Requirements and Milestones Reporting

Transcription

1 IBM BigFix Compliance PCI Add-on Requirements and Milestones Reporting Payment Card Industry Data Security (PCI DSS)

2 Table of Contents Introduction...2 Installing the reports manually...3 Updating the reports manually...7 Installing the reports using the script (import_milestones.sh)...8 Updating the reports using the script (import_milestones.sh) Appendix A: PCI DSS Requirements A.1: All checklists with requirements A.2: Checks List for PCI DSS Requirement 10 and mapping to PCI DSS standard A.3: Checklist Overview for PCI DSS Requirement A.4: Checks List for PCI DSS Requirement A.5: Check Overview for PCI DSS requirement A.6: List of Computers for PCI DSS Requirement A.7: List of checks and computers that are compliant to PCI DSS requirement A.8: List of checks and computers that are not compliant to PCI DSS requirement Appendix B: PCI DSS Milestones B.1: All checklists with milestones B.2: Milestones Summary Checklist Overview Report B.3: Checks List for PCI DSS Milestone 1 and mapping to PCI DSS prioritized approach B.4: Checklist Overview for PCI DSS Milestone B.5: Checks List for PCI DSS Milestone B.6: List of Computers for PCI DSS Milestone B.7: List of checks and computers that are compliant to PCI DSS milestone B.8: List of checks and computers that are not compliant to PCI DSS milestone

3 Introduction Use Security and Compliance Analytics (SCA), now known as IBM BigFix Compliance, to navigate and explore security configuration check results. SCA is a web-based application designed to help you manage security, vulnerability, and risk assessment. The application archives security and vulnerability compliance check results to identify configuration issues and report levels of compliance toward security configuration goals. These reports can be filtered, sorted, grouped, customized, or exported according to your preferences and requirements. In addition to the available reports in SCA, IBM BigFix Compliance PCI Add-on provides supplementary reports that show the cumulative state aggregated on the level of specific Payment Card Industry Data Security Standard (PCI DSS) requirement or milestone. These reports are generated based on the data from the available PCI DSS checklists. To use these supplementary reports, you need to complete the installation steps discussed in this document. Note: The SCA exceptions do not exclude chosen PCI DSS Fixlets from the Requirements and Milestones Reporting as cumulative result contains all results. Results from the Requirements and Milestones Reporting also include summary views at the home page or on computer level. 2

4 Installing the reports manually Before you Begin To access the PCI DSS Requirements and Milestones Reporting from SCA, complete the following steps: Process 1. Subscribe to either the PCI DSS Checklist for Windows 2012 site or the PCI DSS Checklist for RHEL 6 site. 2. Deploy the Environment Setup Task - Download Requirements and Milestones Reporting Installer task to download the reports installer (import_milestones.zip package). 3. Extract the BES directory with.bes files to your local disk. To install the reports manually, you must import each of the files to a separate custom site using IBM BigFix Console. 1. Create a custom site for each.bes file. a. From the IBM BigFix console, click Tools > Create Custom Site. b. Enter a name for the custom site and click OK. 3

5 2. Import a Fixlet to the custom site. a. On your local disk, browse for the Fixlet that you want to add in the custom site and double-click it. The dialog window on the IBM BigFix Console opens. b. On the right-upper corner of the console, select the custom site that you created for this Fixlet in step 1 and click OK. 4

6 All the Fixlet are available in the IBM BigFix Console. 3. Complete steps 1 and 2 for each.bes file. 4. When all the custom sites for the Requirement and Milestones Reports are created and new Fixlets and analyses are imported in the IBM BigFix Console, you must subscribe computers to each site. Note: To enhance this process you can use Computer Groups. You can create the groups manually, assign computers to them, and then assign the computer groups to the reporting custom sites. 5

7 5. Run the Environment Setup Tasks. There are two separate environment setup tasks: one is designed for the PCIDSS Milestone site and the other for all other Requirement and Milestones Reporting sites. Both of them are located under PCIDSS_Milestones site. 6. Import data to the SCA by running Import from the SCA console. Note: In case of updates to the Requirements and Milestones Reporting, you must delete the outdated content from the IBM BigFix console. For more information, see Updating the reports manually. 6

