IC L19 - Consolidate Information from across your Infrastructure to create a custom report for PCI DSS

Hands-On Lab

Description

How to implement external data connectors for data relevant to PCI and map that data to controls alongside data from across your environment. Using Analysis within Control Compliance Suite, map controls to the requirements of PCI and other regulations. Customize dashboards to present the mandate data in multiple ways for different teams to easily digest.

At the end of this lab, you should be able to

- View a PCI dashboard
- Understand how external data gets into CCS
- Use Assessment Manager to assess PCI procedural controls
- Understand Control Statements
- View a Mandate Report

Notes

- A brief presentation will introduce this lab session and discuss key concepts.
- The lab will be directed and provide you with step-by-step walkthroughs of key features.
- Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
- Be sure to ask your instructor any questions you may have.
- Thank you for coming to our lab session.

Exercise 1: PCI Dynamic Dashboard View

This exercise focuses on identifying changes in the PCI status of an asset. Using the CCS Dashboards you can see a consolidated view of data collected from CCS Standards Manager and third-party solutions which have been integrated into CCS. CCS has predefined dashboard views for mandates such as PCI.

1. Double click on the CCS Web portal from the desktop icon

   This brings you to the CCS Web Client. The web client lets you view and create dashboards using the data within CCS and external data from third-party solutions; accept, review, and approve policies from the CCS Policy Manager solution; and answer questionnaires from the CCS Assessment Manager solution.

2. Select the Dashboards Tab
3. Expand the Misc tab

   These are the default dashboards that come with the solution. They have been generated to provide a view of information based on mandates and operational information.

4. Select the Compliance Analysis PCI Mandate Dashboard
5. From the Compliance Score for PCI Mandate select the Red piece of the pie chart
6. Select the SYMPL\WS6535 Asset

   This provides you with a data sheet which shows all the information we have collected for the Asset.

7. What are the two Providers for the Failed External Data Assessments?

Exercise 2: Understand the CCS External Data Connector feature

In order to show due diligence for PCI requirements it is important to have a single view of data from multiple solutions, as we showed in Exercise 1. The next step is to learn how data from external solutions is easily brought into the CCS solution and the different ways to view that data.

1. Double click on the Symantec Control Compliance Suite Console Icon from the desktop
2. Open the CCS Console and navigate to Manage > External Data Integration
3. Expand the Qualys Vulnerability Manager Data System

   You must add an external data system to CCS before you can import data into CCS. CCS supports ODBC, CSV and Web services as data connections. The data connection used is determined by the format the data is in within the external solution.

   The Qualys Vulnerability Manager Data System is a connector created by Symantec for Qualys data. Symantec provides several predesigned connectors for third-party solutions, which are available on the Symantec Community Connect Web Site: http://www.symantec.com/connect/?inid=us_sc_flyout_connect

4. From the properties tab view select the Field Mappings tab

   The field mappings are the data fields being brought into CCS from the third-party solution, which are then mapped to data fields within CCS.

5. Check that the following fields from the Qualys data are mapped to CCS:

   - Vulnerability Type
   - Last Scan Date/Time
   - Patchable
   - IP Address

6. Which Mapped field would indicate the Asset Type?
7. Select the Qualys Connector beneath the Qualys Manager Data System.

   The Data Connection provides the information needed in order to collect the data from the third-party solution.

8. What are the three parameters used to collect data from Qualys?

   Right click on the Qualys Vulnerability Manager Data System
   Select View Data Schema
   What is the number of Data Records Displayed?

   Note: For this demo environment we only collected Qualys vulnerability data from one IP address.

9. Double click on the CCS Web portal from the desktop icon
10. Select the Dashboards Tab
11. Expand the Misc tab
12. Select the Compliance Analysis PCI Mandate Dashboard
13. From the Compliance Score for PCI Mandate select the Red piece of the pie chart
14. Select the link for the Asset 10.0.39.6:10.0.39.6
15. View the External Data provided by Qualys

Exercise 3: Using Assessment Manager for PCI Procedural controls

Technical controls are not the only type of data necessary for showing a compliance strategy towards PCI. CCS Assessment Manager provides the ability to assess the procedures you use towards your PCI goals. The PCI SAQ questionnaire was designed as a self-evaluation tool for merchants and service providers who are not required to do an on-site security assessment. Using the CCS Assessment Manager solution you can use the PCI SAQ questionnaires to answer those critical procedural questions and associate the information back to your infrastructure and your policies.

1. Double click the CCS Web Console icon on the desktop
2. Select the CCS Assessment Manager (AM) link within the Favorites tool bar
3. The CCS AM Home page is displayed

   The CCS Assessment Manager Admin Web client provides access to various Admin-related functions that you perform for a questionnaire.

4. Looking at the console, how many Assessments are still in Progress?
5. How many are pending acceptance?

   Questionnaires are created within the CCS Assessment Manager Client. For this lab we have prepopulated questionnaires for you.

6. Select the Review and Publish link from within the Questionnaires section of the home page

   Once a questionnaire has been created it is reviewed and published from this location. Once a questionnaire is published it becomes available for review.

7. Select the PCI SAQ 2.0 Self-Assessment Questionnaire C
8. Click the publish button and then click OK
9. From within the Assessments section select the Initiate and Track Assessments link

   Once a questionnaire is approved and published, you can initiate an assessment by sending the assessment to selected end users.

10. Click Create

   There are two types of Assessments which can be created.

   The User Assessment allows you to collect responses based on non-IT assessments. These assessments are usually quiz-based and help you assess compliance based on an individual as opposed to an asset. A good example would be Security Awareness training.

   The Asset Compliance assessment allows you to collect responses and evidence based on procedural controls which relate to assets within the environment and are related to the controls within mandates, policies and risk objectives.

11. Select the Asset Compliance Assessment.
12. Click on the PCI DSS v2.0 Self-Assessment Lab Questionnaire
13. Select Next

   Asset compliance assessments will be sent to asset owners of business assets or individual assets which are defined within the CCS Asset System.

14. Click the Individual Asset Owners
15. Expand the Asset System
16. Select the Qualys Folder
17. Select Next
18. Who is the Asset Owner?
19. Select Next

   Some assessments will require multiple responders based on the different sections within the questionnaire. The example questionnaire was created so that sections would not show.

20. Select Next

   Prerequisites allow you to attach collateral such as documentation, videos or URLs which you would like to associate and have available for the attester to review. There is also the option to require the attester to acknowledge they have read the content.

21. Select Next
22. Change the Due date to two weeks from today.

   The solution will populate the questionnaire within the end user's CCS Web interface. You can email a notification to the user, as well as a reminder, to ensure they are notified to go look for the questionnaire.

23. Select Next
24. Within the Welcome Text box type: This is a short example of a much larger PCI DSS v2.0 Self-Assessment Questionnaire
25. Select Next

   At this point you have the option to schedule the date and time the questionnaire is sent to the end user. Select Finish to send the questionnaire now.

26. From the Desktop select the Login as a different user icon
27. Login name: SYMPL\Jane_Martin
    Password: symc4now
28. Start a web browser and browse to http://svr-ccs2.symplified.org/ra_webclient
29. Select the questionnaire: PCI DSS v2.0 Self-Assessment Lab Questionnaire
30. Answer the questions with a mix of yes and no answers
31. Click the submit button
32. Select Start and Log out as Jane to get back into the system as the Administrator
33. Open the CCS Web Portal
34. Select the Dashboards Tab
35. Expand the Misc tab
36. Select the Compliance Analysis PCI Mandate Dashboard
37. From the Compliance Score for PCI Mandate select the Red piece of the pie chart
38. Select the link for the Asset 10.0.39.6:10.0.39.6
39. View the two types of external evidence now available

Exercise 4: Understanding Control Statements

Now that you have seen different ways of collecting and displaying data brought into CCS, it is important to understand how to make sense of the information and tie it to PCI as evidence. Organizations have many controls to help secure their environment. CCS provides a mechanism to collect evidence from third-party tools and apply that data towards your risk and compliance assessments and reports.

1. Double click on the Symantec Control Compliance Suite Console Icon from the desktop
2. Select Manage > Content
3. Click the Controls Studio button

   CCS Controls Studio allows you to map mandates and policies to control statements, and control statements to checks, questions, SCAP rules, and external data assessments. Control Statements are a short account of a detailed requirement.

4. From the Mandates tab expand Frameworks

   This is a view of the content available within CCS which can be used to map your control evidence.

5. Select the PCI DSS v2.0 Framework
6. Expand Build and Maintain a Secure Network
7. Expand Requirement 2: Do not use vendor-supplied defaults for system passwords or other security parameters
8. Expand 2.2 and click on 2.2.3
9. From the right-hand pane select Statement Mappings
10. What control statement is this requirement mapped to?
11. From the tabs at the bottom left select Controls Framework

   Controls Framework provides you with the means to organize all the control statements in a logical structure.

12. Select the magnifying glass within the tool bar
13. Type in Secure System Configuration
14. Click Search
15. Double click on the Secure System Configuration
16. From the right-hand side of the screen select Mandate Mappings
17. How many Mandates is the control mapped to?
18. Click on Question Mappings
19. How many currently published questionnaires is the control statement mapped to?
20. Click on External Data Assessment Mappings
21. What External solution is the control statement mapped to?

The information just viewed is an example of what the evidence for PCI Requirement 2.2.3 is mapped to within CCS.

Exercise 5: Mandate Reports

Control Compliance Suite provides 30 predefined Report Templates which can be customized to your requirements. The Mandate reports are designed to provide specific information on the mandates required for your environment.

1. Double click on the Symantec Control Compliance Suite icon on the desktop
2. Select the Reporting Tab > Report Templates
3. Expand the Predefined Reports folder
4. From the bottom left Report Templates Filter View select Mandate Reports
5. Click on the red up arrow to filter the reports.
6. Right click on Mandate Compliance and select Schedule Report
7. Name the Report Symplified PCI Mandate Compliance
8. Click Next
9. Highlight and Add the PCI DSS v2.0
10. Click Next
11. Keep the Control type set to All
12. Click Next
13. Select All Assets and click Add
14. Click Next
15. Keep Status set to All
16. Click Next
17. Select Finish
18. Select Yes to conclude

   The Report generation job will automatically start.

19. Once it is finished running select Reporting > My Reports to view the finished report
20. What is the percentage of controls in the failed state?

Next we will generate a Mandate Remediation Report.

21. Select the Reporting Tab > Report Templates
22. Expand the Predefined Reports folder
23. From the bottom left Report Templates Filter View select Mandate Reports
24. Click on the red up arrow to filter the reports.
25. Right click the Mandate Remediation Report and select Schedule Report
26. Name the Report Symplified PCI Remediation Report
27. Click Next
28. Select PCI DSS v2.0
29. Click Add and click Next
30. Select All Assets and click Add
31. Keep the default settings for the rest of the report and click Finish
32. Click OK at the Job Status Window
33. Once the report is finished running select Reporting > My Reports to view the finished report
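
The field mapping from Exercise 2 and the control-statement mapping from Exercise 4, sketched in Python as an added example (not CCS code and not part of the original lab). The internal field names, the pass/fail rule, the sample rows and the pairing of Secure System Configuration with requirement 2.2.3 are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export. Column names are the Qualys fields checked in the
# Field Mappings tab (Exercise 2); the rows and 10.0.39.7 are made up.
SAMPLE_CSV = """IP Address,Vulnerability Type,Last Scan Date/Time,Patchable
10.0.39.6,Confirmed,2012-04-02 09:15,Yes
10.0.39.6,Potential,2012-04-02 09:15,No
10.0.39.7,Potential,2012-04-02 09:20,No
"""

# External column -> internal field. Internal names are hypothetical,
# not the CCS schema.
FIELD_MAP = {
    "IP Address": "asset_id",
    "Vulnerability Type": "vuln_type",
    "Last Scan Date/Time": "last_scan",
    "Patchable": "patchable",
}

# Control statement -> mandate requirements (assumed pairing, see lead-in).
CONTROL_TO_REQUIREMENTS = {"Secure System Configuration": ["PCI DSS v2.0 2.2.3"]}


def import_records(csv_text, field_map):
    """Rename external columns to internal fields; reject incomplete exports."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(field_map) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks mapped fields: {sorted(missing)}")
    return [{field_map[k]: row[k].strip() for k in field_map} for row in reader]


def assess_assets(records):
    """Assumed rule: an asset fails if it has a confirmed, patchable finding."""
    status = {}
    for r in records:
        bad = r["vuln_type"].lower() == "confirmed" and r["patchable"].lower() == "yes"
        already_failed = status.get(r["asset_id"]) == "Fail"
        status[r["asset_id"]] = "Fail" if bad or already_failed else "Pass"
    return status


def mandate_view(asset_status, control, mapping):
    """Roll the per-asset result up to every requirement the control maps to."""
    return {req: dict(asset_status) for req in mapping[control]}


if __name__ == "__main__":
    results = assess_assets(import_records(SAMPLE_CSV, FIELD_MAP))
    print(mandate_view(results, "Secure System Configuration", CONTROL_TO_REQUIREMENTS))
```
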