Comply to PCI DSS Requirements with EventLog Analyzer's Predefined Reports
PCI DSS Requirements and how to meet them with EventLog Analyzer
In addition to Requirement 10 of PCI DSS, EventLog Analyzer also houses reports that cater to most other requirements. With an easily comprehensible interface and unparalleled log-sweeping capabilities, EventLog Analyzer's compliance reports make PCI DSS compliance possible within a few clicks.
- PCI DSS Requirement 3 - Protect Stored Cardholder Data
- PCI DSS Requirement 7 - Restrict access to cardholder data by business need-to-know.
- PCI DSS Requirement 7.1 - Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
- PCI DSS Requirement 7.2 - Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.
- PCI DSS Requirement 8 - Assign a unique ID to each person with computer access.
- PCI DSS Requirement 8.5.1 - Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
- PCI DSS Requirement 8.5.8 - Do not use group, shared, or generic accounts and passwords.
- PCI DSS Requirement 8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.
- PCI DSS Requirement 8.5.16 - Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
- PCI DSS Requirement 11.1 - Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.
- PCI DSS Requirement 12 - Maintain a policy that addresses information security for employees and contractors.
- PCI DSS Requirement 12.2 - Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
PCI DSS Requirement 3:
Protect Stored Cardholder Data
What Needs To Be Done?
Cardholder Data is the holy grail of PCI DSS. Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.
PCI DSS Requirement 3.5.1:
What Is It?
Restrict access to (encryption) keys to the fewest number of custodians necessary.
What Needs To Be Done?
The first stage of protecting cardholder data is to have it encrypted, thereby rendering the data unusable unless the interceptor has the keys to decrypt it. The second stage is to restrict access to the encryption keys. This ensures that not everyone can decrypt the cardholder data, and it considerably reduces the risk of cardholder data being put to criminal use, as the keys to decrypt the data are no longer freely accessible.
How It Is Done:
The straightforward method of achieving compliance with this requirement is to restrict access to the encryption keys, and this can be done by the usual access control methods.
To prove compliance with this requirement, EventLog Analyzer presents the Report on Object Access, which shows the complete list of users who have accessed objects on the network, with details like the username and the timestamp, along with the object access details. This report can be filtered to show only the accesses to encryption keys. With this information, it is easy to arrive at the list of all users who have access to the encryption keys: information mandated by PCI DSS Requirement 3.5.1.
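The review described above, carried out over object-access events, as an added example that is not EventLog Analyzer's own code or report format: it filters the events down to key objects, derives the list of users who actually touched key material, and compares that list against an approved custodian list so that both unapproved accessors and custodians with no recorded need can be spotted. The event records, the key-store path prefix and the custodian list are constructed for illustration.

```python
"""Derive the users who accessed encryption-key objects from object-access
events and compare them with the approved custodian list (PCI DSS 3.5.1).

Added example; not EventLog Analyzer's own code or report format. The events,
the key-store prefix and the custodian list below are constructed.
"""
from collections import defaultdict

# Constructed object-access events: (timestamp, user, object_path, access_type)
OBJECT_ACCESS_EVENTS = [
    ("2024-05-01T08:02:11", "kms-svc", r"D:\keystore\cc-dek.key", "ReadData"),
    ("2024-05-01T08:15:40", "alice",   r"D:\keystore\cc-dek.key", "ReadData"),
    ("2024-05-01T09:01:03", "bob",     r"D:\reports\q1.xlsx",     "ReadData"),
    ("2024-05-01T11:22:57", "carol",   r"D:\keystore\cc-kek.key", "WriteData"),
    ("2024-05-02T07:45:19", "alice",   r"D:\keystore\cc-kek.key", "ReadData"),
    ("2024-05-02T13:10:00", "mallory", r"D:\keystore\cc-dek.key", "ReadData"),
]

# Hypothetical: object paths under these prefixes are treated as key material.
KEY_OBJECT_PREFIXES = ("D:\\keystore\\",)

# Hypothetical: the approved custodian list maintained under Requirement 3.5.1.
APPROVED_CUSTODIANS = {"kms-svc", "alice", "carol", "dave"}


def is_key_object(path):
    """True if the object path lies under a key-store prefix (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in KEY_OBJECT_PREFIXES)


def key_access_by_user(events):
    """Map each user who touched a key object to the set of key objects accessed."""
    accessed = defaultdict(set)
    for _ts, user, path, _access in events:
        if is_key_object(path):
            accessed[user].add(path)
    return dict(accessed)


def unapproved_key_accessors(events, approved):
    """Users who accessed key objects but are not on the approved custodian list."""
    return sorted(set(key_access_by_user(events)) - set(approved))


def unused_custodians(events, approved):
    """Approved custodians with no recorded key access in the review period;
    candidates for removal, keeping the custodian list as small as possible."""
    return sorted(set(approved) - set(key_access_by_user(events)))


if __name__ == "__main__":
    for user, objs in sorted(key_access_by_user(OBJECT_ACCESS_EVENTS).items()):
        print(f"{user}: {sorted(objs)}")
    print("unapproved accessors:", unapproved_key_accessors(OBJECT_ACCESS_EVENTS, APPROVED_CUSTODIANS))
    print("custodians without access:", unused_custodians(OBJECT_ACCESS_EVENTS, APPROVED_CUSTODIANS))
```

Running the block lists the key objects per user, reports mallory as an accessor who is not an approved custodian, and reports dave as a custodian who never used the access; the first finding is an access-control failure to investigate, the second is a candidate for tightening the custodian list.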
PCI DSS Requirement 7:
Restrict access to cardholder data by business need-to-know.
What Needs To Be Done?
Sensitive resources like cardholder data and PANs are housed in networks that handle a vast number of users and other objects. In such networks, security threats grow in proportion to the size of the network. Therefore it becomes imperative for the organization to restrict access to cardholder data. To make this systematic, PCI DSS also mandates that access to cardholder data can be allowed only on a business need-to-know basis. This ensures that no unauthorized users access the data, and that even authorized personnel access it only as business requirements dictate.
This requirement branches in to two sub-sections to fulfill the above purpose:
PCI DSS Requirement 7.1:
What Is It?
Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
What Needs To Be Done?
This requirement emphasizes the need to restrict access to cardholder data, and to the computing resources that hold it, to only those with a job-related requirement. One implication is that access should not be granted on the basis of a user's privilege level on the network, but independently of user type. This means that not every administrative user will have access to cardholder data, which protects sensitive information from being accessed by unauthorized users.
How It Is Done:
The needful measures to restrict access to sensitive areas of the network can be effected by using simple access control methods. However, to prove the effectiveness of these methods, it takes an extra step.
EventLog Analyzer presents four reports that can help you establish your organization's compliance to PCI DSS Requirement 7.1:
- Report on Successful User Logons gives information on the users who were able to log in to the network successfully. Drilling down on the logon information gives more granular details like the time stamp and the resources accessed. This data can establish that no user without sufficient privileges or a job requirement accessed sensitive resources of the network.
- Report on Successful Logoffs takes care of the opposite end of the logon section. Using this report, it can be proved that no user stayed logged on for unusually long stretches of time and that every user who logged in also logged off from the network.
- Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources.
- Reports on Audit Policy Changes will help validate any new entry in the logon reports. For example, if a new user has logged in to the network, Audit Policy Changes can show the particular policy change that enabled the user to access a sensitive resource.
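The logon/logoff review described for the Successful User Logons and Successful Logoffs reports, as an added example that is not EventLog Analyzer's own code or report format: it correlates Windows Security logon (4624) and logoff (4634) events by Logon ID into sessions, then flags sessions that ran longer than a chosen limit and logons that never received a matching logoff. The events and the 12-hour limit are constructed for illustration.

```python
"""Pair logon and logoff events into sessions and flag unusually long or
never-closed sessions (the review described under PCI DSS 7.1).

Added example; not EventLog Analyzer's own code or report format. Events are
constructed and use Windows Security event IDs 4624 (successful logon) and
4634 (logoff), correlated by Logon ID.
"""
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, user, logon_id)
LOGON_EVENTS = [
    ("2024-05-01 08:00:12", 4624, "alice", "0x3e7a1"),
    ("2024-05-01 08:05:44", 4624, "bob",   "0x3e7b2"),
    ("2024-05-01 12:30:05", 4634, "alice", "0x3e7a1"),
    ("2024-05-01 22:10:00", 4624, "carol", "0x3e7c3"),
    ("2024-05-02 20:15:30", 4634, "bob",   "0x3e7b2"),  # roughly 36 h session
    # carol's logon has no matching 4634: still open at the end of the window
]

MAX_SESSION = timedelta(hours=12)  # hypothetical threshold for "unusually long"


def build_sessions(events):
    """Return {logon_id: (user, start, end_or_None)} by pairing 4624/4634 events."""
    sessions = {}
    for ts, event_id, user, logon_id in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4624:
            sessions[logon_id] = (user, t, None)
        elif event_id == 4634 and logon_id in sessions:
            u, start, _ = sessions[logon_id]
            sessions[logon_id] = (u, start, t)
    return sessions


def long_sessions(sessions, limit=MAX_SESSION):
    """(user, duration) for closed sessions that exceeded the limit."""
    return sorted(
        (user, end - start)
        for user, start, end in sessions.values()
        if end is not None and end - start > limit
    )


def open_sessions(sessions):
    """Users with a logon but no matching logoff inside the review window."""
    return sorted(user for user, _start, end in sessions.values() if end is None)


if __name__ == "__main__":
    s = build_sessions(LOGON_EVENTS)
    print("long sessions:", long_sessions(s))
    print("no logoff recorded:", open_sessions(s))
```

Correlating on Logon ID rather than on user name matters because one user may hold several concurrent sessions; pairing by name alone would close the wrong one. Sessions left open at the end of the window are worth a second look, since a missing 4634 can mean an unattended logon as easily as a host that was powered off.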
PCI DSS Requirement 7.2:
What Is It?
Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.
What Needs To Be Done?
This requirement is of vital importance when it comes to multiple users accessing the same system. In this case, the privileges have to be user-specific and not system-specific. This will ensure that, irrespective of the system in which the users are logged in to, only the users who have the sufficient privileges can access the resources. This requirement also mandates not defaulting any user in to accessing sensitive areas of the network. This is important so that no newly created user is defaulted in to accessing all the network resources.
How It Is Done:
As in every case, the permissions for each user can be configured using access control lists. To prove the effectiveness of these access control measures and, in turn, to establish compliance with PCI DSS Requirement 7.2, EventLog Analyzer presents two reports:
- The Successful User Logon Report shows that only the users who have proper credentials and the business-requirement have logged in to access the secure areas of the network.
- Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources.
PCI DSS Requirement 8:
Assign a unique ID to each person with computer access.
What Needs To Be Done?
This requirement of PCI DSS demands that a unique identifier be assigned to each person who has access to the network computers. Though this requirement might seem basic and taken for granted, it has profound repercussions for network security. Only if a unique identifier exists for each user with computer access can every action performed using the credentials be traced back to that user. This helps trace the cause of a security breach precisely to its source.
Requirement 8.5 specifically talks about using proper user-authentication and password mechanisms. This Requirement is further divided in to sub-sections and each one plays a part in achieving the end-goal of being able to uniquely identify users.
PCI DSS Requirement 8.5.1:
What Is It?
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
What Needs To Be Done?
User authentication and the security of login credentials have a direct impact on cardholder data security. Securing user access and login credentials greatly enhances the security of cardholder data. Therefore it is important to keep tabs on user-administration activities. For this reason, PCI DSS mandates that there be complete control over the addition and modification of user IDs and any other identifier object.
How It Is Done:
Even outside the PCI DSS point of view, it is important to have controls over the creation and modification of users. These controls can be effected by defining the powers of each user using standard access control methods. To establish compliance with PCI DSS, it is important to prove that the access control methods are effective.
EventLog Analyzer comes pre-loaded with Change Audit Reports that will help in this respect. Using EventLog Analyzer's Change Audit Reports, the exact policy changes can be traced. This can help track the effect of each policy change - the users or the roles that were authorized to perform modifications on the user IDs can be identified. This data can help establish compliance to PCI DSS.
PCI DSS Requirement 8.5.8:
What Is It?
Do not use group, shared, or generic accounts and passwords.
What Needs To Be Done?
The implications of this requirement are obvious: using group, shared or generic accounts and passwords defeats the entire purpose of assigning a unique user ID, because the actions performed using generic credentials cannot be traced to a single user. Hence, from a security perspective, it is of utmost importance to comply with this PCI DSS requirement.
How It Is Done:
The only way to prove that your organization is compliant to the above-mentioned requirement is to list out all the user-names with accesses to network resources, and prove that there's no generic name in the list.
EventLog Analyzer, with its Successful Logon Reports, will help prove your compliance with this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. Using the user names in the list, it can be proved that no generic names were used to log in to the system or the network.
PCI DSS Requirement 8.5.13:
What Is It?
Limit repeated access attempts by locking out the user ID after not more than six attempts.
What Needs To Be Done?
Access to cardholder data and other sensitive resources cannot be left to chance; this requirement of PCI DSS seals such loopholes. Per this requirement, a user ID must be locked out after not more than six unsuccessful logon attempts. With this requirement in place, an unauthorized user who tries to access a restricted resource by guessing the password cannot keep guessing indefinitely.
How It Is Done:
The primary method to enforce this measure would be to enforce strong password policies and define the number of unsuccessful logon attempts before the user is denied access in to the resource he's trying to access.
EventLog Analyzer, with its Successful Logon Reports, will help prove your compliance with this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. Using the user names in the list, it can be proved that no generic names were used to log in to the system or the network.
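Both of the checks described above, the generic-name review for Requirement 8.5.8 and the lockout review for Requirement 8.5.13, as one added example that is not EventLog Analyzer's own code or report format. It scans successful (4624) and failed (4625) Windows Security logon events: the first check lists successful logons made under shared or generic names, and the second finds user IDs whose run of consecutive failures exceeded six, which is the evidence that lockout did not engage as required. The events and the generic-name patterns are constructed for illustration; the pattern list is a hypothetical starting point, not a complete one.

```python
"""Two checks over logon events:
  1. PCI DSS 8.5.8: successful logons made with group, shared or generic
     account names instead of a unique per-person ID.
  2. PCI DSS 8.5.13: user IDs whose run of consecutive failed logons exceeded
     six, meaning the required lockout did not take effect.

Added example; not EventLog Analyzer's own code or report format. Events are
constructed and use Windows Security event IDs 4624 (success) and 4625
(failure). The generic-name patterns are a hypothetical starting list.
"""
import re

# Constructed events: (timestamp, event_id, user)
LOGON_EVENTS = [
    ("2024-05-01 08:00:01", 4624, "alice"),
    ("2024-05-01 08:00:30", 4624, "Administrator"),
    ("2024-05-01 08:01:00", 4625, "bob"),
    ("2024-05-01 08:01:05", 4625, "bob"),
    ("2024-05-01 08:01:10", 4625, "bob"),
    ("2024-05-01 08:01:20", 4624, "bob"),        # success resets bob's streak
    ("2024-05-01 08:02:00", 4624, "shared-pos"),
    ("2024-05-01 09:00:00", 4625, "dave"),
    ("2024-05-01 09:00:10", 4625, "dave"),
    ("2024-05-01 09:00:20", 4625, "dave"),
    ("2024-05-01 09:00:30", 4625, "dave"),
    ("2024-05-01 09:00:40", 4625, "dave"),
    ("2024-05-01 09:00:50", 4625, "dave"),
    ("2024-05-01 09:01:00", 4625, "dave"),       # 7th consecutive failure
    ("2024-05-01 09:01:10", 4625, "dave"),       # 8th: lockout did not engage
]

# Hypothetical patterns for non-unique account names (matched case-insensitively).
GENERIC_NAME_PATTERNS = [
    r"^administrator$", r"^admin\d*$", r"^guest$", r"^root$",
    r"^(shared|generic|common|test|temp)[-_]?",
    r"[-_](shared|pos|kiosk)$",
]
GENERIC_NAME_RE = re.compile("|".join(GENERIC_NAME_PATTERNS), re.IGNORECASE)

MAX_FAILED_ATTEMPTS = 6  # PCI DSS 8.5.13: lock out after not more than six


def is_generic_account(user):
    """True if the account name matches one of the shared/generic patterns."""
    return GENERIC_NAME_RE.search(user) is not None


def generic_account_logons(events):
    """Distinct generic or shared names that logged on successfully (8.5.8)."""
    return sorted({u for _ts, eid, u in events if eid == 4624 and is_generic_account(u)})


def lockout_violations(events, limit=MAX_FAILED_ATTEMPTS):
    """user -> longest run of consecutive failed logons, for runs above the limit (8.5.13).
    A successful logon resets the user's run; failures are counted in time order."""
    streak, longest = {}, {}
    for _ts, eid, user in sorted(events):
        if eid == 4625:
            streak[user] = streak.get(user, 0) + 1
            longest[user] = max(longest.get(user, 0), streak[user])
        elif eid == 4624:
            streak[user] = 0
    return {u: n for u, n in longest.items() if n > limit}


if __name__ == "__main__":
    print("generic accounts with successful logons:", generic_account_logons(LOGON_EVENTS))
    print("lockout not enforced for:", lockout_violations(LOGON_EVENTS))
```

The lockout check deliberately counts consecutive failures rather than failures per hour: the requirement is about the count before lockout, and a user who fails three times, logs in, and later fails three more has not violated it. Name-pattern matching is only a first pass for 8.5.8; the list of patterns has to be maintained against the organization's own naming conventions, and any hit should be confirmed against the directory before it is reported.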
PCI DSS Requirement 8.5.16:
What Is It?
Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
What Needs To Be Done?
With this requirement in place, it is impossible to circumvent the authentication process when accessing resources through an application. This also ensures that there is no default authentication into the sensitive areas of the network, even through applications or other consoles. Additionally, it forbids an administrator from having blanket credentials that allow blind access to all the network resources.
How It Is Done:
The initial authentication mechanisms have to be configured so that there is no way to bypass the authenticating interface.
EventLog Analyzer presents two reports that can prove compliance to this Requirement.
Successful Logon Reports will help prove your compliance with this requirement. Using EventLog Analyzer's Successful Logon Reports, all the users who successfully logged in to the network can be obtained. This ensures that there was no unauthenticated entry into the critical resources of the network.
The Report on Individual Actions will list out all the activities of all the users on the network, by user. Using the data obtained from this report, the administrator can find out the areas accessed by that particular user. Coupling the data from this report with the former, compliance to PCI DSS Requirement 8.5.16 can be established.
PCI DSS Requirement 11.1:
What Is It?
Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.
What Needs To Be Done?
This requirement calls for testing security measures on an annual basis, so that the security devices are up to date, if not ahead, in thwarting the ever-evolving brute-force attacks that attempt to access classified data. It also demands testing the wireless devices in use on a quarterly basis, as vulnerabilities are higher for wireless devices.
How It Is Done:
The only way to establish compliance to this section of PCI DSS is to manually test the securities of all the connections and controls.
EventLog Analyzer presents three reports that can help you establish your organization's compliance to PCI DSS Requirement 11.1:
- Report on Successful User Logons gives information on the users who were able to log in to the network successfully. This information serves to identify authorized users.
- Report on Object Access shows the same data from an object's perspective; this ensures that no object was subjected to unauthorized or malicious access.
- Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources. A user unsuccessfully trying to access a resource is the most obvious sign of a security threat.
PCI DSS Requirement 12:
Maintain a policy that addresses information security for employees and contractors.
What Needs To Be Done?
Requirement 12 of PCI DSS is the icing on all the above requirements: per this requirement, there has to be a security policy in place that addresses information security for employees and contractors alike. This requirement serves to provide a constitution that addresses breaches of the protocol by employees and contractors. It is the precursor to all the above requirements, as it is the one that provides the various policies that govern information security.
This requirement is further divided in to a few sub-requirements:
PCI DSS Requirement 12.2:
What Is It?
Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures)
What Needs To Be Done?
Requirement 12.2 makes PCI DSS compliance an everyday affair rather than a one-off activity. Complying with it means that the procedures in place to establish PCI DSS compliance also contribute to day-to-day organizational and information security.
How It Is Done:
The only way to establish compliance to this section of PCI DSS is to manually test the securities of all the connections and controls.
EventLog Analyzer presents three reports that can help you establish your organization's compliance to PCI DSS Requirement 12.2:
- Report on Successful User Logons gives information on the users who were able to log in to the network successfully. This information serves to identify authorized users.
- Report on Object Access shows the same data from an object's perspective; this ensures that no object was subjected to unauthorized or malicious access.
- Reports on Logon Attempts will show that users who, without suitable credentials, tried logging in to sensitive resources of the network, were denied access to the resources. A user unsuccessfully trying to access a resource is the most obvious sign of a security threat.
EventLog Analyzer's reports are created with your organization's PCI DSS requirements in mind. With this many reports in place, establishing your organization's compliance with PCI DSS is child's play. EventLog Analyzer also provides reporting solutions for various government regulatory acts like SOX, HIPAA, FISMA and GLBA!