted resource by guessing the password cannot continue the game for infinitesimal attempts.
The primary method to enforce this measure woould be to enforce strong password policies and define the number of unsuccessful logon attempts before the user is denied access in to the resource he's trying to access.
EventLog Analyzer with its Successful Logon Reports will help prove your compliance to this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. Using the user-names in the list, it can be proved that no generic names were used to log-in to the system or the network.
Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
With this requirement in place, it is impossible to circumvent the authentication process when accessing resources through some application. This will also ensure that there's no default authentication in to the sensitive areas of the network, even through applications or other consoles. Additionally, this also forbids an administrator from having blanket credentials that allow blind access to all the network resources.
The intial authentication mechanisms have to be configured in such a way that there's no possibility to beat the straight way using an authenticating interface.
EventLog Analyzer presents two reports that can prove compliance to this Requirement.
Successful Logon Reports will help prove your compliance to this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. This will ensure that there was no unauthenticated entry in to the critical resources of the network.
The Report on Individual Actions will list out all the activities of all the users on the network, by user. Using the data obtained from this report, the administrator can find out the areas accessed by that particular user. Coupling the data from this report with the former, compliance to PCI DSS Requirement 8.5.16 can be established.
Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.
This requirement talks about testing security measures on an annual bases, so the security devices are up to date, if not advanced, to thwart the ever-evolving attacks by brute forces that attempt to access classified data. This requirement also demands testing wireless devices in use, on a quarterly basis, as vulnerabilities are higher for wireless devices.
The only way to establish compliance to this section of PCI DSS is to manually test the securities of all the connections and controls.
EventLog Analyzer presents three reports that can help you establish your organization's compliance to PCI DSS Requirement 11.1:
Requirement 12 of PCI DSS is the icing for all the above requirements - per this requirement, there has to be a security policy place that addresses information security for employees and contractors alike. This requirement serves to have a constitution that will address the breaching of thee protocol by employees and contractors. This requirement is the precursor to all the above requirements, as this is the one that will give the various policies that govern information security.
This requirement is further divided in to a few sub-requirements:
Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures)
Requirement 12.2 makes PCI DSS compliance more as an everyday affair and not as a specific activity. Compliance to this requirement would mean that all procedures that will help establish compliance to PCI DSS that are in place will help in organizational and information security.
The only way to establish compliance to this section of PCI DSS is to manually test the securities of all the connections and controls.
EventLog Analyzer presents three reports that can help you establish your organization's compliance to PCI DSS Requirement 112.2:
EventLog Analyzer's Reports are created with your organization's PCI DSS Requirements in mind. With these many reports in place, it is now a child's play to establish your organization's compliance to PCI DSS. EventLog Analyzer also provides reporting solutions for various Government Regulatory Acts like SOX, HIPAA, FISMA and GLBA too!
