PCI DSS Compliance Statement

Published on February 2017

In today's competitive world every company wants to give its customers the best service and make their lives easier. One of the most popular facilities is the credit card, through which a user can borrow money to pay merchants or take a cash advance. Securing cardholder data is a critical concern for merchants and service providers. To earn customers' trust and satisfaction, the five major credit card companies (Discover Financial Services, American Express, Visa International, JCB and MasterCard Worldwide) united to support a new independent body, the Payment Card Industry Security Standards Council (PCI SSC), to strengthen security controls among their members. If a business process stores, processes or transmits cardholder data, the business must comply with the PCI DSS. No matter how many card transactions a company processes or handles, it must comply with all Payment Card Industry Data Security Standard (PCI DSS) requirements, and businesses that fail to comply may face stiff fines and penalties.

So how can a business meet these stringent PCI DSS requirements on time, without overburdening IT staff or wasting valuable resources? Secure Auditor can help, with a strategic, identity-based approach to PCI DSS compliance that addresses the complete range of requirements. This allows the business to simplify and automate PCI DSS compliance and enhance overall IT security and operations.

Benefits of Secure Auditor PCI Compliance
• Improve network security and business
• Create a safer environment for customers
• Protect servers and systems
• Comprehensive reports
• Up-to-date security
• Gain customers' trust and satisfaction
• Stay safe from penalties
• Safe and easy to use

Payment Card Industry (PCI)
The Payment Card Industry Data Security Standard (PCI DSS) is an international information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

Why should you be concerned?
A top priority for the card associations is ensuring that cardholder information is handled securely. All merchants are required to meet the compliance guidelines. Failure to comply can result in significant fines for merchants and the possible cancellation of payment processing capabilities.

PCI DSS compliance requirements
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Secure Auditor Compliance Statement for PCI DSS compliance


Secure Auditor's Proposed Solution Matrix
Secure Auditor, with over 30 embedded utilities, has been designed to help organizations comply with PCI DSS.

Each entry below gives the PCI clause number, the PCI clause, an illustration (the PCI DSS testing procedure) and Secure Auditor's compliance statement.

PCI/DSS Requirement 1 (Install and maintain a firewall configuration to protect cardholder data)

PCI/DSS 1.1.5
PCI Clause: Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Illustration: 1.1.5.b Identify insecure services, protocols, and ports allowed; verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service. An example of an insecure service, protocol, or port is FTP, which passes user credentials in clear text.
Compliance statement: Secure Auditor's port scanner lets users check for ports belonging to insecure services such as FTP, HTTP, TFTP and SNMP, and also identifies peer-to-peer (P2P) file-sharing, Voice over IP (VoIP), game and Trojan ports on a host or across the network. This helps establish whether a host is running software against policy and whether Trojans are present. For Trojan ports it also provides background information the user can use to confirm whether the port really belongs to a Trojan and, if so, how to remove it. The port scanner provides the option to check all TCP ports as well as UDP ports.

PCI/DSS 1.2.2
PCI Clause: Secure and synchronize router configuration files.
Illustration: Verify that router configuration files are secure and synchronized; for example, running configuration files (used for normal running of the routers) and start-up configuration files (used when machines are rebooted) have the same, secure configurations.
Compliance statement: Secure Auditor's Cisco Configuration Manager utility downloads the startup and running configurations of Cisco routers and lets the user change them or compare the configurations of different routers on the network. It also creates a date-stamped backup each time a configuration is uploaded to a router, giving a complete trail of the changes made on each router, with dates, to satisfy the compliance requirement. An embedded TFTP server is provided for saving configurations.

PCI/DSS 1.3.6
PCI Clause: Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
Illustration: Verify that the firewall performs stateful inspection (dynamic packet filtering). Only established connections should be allowed in, and only if they are associated with a previously established session (run a port scanner on all TCP ports with "syn reset" or "syn ack" bits set; a response means packets are allowed through even if they are not part of a previously established session).
Compliance statement: Secure Auditor's port scanner (see 1.1.5) can scan all TCP ports, as this test requires.

PCI/DSS 1.4
PCI Clause: Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network.
Illustration: Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by mobile computer users.
Compliance statement: Secure Auditor audits Windows-based machines and detects whether desktop firewall software is installed, verifying the presence of personal firewalls for both office and mobile users.


PCI/DSS Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters)

PCI/DSS 2.1
PCI Clause: Always change vendor-supplied defaults before installing a system on the network; for example, passwords, Simple Network Management Protocol (SNMP) community strings, and elimination of unnecessary accounts.
Illustration: Choose a sample of system components, critical servers, and wireless access points, and attempt to log on (with system administrator help) to the devices using default vendor-supplied accounts and passwords, to verify that default accounts and passwords have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)
Compliance statement: Secure Auditor provides multiple tools to identify default passwords: Oracle Password Auditor, MSSQL Password Auditor, Oracle Default Password Tester, MSSQL Default Password Tester and Windows Password Auditor. Each identifies default passwords present on a system and so supports compliance with this clause. The SNMP Browser shows the SNMP-enabled devices that still use default community names, the SNMP Scanner identifies default community strings in use on the network, and the SNMP Brute Force Attacker confirms whether default community strings have been changed.

PCI/DSS 2.1.1
PCI Clause: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
Compliance statement: The SNMP tools above verify that default SNMP community strings on wireless devices have been changed.

PCI/DSS 2.2
PCI Clause: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Illustration: Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards; for example, SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS).
Compliance statement: Secure Auditor assesses the overall security health of an organization through its audit process, which identifies system components and their configuration settings. It follows NIST standards and contains profiles based on the guidelines of PCI DSS, SANS, SOX, CIS and others; audits of the specified machines are conducted against these profiles.

PCI/DSS 2.2.2
PCI Clause: Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function).
Illustration: For a sample of system components, inspect enabled system services, daemons, and protocols. Verify that unnecessary or insecure services or protocols are not enabled, or are justified and documented as to appropriate use of the service. For example, FTP is not used, or is encrypted via SSH or other technology.
Compliance statement: Secure Auditor inspects the registry and reports the services and protocols that are enabled, highlighting unnecessary or insecure ones, and identifies security flaws in them.

PCI/DSS 2.2.3
PCI Clause: Configure system security parameters to prevent misuse.
Illustration: 2.2.3.b Verify that common security parameter settings are included in the system configuration standards. 2.2.3.c For a sample of system components, verify that common security parameters are set appropriately.
Compliance statement: Secure Auditor contains embedded profiles based on the common security parameters defined by international institutions and compliance standards such as PCI DSS, SANS, SOX, ISACA and CIS. Once an audit has been run against these profiles, the audited systems have been checked against those common security parameters, so the user can see clearly whether each parameter is set appropriately.

PCI/DSS 2.2.4
PCI Clause: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Illustration: For a sample of system components, verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed. Verify enabled functions are documented and support secure configuration, and that only documented functionality is present on the sampled machines.
Compliance statement: Secure Auditor checks default registry settings, which helps identify unnecessary functions that are configured and allowed on a system.

PCI/DSS 2.3
PCI Clause: Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Illustration: For a sample of system components, verify that non-console administrative access is encrypted by: observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator's password is requested; reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and verifying that administrator access to the web-based management interfaces is encrypted.
Compliance statement: After an audit, Secure Auditor reports the access controls in place for all users and shows the services, encryption settings, remote log-in facilities and parameter files on the audited systems. All administrative access logs can be reviewed with Secure Auditor's Event Log Viewer utility.
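Clauses 1.2.2, 2.1 and 2.3 above come down to three checks on a router's configuration files: that the startup and running configurations match, that no vendor-default SNMP community string survives, and that management access is not offered over Telnet or plain HTTP. The Python script below is an added example for this page, not Secure Auditor code and not a description of how its Cisco Configuration Manager works. It diffs two Cisco IOS configurations and flags the insecure lines. The two configurations are constructed samples, and the set of default community strings (public, private) is an assumption that should be extended with the defaults of the devices actually in scope.

```python
"""Router configuration checks for PCI DSS 1.2.2, 2.1 and 2.3.

Added example for this page (not Secure Auditor code). The two Cisco IOS
configurations below are constructed samples: the drift between them and
the weak settings in the running config are deliberate.
"""
import difflib
import re
from typing import List

STARTUP_CONFIG = """\
hostname edge-rtr1
service password-encryption
no ip http server
snmp-server community S3cr3tStr1ng RO 10
line vty 0 4
 transport input ssh
"""

RUNNING_CONFIG = """\
hostname edge-rtr1
service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

# Vendor-default community strings (assumption: extend for the devices in scope).
DEFAULT_COMMUNITIES = {"public", "private"}


def config_diff(startup: str, running: str) -> List[str]:
    """1.2.2: unified diff of startup vs running config; an empty list means synchronized."""
    return list(difflib.unified_diff(
        startup.splitlines(), running.splitlines(),
        fromfile="startup-config", tofile="running-config", lineterm="", n=0))


def insecure_settings(config: str) -> List[str]:
    """2.1 / 2.3: flag default SNMP strings and unencrypted management access."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        snmp = re.match(r"snmp-server community (\S+)", line)
        if snmp and snmp.group(1) in DEFAULT_COMMUNITIES:
            findings.append(f"2.1: default SNMP community string '{snmp.group(1)}'")
        if re.match(r"transport input\b.*\btelnet\b", line):
            findings.append("2.3: Telnet accepted on vty lines (unencrypted administrative access)")
        if line == "ip http server":
            findings.append("2.3: cleartext HTTP management interface enabled")
    return findings


def audit_router(startup: str, running: str) -> List[str]:
    """Combine both checks into one list of findings for a report."""
    findings = []
    if config_diff(startup, running):
        findings.append("1.2.2: startup and running configurations differ")
    findings.extend(insecure_settings(running))
    return findings


if __name__ == "__main__":
    for line in config_diff(STARTUP_CONFIG, RUNNING_CONFIG):
        print(line)
    for finding in audit_router(STARTUP_CONFIG, RUNNING_CONFIG):
        print("FINDING", finding)
```

To use it against real devices, save the output of `show startup-config` and `show running-config` to files and pass their contents to the two functions. A non-empty diff is a 1.2.2 finding in its own right, even when none of the differing lines is insecure, because it means the device will behave differently after its next reboot.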


PCI/DSS Requirement 3 (Protect stored cardholder data)

PCI/DSS 3.5.1
PCI Clause: Restrict access to cryptographic keys to the fewest number of custodians necessary.
Illustration: 3.5.1 Examine user access lists to verify that access to keys is restricted to very few custodians.
Compliance statement: Secure Auditor's Access Rights Auditor reports the access privileges granted on the database tables that contain cryptographic keys.

PCI/DSS 3.6
PCI Clause: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
Illustration: 3.6.a Verify the existence of key-management procedures for keys used for encryption of cardholder data. Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.
Compliance statement: By auditing against the PCI DSS, SANS, SOX, ISACA and CIS profiles, Secure Auditor helps identify key-management settings, drawing on guidance from sources including NIST.

PCI/DSS Requirement 4 (Encrypt transmission of cardholder data across open, public networks)

PCI/DSS 4.2
PCI Clause: Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
Illustration: 4.2.b Verify the existence of a policy stating that unencrypted PANs are not to be sent via end-user messaging technologies.
Compliance statement: Secure Auditor's port scanner identifies open ports belonging to protocols that carry data in plain text, such as FTP, HTTP, TFTP and SMTP. Because cardholder data should be encrypted on both public and private networks, usage should be limited to those protocols and applications that support encryption.


PCI/DSS Requirement 5 (Use and regularly update anti-virus software)

PCI/DSS 5.1
PCI Clause: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Illustration: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
Compliance statement: Secure Auditor checks for anti-virus software and the date of its last definition update, making it easy to verify whether anti-virus is deployed and up to date.

PCI/DSS 5.1.1
PCI Clause: Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Compliance statement: Secure Auditor's Software Inventory Viewer identifies all software installed on a system, checks it against company policy, and flags extra or malicious installations.

PCI/DSS 5.2
PCI Clause: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Illustration: 5.2.a Obtain and examine the policy and verify that it requires updating of anti-virus software and definitions. 5.2.c For a sample of system components including all operating system types commonly affected by malicious software, verify that automatic updates and periodic scans are enabled.
Compliance statement: Secure Auditor reports whether periodic scans and automatic updates are enabled. It checks that an anti-virus product is running on each Windows-based machine, monitors the state of its definition files and reports the date of the last anti-virus update on each system.

PCI/DSS Requirement 6 (Develop and maintain secure systems and applications)

PCI/DSS 6.1
PCI Clause: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
Illustration: 6.1.a For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security patch list, to verify that current vendor patches are installed. 6.1.b Examine policies related to security patch installation to verify they require installation of all critical new security patches within one month.
Compliance statement: Secure Auditor regularly checks the patches installed on Windows, Oracle and MSSQL. It compares the list of security patches installed on each system with the most recent vendor security patch list to verify whether current vendor patches are installed, and clearly indicates patches that are yet to be installed. Because it reports the date of the last patch update, the results can be cross-checked against the policy requirement to install critical security patches within one month.

PCI/DSS 6.2
PCI Clause: Establish a process to identify newly discovered security vulnerabilities and update the configuration standards of Requirement 2.2 as new vulnerability issues are found.
Illustration: 6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
Compliance statement: Secure Auditor audits against predefined embedded profiles based on the common security parameters defined by international institutions and compliance standards such as PCI DSS, SANS, SOX, ISACA and CIS. After an audit it lists the vulnerabilities identified, each with a description and a step-by-step remediation.

PCI/DSS 6.3.6
PCI Clause: Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers.
Illustration: Custom application accounts, user IDs and/or passwords are removed before the system goes into production or is released to customers.
Compliance statement: Secure Auditor detects default passwords in Oracle- and MSSQL-based applications, and default Windows passwords can be checked during the enumeration phase. Default passwords found this way should be removed before release to customers or before the system enters production.

PCI/DSS 6.4
PCI Clause: Follow change control procedures for all changes to system components.
Illustration: 6.4.b For a sample of system components and recent changes/security patches, trace those changes back to related change control documentation.
Compliance statement: The system component and security patch changes recorded in change control documents can be verified against what Secure Auditor's audit and enumeration actually find on each system.

PCI/DSS Requirement 7 (Restrict access to cardholder data by business need to know)

PCI/DSS 7.1.1
PCI Clause: Assignment of privileges is based on individual personnel's job classification and function.
Illustration: Confirm that privileges are assigned to individuals based on job classification and function (also called "role-based access control" or RBAC).
Compliance statement: The Access Rights Auditor audits the role-based access rights granted on Oracle and MSSQL servers.

PCI/DSS 7.1.4
PCI Clause: Implementation of an automated access control system.
Illustration: 7.1.4 Confirm that access controls are implemented via an automated access control system.
Compliance statement: Secure Auditor reports file and folder permissions and checks user rights and privileges on the system.

PCI/DSS 7.2.2
PCI Clause: Assignment of privileges to individuals based on job classification and function.
Illustration: Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
Compliance statement: The Access Rights Auditor audits and demonstrates that access rights and privileges are assigned in accordance with the needs of each job function.


PCI/DSS Requirement 8 (Assign a unique ID to each person with computer access)

PCI/DSS 8.5.3
PCI Clause: Set first-time passwords to a unique value for each user and change immediately after the first use.
Illustration: 8.5.3 Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.
Compliance statement: Secure Auditor's Password Auditor tools identify default, common and easily guessable passwords, which helps establish whether a user has changed the initial password issued by the administrator. Secure Auditor also checks the password policy against the company's standards.

PCI/DSS 8.5.5
PCI Clause: Remove/disable inactive user accounts at least every 90 days.
Illustration: Verify that inactive accounts over 90 days old are either removed or disabled.
Compliance statement: Secure Auditor's audit results show the number of accounts that have been inactive for over 90 days.

PCI/DSS 8.5.6
PCI Clause: Enable accounts used by vendors for remote maintenance only during the time period needed.
Illustration: 8.5.6 Verify that any accounts used by vendors to support and maintain system components are disabled, enabled only when needed by the vendor, and monitored while being used.
Compliance statement: Secure Auditor lists the default accounts that exist on a system and reports whether each is enabled or disabled. Account activity can be traced with Secure Auditor's Event Log Viewer, and the Default Password Tester can test these accounts for default passwords.

PCI/DSS 8.5.8
PCI Clause: Do not use group, shared, or generic accounts and passwords.
Illustration: 8.5.8.a For a sample of system components, examine user ID lists to verify the following: generic user IDs and accounts are disabled or removed; shared user IDs for system administration activities and other critical functions do not exist; shared and generic user IDs are not used to administer any system components.
Compliance statement: Secure Auditor's audit process identifies the generic and shared user IDs present on a system and shows the privileges granted to each shared account, so the user can determine whether such accounts hold privileges for system activities and other critical functions. The Event Log Viewer verifies this in more detail by showing whether generic user IDs are actually being used to log on (a disabled ID cannot be used), and the Password Auditor fetches user names and passwords for a system, which shows which IDs are enabled.

PCI/DSS 8.5.9
PCI Clause: Change user passwords at least every 90 days.
Illustration: For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
Compliance statement: Secure Auditor identifies passwords that are 90 days old or more and checks that the password policy requires users to change passwords at least every 90 days.

PCI/DSS 8.5.10
PCI Clause: Require a minimum password length of at least seven characters.
Illustration: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to be at least seven characters long.
Compliance statement: Secure Auditor verifies the password policy implemented on a system or database and checks whether the minimum password length is set to at least seven characters. It also identifies and fetches weak passwords present on a system, which shows how far the policy is actually enforced.

PCI/DSS 8.5.11
PCI Clause: Use passwords containing both numeric and alphabetic characters.
Illustration: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to contain both numeric and alphabetic characters. For service providers only, review internal processes and customer/user documentation to verify that customer passwords are required to contain both numeric and alphabetic characters.
Compliance statement: Secure Auditor checks that the password policy requires strong passwords containing both numeric and alphabetic characters.

PCI/DSS 8.5.12
PCI Clause: Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
Illustration: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
Compliance statement: Secure Auditor checks whether the password history setting in the password policy meets the PCI DSS requirement.

PCI/DSS 8.5.13
PCI Clause: Limit repeated access attempts by locking out the user ID after not more than six attempts.
Illustration: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that a user's account is locked out after not more than six invalid logon attempts.
Compliance statement: Secure Auditor checks the account lockout policy set on a system against the PCI DSS requirement, verifying that an account is locked out after not more than six invalid logon attempts.

PCI/DSS 8.5.14
PCI Clause: Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
Illustration: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Compliance statement: Secure Auditor checks the account lockout duration against the PCI DSS requirement, verifying that a locked account remains locked for 30 minutes or until an administrator re-enables the user ID.
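The password-parameter checks for 8.5.9 through 8.5.14 can be reproduced on any Windows host by exporting the local security policy. The Python script below is an added example for this page, not Secure Auditor code: it parses the INI file written by `secedit /export /cfg <file>` and compares the [System Access] values against the thresholds above. The two policy exports embedded in it are constructed samples; the key names and the meaning of the sentinel values (-1 for "never expires" or "locked until an administrator unlocks", 0 for "lockout disabled") are the ones Windows uses in that file.

```python
"""Check a Windows local security policy export against PCI DSS 8.5.9-8.5.14.

Added example for this page (not Secure Auditor code). Input is the INI text
written by `secedit /export /cfg <file>` (the file is UTF-16; open it with
encoding="utf-16"). The two exports below are constructed samples.
"""
import configparser
from typing import Dict, List, Tuple

WEAK_POLICY = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
NewAdministratorName = "Administrator"
"""

PCI_POLICY = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 6
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
"""


def system_access(inf_text: str) -> Dict[str, int]:
    """Parse the [System Access] section; integer values only (string keys are skipped)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(inf_text)
    values = {}
    for key, raw in parser.items("System Access"):
        try:
            values[key] = int(raw)   # configparser already lower-cases the key
        except ValueError:
            continue                 # e.g. NewAdministratorName = "Administrator"
    return values


def check_policy(inf_text: str) -> Dict[str, Tuple[bool, int]]:
    """Return {requirement: (passed, observed value)} for PCI DSS 8.5.9-8.5.14."""
    p = system_access(inf_text)
    max_age = p.get("maximumpasswordage", -1)        # -1 = passwords never expire
    min_len = p.get("minimumpasswordlength", 0)
    complexity = p.get("passwordcomplexity", 0)      # 1 = Windows complexity rule on (stricter than 8.5.11)
    history = p.get("passwordhistorysize", 0)
    bad_count = p.get("lockoutbadcount", 0)          # 0 = account lockout disabled
    duration = p.get("lockoutduration", 0)           # -1 = locked until an administrator unlocks
    return {
        "8.5.9  max password age <= 90 days": (0 < max_age <= 90, max_age),
        "8.5.10 min length >= 7": (min_len >= 7, min_len),
        "8.5.11 numeric and alphabetic": (complexity == 1, complexity),
        "8.5.12 history >= 4": (history >= 4, history),
        "8.5.13 lockout after <= 6 attempts": (0 < bad_count <= 6, bad_count),
        "8.5.14 lockout >= 30 min or until admin reset":
            (bad_count > 0 and (duration == -1 or duration >= 30), duration),
    }


def failing(inf_text: str) -> List[str]:
    """Requirements the export does not satisfy (an empty list means compliant)."""
    return [req for req, (ok, _) in check_policy(inf_text).items() if not ok]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("pci", PCI_POLICY)):
        for req, (ok, value) in check_policy(text).items():
            print(f"{name:4} {'PASS' if ok else 'FAIL'} {req} (observed {value})")
```

Note that 8.5.14 is only meaningful when lockout is enabled at all, so the check fails closed when LockoutBadCount is 0, and that a domain-joined host may have these values imposed by Group Policy, in which case the export still reflects the effective setting.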


PCI/DSS Requirement 10 (Track and monitor all access to network resources and cardholder data)

PCI/DSS 10.2.2
PCI Clause: All actions taken by any individual with root or administrative privileges.
Illustration: Verify actions taken by any individual with root or administrative privileges are logged.
Compliance statement: The Event Log Viewer verifies the actions taken by any individual with root or administrative privileges. It fetches Oracle, MSSQL and Windows logs and presents them in a readable report that shows all activity by users holding administrative privileges.

PCI/DSS 10.2.3
PCI Clause: Access to all audit trails.
Illustration: Verify access to all audit trails is logged.
Compliance statement: Secure Auditor checks whether audit trail logging is enabled or disabled on the system.

PCI/DSS 10.2.4
PCI Clause: Invalid logical access attempts.
Illustration: Verify invalid logical access attempts are logged.
Compliance statement: The Event Log Viewer generates a separate report listing the logical access attempts made on a particular system.

PCI/DSS 10.2.5
PCI Clause: Use of identification and authentication mechanisms.
Illustration: Verify use of identification and authentication mechanisms is logged.
Compliance statement: The Event Log Viewer provides the logs related to the identification and authentication mechanisms defined for a particular system.

PCI/DSS 10.2.6
PCI Clause: Initialization of the audit logs.
Illustration: Verify initialization of audit logs is logged.
Compliance statement: With the Event Log Viewer the user can verify the initialization of the audit logs.

PCI/DSS 10.2.7
PCI Clause: Creation and deletion of system-level objects.
Illustration: Verify creation and deletion of system-level objects is logged.
Compliance statement: With the Event Log Viewer the user can verify the creation and deletion of system-level objects, including who performed each action and when.

PCI/DSS 10.3.1
PCI Clause: User identification.
Illustration: Verify user identification is included in log entries.
Compliance statement: The Event Log Viewer can show the logs of a particular user, which helps verify log entries on a per-user basis.

PCI/DSS 10.3.2
PCI Clause: Type of event.
Illustration: Verify type of event is included in log entries.
Compliance statement: The event type is clearly shown in Event Log Viewer reports.

PCI/DSS 10.3.3
PCI Clause: Date and time.
Illustration: Verify date and time stamp is included in log entries.
Compliance statement: The Event Log Viewer presents log entries with their date and time, which helps the user verify when a particular query was made.

PCI/DSS 10.3.4
PCI Clause: Success or failure indication.
Illustration: Verify success or failure indication is included in log entries.
Compliance statement: The Event Log Viewer reports the successful and failed log-in attempts made by different users, which helps determine the number of successful and failed log entries on a particular system.

PCI/DSS 10.3.5
PCI Clause: Origination of event.
Illustration: Verify origination of event is included in log entries.
Compliance statement: Every event that occurs is logged. The Event Log Viewer lets the user trace the origination of an event, including the related machine name and IP address.

PCI/DSS 10.3.6
PCI Clause: Identity or name of affected data, system component, or resource.
Illustration: Verify identity or name of affected data, system component, or resources is included in log entries.
Compliance statement: Secure Auditor provides the exact details of each instance, with the name of the affected data, system components and resources, through the event log reports and the fine-grained audit report viewable in the Event Log Viewer.
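Clauses 10.3.1 to 10.3.6 list six fields that every log entry must carry, and 10.2.4 and 10.3.4 require that invalid access attempts be logged with their outcome. The Python script below is an added example for this page, not Secure Auditor code or a description of its Event Log Viewer: it takes Windows Security log records in the XML form that `wevtutil qe Security /f:xml` emits, maps each record onto the six 10.3 fields, reports any record that leaves one of them empty, and counts failed logons (event 4625) per user. The records are constructed; the event IDs, the Keywords bits for Audit Success/Audit Failure, and the "-" that Windows writes when no source address was captured are the real conventions.

```python
"""Audit Windows Security log records for the PCI DSS 10.3 fields and
summarize invalid logon attempts (10.2.4, 10.3.4).

Added example for this page (not Secure Auditor code). Input is the XML
that `wevtutil qe Security /f:xml` produces, one <Event> element per
record, wrapped here in an <Events> root. The records are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KW_AUDIT_SUCCESS = 0x0020000000000000  # Keywords bit set on "Audit Success" records
KW_AUDIT_FAILURE = 0x0010000000000000  # Keywords bit set on "Audit Failure" records
LOGON_OK, LOGON_FAILED = "4624", "4625"  # Security-Auditing event IDs


def _event_xml(event_id: str, user: str, ip: str, when: str, computer: str = "PAY-APP01") -> str:
    """Constructed record in the Windows event XML schema (only the fields used here)."""
    keywords = 0x8000000000000000 | (KW_AUDIT_FAILURE if event_id == LOGON_FAILED else KW_AUDIT_SUCCESS)
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><Keywords>0x{keywords:016x}</Keywords>'
        f'<TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


# Constructed sample log: six failed logons for one account, one success, and one
# record whose source address was not captured (Windows writes "-" in that case).
SAMPLE_LOG = "<Events>" + "".join(
    [_event_xml(LOGON_FAILED, "alice", "10.1.2.3", f"2017-02-01T08:15:{s:02d}Z") for s in range(6)]
    + [_event_xml(LOGON_OK, "bob", "10.1.2.9", "2017-02-01T08:20:00Z"),
       _event_xml(LOGON_OK, "svc_backup", "-", "2017-02-01T08:21:00Z")]
) + "</Events>"


def parse_events(xml_text: str) -> List[Dict[str, str]]:
    """Map every <Event> onto the six fields PCI DSS 10.3 requires in a log entry."""
    entries = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        keywords = int(ev.findtext("e:System/e:Keywords", "0", NS), 16)
        time_created = ev.find("e:System/e:TimeCreated", NS)
        ip = data.get("IpAddress", "")
        entries.append({
            "user": data.get("TargetUserName", ""),                                   # 10.3.1
            "event_type": ev.findtext("e:System/e:EventID", "", NS),                  # 10.3.2
            "timestamp": time_created.get("SystemTime", "") if time_created is not None else "",  # 10.3.3
            "outcome": ("success" if keywords & KW_AUDIT_SUCCESS
                        else "failure" if keywords & KW_AUDIT_FAILURE else ""),       # 10.3.4
            "origin": "" if ip == "-" else ip,                                        # 10.3.5
            "resource": ev.findtext("e:System/e:Computer", "", NS),                   # 10.3.6
        })
    return entries


def missing_fields(entry: Dict[str, str]) -> List[str]:
    """Return the 10.3 sub-requirements this entry fails to satisfy."""
    required = {"user": "10.3.1", "event_type": "10.3.2", "timestamp": "10.3.3",
                "outcome": "10.3.4", "origin": "10.3.5", "resource": "10.3.6"}
    return [req for field, req in required.items() if not entry[field]]


def failed_logons_by_user(entries: List[Dict[str, str]]) -> Counter:
    """10.2.4: invalid logical access attempts, counted per user ID."""
    return Counter(e["user"] for e in entries if e["event_type"] == LOGON_FAILED)


if __name__ == "__main__":
    records = parse_events(SAMPLE_LOG)
    for user, count in failed_logons_by_user(records).items():
        note = " (at the 8.5.13 lockout threshold of 6)" if count >= 6 else ""
        print(f"{user}: {count} failed logons{note}")
    for rec in records:
        if missing_fields(rec):
            print("incomplete entry", rec["timestamp"], "missing", ", ".join(missing_fields(rec)))
```

The third constructed record shows the case a reviewer most often trips over: the entry is present and otherwise complete, but its origination field is empty, so it does not satisfy 10.3.5 even though the log itself is being written.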

PCI/DSS 10.4
PCI Clause: Synchronize all critical system clocks and times.
Illustration: 10.4 Obtain and review the process for acquiring and distributing the correct time within the organization, as well as the time-related system-parameter settings for a sample of system components. Verify the following is included in the process and implemented. 10.4.a Verify that a known, stable version of NTP (Network Time Protocol) or similar technology, kept current per PCI DSS Requirements 6.1 and 6.2, is used for time synchronization.
Compliance statement: Secure Auditor checks the time-related settings on a system so that they can be cross-checked against policy, and reports the Network Time Protocol configuration so that it can be compared with the system time to confirm that NTP is kept current and synchronized as PCI DSS requires.

PCI/DSS 10.7
PCI Clause: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
Illustration: 10.7.b Verify that audit logs are available for at least one year and processes are in place to restore at least the last three months' logs for immediate analysis.
Compliance statement: Secure Auditor checks that auditing is enabled according to company policy, and its Event Log Viewer can show earlier logs when they are needed. Logs can be retained by saving them on a monthly or yearly basis.

PCI/DSS Requirement 11 (Regularly test security systems and processes)

PCI/DSS 11.2
PCI Clause: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Illustration: 11.2.a Inspect output from the most recent four quarters of internal network, host, and application vulnerability scans to verify that periodic security testing of the devices within the cardholder data environment occurs. Verify that the scan process includes rescans until passing results are obtained. 11.2.b Verify that external scanning is occurring on a quarterly basis in accordance with the PCI Security Scanning Procedures. 11.2.c Verify that internal and/or external scanning is performed after any significant change in the network, by inspecting scan results for the last year. Verify that the scan process includes rescans until passing results are obtained.
Compliance statement: Secure Auditor performs vulnerability scanning of network, host and database assets to identify weaknesses in them, and its reports make it possible to compare and contrast the results of multiple audits conducted over a period of time. Automated audits can be scheduled on defined dates and their reports compared to evidence the quarterly audit dates. Significant changes in the network can be verified by comparing the variation between reports, and up to two years of results can be compared through the archived reports facility embedded in Secure Auditor.

PCI/DSS 11.3
PCI Clause: Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
Illustration: Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment.
Compliance statement: Secure Auditor provides penetration testing tools that help users perform penetration tests, so it can be used to carry out the penetration testing required at least annually.

PCI/DSS 11.3.1
PCI Clause: Network-layer penetration tests.
Illustration: 11.3.1 Verify that the penetration test includes network-layer penetration tests. These tests should include components that support network functions as well as operating systems.
Compliance statement: Secure Auditor contains utilities for network penetration testing such as the SNMP Browser, SNMP Brute Force Attacker, Port Scanner and FTP and HTTP attackers. Their reports are also generated, so the user can compare them to identify significant changes to the environment and satisfy the clause.

PCI/DSS Requirement 12 (Maintain a policy that addresses information security for employees and contractors)

PCI/DSS 12.1.1
PCI Clause: Addresses all PCI DSS requirements.
Illustration: 12.1.1 Verify that the policy addresses all PCI DSS requirements.
Compliance statement: The PCI DSS requirements are built into Secure Auditor, which helps an organization comply with PCI DSS.