8 Updating the reports manually To update the Requirements and Milestones Reporting, complete the following steps: 1. Remove all the Fixlets and analyses in every custom site that you have created for the reporting. You may also need to delete the custom site. This step ensures that no duplicates will be created. 2. Import the new version of the Fixlets and analyses by importing the definitions from the.bes files. a. On your local disk, browse for the Fixlet that you want to add in the custom site and double-click on it. The dialog window on the IBM BigFix Console opens. b. On the right-upper corner of the console, select the custom site that you created for this Fixlet in step 1 and click OK. 3. After the sites are updated you need to run both environmental setup tasks. There are two separate environment setup tasks: one is designed for the PCIDSS Milestone site and the other for all other Requirement and Milestones Reporting sites. Both of them are located under PCIDSS_Milestones site. Note: If you created a new custom site from scratch, ensure that computers are subscribed to the site. 7

9 Installing the reports using the script (import_milestones.sh) The provided installation script creates and configures the necessary files to collect data from the endpoints and display them in the reports in SCA. The script can be used on Windows or Linux OS and with Cygwin and curl package. Running the script creates the following resources in your local disk: 3 computer groups (PCIDSS_Requirement_Group, PCIDSS_Milestones_Group, PCIDSS_Milestone_Group) 16 custom sites and upload them in the IBM BigFix console with the corresponding Fixlets Before you Begin Ensure that you have the curl package installed as it is required to use the script. To access the PCI DSS Requirements and Milestones Reporting from SCA, complete the following steps: 1. Subscribe to either the PCI DSS Checklist for Windows 2012 site or the PCI DSS Checklist for RHEL 6 site. 2. Deploy the Environment Setup Task - Download Requirements and Milestones Reporting Installer task to download the reports installer (import_milestones.zip package). 3. Extract the files to your local disk. The package contains: - import_milestones.sh - BES directory with.bes files - META-INF directory with the manifest Process 1. Updated the script with the URL to IBM BigFix console and credentials as follows: host=" userpass="admin:xxxxxxxx" For the port number, see the masthead file located in <InstallationPath>\BigFix Enterprise\BES Installers\Server\masthead.afxm. The default port is Note: When modifying the file on a Windows OS, you need to keep the UNIX formatting (end of line character). 2. Execute the script in the current directory:./import_milestones.sh 8

10 3. When all the custom sites for the Requirement and Milestones Reports are created in the IBM BigFix Console along with the Fixlets, you must subscribe all computers to each site. Note: To enhance this process you can use the Computer Groups that were created and assigned to the reporting custom sites. You must assign computers to the groups. 4. Run the Environment Setup Tasks. There are two separate environment setup tasks: one is designed for the PCIDSS Milestone site and the other for all other Requirement and Milestones Reporting sites. Both of them are located under PCIDSS_Milestones site. 5. Import data to the SCA by running Import from the SCA console. 9

11 Updating the reports using the script (import_milestones.sh) The script can be used to update the Requirements and Milestones Reporting. To perform this task you can use the script in the same way as during the installation. See Installing the reports using the script (import_milestones.sh)the script will remove the Fixlets and analyses from the following reporting custom sites and import the new versions of the files. During the removal, the percentage of action progress will be presented. The whole process can take about 1 hour approximately. Once it is completed, all the sites will have the new Fixlets and analyses. The computer assignments using the computer groups will not be affected. 10

12 Appendix A: PCI DSS Requirements This section shows BigFix Compliance reports that are generated based on the Requirements and Security Assessment Procedures for PCI DSS 3.2. The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. In this appendix, we will use Requirements 10 as an example to show the PCI DSS Requirements Reporting. 11

13 A.1: All checklists with requirements This view lists the checklists for each requirement. Each requirement has a corresponding checklist. Note: PCI DSS requirements 9, 11, and 12, which are process-oriented in nature, are not covered in BigFix Compliance. To view the checklists from SCA, click Reports > Checklists. To view more information about a checklist, click the checklist name from the Checklist view. 12

14 A.2: Checks List for PCI DSS Requirement 10 and mapping to PCI DSS standard The PCI DSS requirements are mapped to the twelve PCI DSS requirements and their sub-requirements that are listed in This mapping was used in creating the checklists for the requirements perspective. 13

15 A.3: Checklist Overview for PCI DSS Requirement 10 To view an overview of a specific requirement checklist, click Reports > Checklists. Then, select a requirement checklist: PCIDSS_Requirement_<number>. The Overview presents a graphic representation of compliance history, computers by compliance quartile, and check results history with an overall compliance percentage shown in the top left corner of the console. From this view, you can: - View the list of checks by clicking on the number of checks available. - View the list of computers by clicking on the number of computers available. - View the list of checks and computers based on their compliance status. 14

16 A.4: Checks List for PCI DSS Requirement 10 You can view the available checks in a checklist in detail by drilling down to the checks. You can do this by clicking the number of checks displayed on the Checklist Overview page. This view shows a list of all checks, each in its cumulative state, for a requirement checklist. In this case, the cumulative state for each check for requirement 10 is displayed. 15

17 A.5: Check Overview for PCI DSS requirement 10 You can drill down to a specific check to view an overview of the cumulative check result. To do this, you can either click on a check name from the check list (as shown in the previous screenshot) or click Reports > Checks and select the cumulative check or click any check in the list. This view shows a graphic representation of compliance history and check results history for a particular check, in this case, requirement

18 A.6: List of Computers for PCI DSS Requirement 10 You can view the list of computers that are relevant to a specific requirement. To view this report, click the number of computers displayed on the Checklist Overview page. This view shows a list of all computers with additional information (i.e. OS). It also shows the corresponding compliance status for each computer. 17

19 A.7: List of checks and computers that are compliant to PCI DSS requirement 10 You can configure the view according to what information you want to display by using the Configure View option. In this example, use Filters to specify that you want to view only the checks and computers that compliant to PCI DSS requirement

20 This view shows which computers and checks are in compliance with a particular requirement checklist, in this case, requirement

21 A.8: List of checks and computers that are not compliant to PCI DSS requirement 10 You can configure the view according to what information you want to display by using the Configure View option. This view shows which computers and checks are not in compliance with a particular requirement checklist, in this case, requirement

22 Appendix B: PCI DSS Milestones This section shows BigFix Compliance reports that are generated based on the Prioritized Approach for PCI DSS 3.2. The Prioritized Approach provides six security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. In this appendix, we will use Milestone 1 as an example to show the PCI DSS Milestones Reporting. 21

23 B.1: All checklists with milestones To view the Milestones Summary checklist from SCA, click Reports > Checklists. This view lists the checklists for each milestone. There are 7 milestone checklists in total, including the milestone summary checklist. Each milestone has a corresponding checklist, and is intended to provide a roadmap to address risks in a prioritized order. Milestones enable merchants to demonstrate progress on compliance process. 22

24 B.2: Milestones Summary Checklist Overview Report To view the Milestones Summary checklist from SCA, click Reports > Checklists. Then, select PCIDSS_Milestones from the list of checklists. This view shows a summary of all six milestones in a graphic representation of compliance history, computers by compliance quartile, and check results history with an overall compliance percentage shown in the top left corner of the console. From this view, you can: - View the list of checks by clicking on the number of checks available. - View the list of computers by clicking on the number of computers available. - View the list of checks and computers based on their compliance status. 23

25 B.3: Checks List for PCI DSS Milestone 1 and mapping to PCI DSS prioritized approach The PCI DSS milestones are mapped to the six PCI DSS milestones that are listed in This mapping was used in creating the checklists for the prioritized approach. 24

26 B.4: Checklist Overview for PCI DSS Milestone 1 To view an overview of a specific milestone checklist, click Reports > Checklists. Then, select a milestone checklist PCIDSS_Milestone_<number>. The Overview presents a graphic representation of compliance history, computers by compliance quartile, and check results history with an overall compliance percentage shown in the top left corner of the console. From this view, you can: - View the list of checks by clicking on the number of checks available. - View the list of computers by clicking on the number of computers available. - View the list of checks and computers based on their compliance status. In this example, you can see the overview of the PCIDSS_Milestone_1 checklist. 25

27 B.5: Checks List for PCI DSS Milestone 1 You can view the available checks in a checklist in detail by drilling down to the checks. You can do this by clicking the number of checks displayed on the Checklist Overview page. The Checks List report shows the list of checks in the given scope together with attributes of each check and the overall, historical aggregate compliance results (the aggregate of all visible computer s pass and fail score) of each check. 26

28 B.6: List of Computers for PCI DSS Milestone 1 You can view the list of computers that are relevant to a specific requirement. To view this report, click the number of computers displayed on the Checklist Overview page. This view lists all the computers that are applicable to a particular milestone checklist, in this case, milestone 1. 27

29 B.7: List of checks and computers that are compliant to PCI DSS milestone 1 You can configure the view according to what information you want to display by using the Configure View option. In this example, use Filters to specify that you want to view only the checks and computers that compliant to PCI DSS milestone 1. 28

30 This view shows which computers and checks are in compliance with a particular milestone checklist, in this case, milestone 1. 29

31 B.8: List of checks and computers that are not compliant to PCI DSS milestone 1 You can configure the view according to what information you want to display by using the Configure View option. This view shows which computers and checks are not in compliance with a particular milestone checklist, in this case, milestone 1. 30