
#completevisibility

Speaker: Danny Murphy, Sr. Sales Engineer, Netwrix Corporation; [email protected]; +44 (0) 203 588 3023 ext 2202

How to Ensure Continuous Compliance?

Episode II: PCI Compliance 101


Housekeeping

All microphones will be muted for the duration of the webinar.

To submit text questions, use the Question Pane.

All questions, comments or opinions are greatly appreciated.


Agenda

Compliance Overview

PCI Compliance 101

PCI Data Security Standard (PCI DSS)

PCI Compliance and Netwrix Auditor

Netwrix Auditor Demo

Real Case: Netwrix Auditor helping with PCI Compliance

About Netwrix Corporation

Q & A


Compliance Overview

Best Practices, Standards and Regulations

ISO 27001, COBIT, NIST

PCI, HIPAA, SOX, FISMA, FFIEC/GLBA

Commonalities

Availability, Integrity, Accountability

Policies, Implementation, Validation, Reporting

Perform reviews of your policies; periodic reviews should be planned.

Establish processes for changing existing policies or adding new ones.

Why is it important?

Home Depot: 56 million customer cards compromised.

JPMorgan Chase: data associated with over 83 million accounts compromised.


Volume of card transactions is on the rise: in 2015, total world card payments are expected to exceed $20 trillion. [Chart: card payments by region, 2012-2018]

Verizon 2015 PCI Compliance Report: 45% of Americans say they or a household member have been notified by a card issuer, financial institution, or retailer that their credit card information had possibly been stolen as part of a data breach.


PCI Compliance 101

PCI (Payment Card Industry) security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.

The Three Major Components of PCI:

– PCI Data Security Standard (PCI DSS)

– PIN Transaction Security (PTS) Requirements

– Payment Application Data Security Standard (PA-DSS)


How to become PCI compliant?

How compliance is validated depends on the merchant's transaction volume (merchant level), differs slightly between the payment brands, and may include:

• Annual Self-Assessment Questionnaire (SAQ)

• Quarterly external vulnerability scans of in-scope systems by an Approved Scanning Vendor (ASV)

• Annual on-site assessment of in-scope systems by a Qualified Security Assessor (QSA), usually required for Level 1 merchants

Who must comply?

PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) including:

– Merchants,

– Processors,

– Acquirers,

– Issuers,

– Service providers.

Verizon 2015 PCI Compliance Report:

"Of all the data breaches, not a single company has been found to be compliant at the time of the breach. This underscores the importance of PCI DSS compliance."


The initial effort to establish a continuous compliance regime can be considerable:

– Extensive planning and development of internal policies,

– Assignment of roles and responsibilities,

– Implementation of controls, and of mechanisms for feedback and improvement.

Once continuous compliance is established, it brings many benefits, including:

– Increased efficiency of operations

– No high-risk periods (no last-minute scramble before the annual assessment)

– Continuous improvement

– Lower total cost (over the years)

Netwrix Auditor, integrated into the organization's IT infrastructure, provides visibility into the systems. It enables validation of policies and provides mechanisms for establishing some of the compliance controls.

Continuous Compliance is the Way


Delivers complete visibility: analyze and control any IT-related activity with more than 200 predefined reports and more.

Enables evaluation: according to defined policies, metrics and baselines.

Provides audit reports: proving compliance, along with data consolidation and archiving capabilities, with two-tiered audit data storage for 10 years or more.

Netwrix Auditor is an easily configurable and affordable unified platform with lightweight, non-intrusive data collecting agents that greatly reduces administrative burden and helps to maintain compliance with PCI DSS.

It streamlines compliance by auditing access to cardholder data as well as changes to access rights for system components.


How Netwrix assists with PCI compliance?

Netwrix Auditor facilitates the following IT processes:

Access Control,

Account Management,

Privileged Users Management,

Integrity Monitoring,

Configuration Management,

Data Governance,

Change Management,

Audit Trail.

Overview of Netwrix Auditor coverage of PCI DSS 3.0 (the requirement numbering is the same in 3.1):

Requirement 3: Protect stored cardholder data

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Identify and authenticate access to system components

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes


PCI Compliance and Netwrix Auditor

The mapping table below has four columns: PCI DSS 3.0 requirement, how Netwrix helps, processes and report categories, and the Netwrix reports involved.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.1 Implement audit trails to link all access to system components to each individual user.

  How Netwrix helps: Utilize Netwrix Auditor's fully featured auditing and reporting of all user activities, including access to sensitive files, across the entire IT infrastructure, recording who changed what, when, and where.

  Processes and report categories: Access Control (Systems Access, Data Access, User Activity); Audit Trail (User Activity)

  Netwrix reports: Netwrix Auditor for Active Directory: User Accounts Last Logon Time. Netwrix Auditor for File Servers: File Server Changes by User. And more.

Requirement 8: Identify and authenticate access to system components

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.

8.2 In addition to assigning a unique ID, ensure proper user authentication management for non-consumer users and administrators on all system components.

  How Netwrix helps: Complement the administrative efforts of the organization's departments and the built-in identity management capabilities of Active Directory with the enhanced visibility, complete audit trail of states and changes, and other features provided by Netwrix Auditor.

  Processes and report categories: Account Management (Configuration States, Accounts States, Accounts Changes, Policies Changes, Policies States); Privileged Users Management (User Activity); Access Control (Systems Access)

  Netwrix reports: Netwrix Auditor for Active Directory: User Accounts; User Accounts - Expired; User Accounts - Locked. Netwrix Auditor for Group Policy: Account Policy Changes; User Configuration Changes. Netwrix Auditor Event Log: Logoffs by User; Successful Logons by User. And more.
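The two requirements above share one underlying check: every successful logon must be attributable to a single named person (10.1), which is only possible if nobody logs on with a shared or generic account (8.1/8.2). The script below is an added example, not Netwrix Auditor code and not part of the original slides; it shows what the "Successful Logons by User" view looks like when built from the native Windows Security log with PowerShell 3.0 or later. It assumes success auditing for the Logon subcategory is enabled on the audited host (so Event ID 4624 is recorded) and that the $SharedAccounts list is replaced with the organisation's own inventory; the three names in it are hypothetical.

```powershell
# Added example (not Netwrix Auditor code): a native-tooling baseline for PCI DSS 10.1 / 8.1.
# Assumes "Audit Logon" success auditing is enabled so Event ID 4624 lands in the Security log.
# $SharedAccounts is organisation-specific; the names below are hypothetical placeholders.
# Requires PowerShell 3.0+ (-notin / -in operators, member enumeration). Run elevated to read Security.
param(
    [int]$Days = 1,
    [string[]]$SharedAccounts = @('Administrator', 'svc_pos', 'register')   # hypothetical
)

$since = (Get-Date).AddDays(-$Days)

# 4624 = successful logon. Property indices follow the event's XML field order:
# 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 11 = WorkstationName, 18 = IpAddress
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $p[6].Value, $p[5].Value
            User        = $p[5].Value
            LogonType   = [int]$p[8].Value    # 2 interactive, 3 network, 10 RemoteInteractive (RDP), ...
            Workstation = $p[11].Value
            SourceIp    = $p[18].Value
        }
    } |
    # Machine accounts (name ends in $) and SYSTEM / ANONYMOUS LOGON are noise for a per-person audit trail
    Where-Object { $_.User -notmatch '\$$' -and $_.User -notin @('SYSTEM', 'ANONYMOUS LOGON') }

# "Successful logons by user": who logged on, by which logon type, how often, and from where
$logons |
    Group-Object Account, LogonType |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account';   e = { $_.Group[0].Account } },
                  @{ n = 'LogonType'; e = { $_.Group[0].LogonType } },
                  Count,
                  @{ n = 'Sources';   e = { ($_.Group.SourceIp | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 8.1 check: a logon by a shared or generic account cannot be tied to one individual, so flag each one
$shared = $logons | Where-Object { $_.User -in $SharedAccounts }
if ($shared) {
    Write-Warning ('{0} logon(s) by shared accounts in the last {1} day(s); the audit trail cannot attribute these to an individual' -f @($shared).Count, $Days)
    $shared | Sort-Object Time | Format-Table Time, Account, LogonType, Workstation, SourceIp -AutoSize
}
```

Run it as an administrator on the audited host (or point Get-WinEvent at a remote machine with -ComputerName). The grouped table is the evidence an assessor asks for under 10.1; the warning block is the gap list for 8.1, since each flagged logon is one the organisation would have to explain with out-of-band records rather than the log itself. Extending the same idea to the other reports in the table (4634 for logoffs, 4720/4722/4725 for account state changes) is a matter of adding event IDs to the filter.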

Demonstration: Continuous Compliance With Netwrix Auditor

Real Case Study

Customer: Borderfree, Inc.

Industry: Technology

Challenge: Staying PCI Compliant Despite the Large Number of Servers

Solution: Netwrix Auditor

Ryan Dorman, Senior Systems Administrator, Borderfree Inc.:

"With Netwrix Auditor it takes me five minutes to complete tasks that used to take all day."


Netwrix Auditor: Unified Platform for Change and Configuration Auditing

Auditing solutions for: Active Directory, Exchange, File Servers, SharePoint, SQL Server, VMware, Windows Server

Major features:

Audit Assurance™: captures all IT changes with 'Who', 'What', 'When' and 'Where' details and 'before' and 'after' values.

Configuration Assessment: State-in-time™ reports showing configuration settings at present or at any moment in the past.

Audit Intelligence™: more than 200 predefined, easy-to-read reports and dashboards with actionable intelligence, with filtering, grouping, sorting, exporting, email subscriptions and the ability to create custom reports.

Audit Archive™: scalable two-tiered storage (file-based + SQL database) holding consolidated audit data for up to and beyond 10 years.

Unified Platform: audits the entire IT infrastructure (including systems with limited native logging capabilities, Syslog support, and video recording of user activity), as opposed to multiple hard-to-integrate standalone tools from other vendors.


Next Sessions

Episode I: HIPAA Compliance (recorded)

netwrix.com/how_to_ensure_continuous_compliance_episode_1_hipaa.html

Episode III: FISMA Compliance (16th June, 11:00 EDT)

netwrix.com/how_to_ensure_continuos_compliance.html

Upcoming webinars:

netwrix.com/webinars.html

Recorded webinars:

netwrix.com/webinars.html#featured


Briefly About Netwrix

All awards: www.netwrix.com/awards


Netwrix Corporation

Corporate Headquarters: 300 Spectrum Center Drive #820, Irvine, CA 92618; 888-638-9749; www.netwrix.com

Additional Offices: Columbus, OH; Paramus, NJ; Atlanta, GA; Kent, UK

Founded in 2006

Headquartered in Irvine, California

Philosophy – deliver complete visibility of IT infrastructure.

Used to enable IT auditing by over 160,000 IT departments worldwide.

Over 6000 licensed deployments with more than 6M user licenses installed.

Global support: North America, EMEA and Asia.

Among the fastest growing software companies in the US.


Our Customers

Financial

Healthcare & Pharmaceutical

Federal, State, Local, Government

Industrial/Technology/Other


Next Steps

Free Guide: PCI Compliance with Netwrix Auditor

netwrix.com/compliance.html#pci

Free Trial: set up in your own test environment

netwrix.com/freetrial

Test Drive: virtual POC, tried in a Netwrix-hosted test lab

netwrix.com/testdrive

Live One-to-One Demo: product tour with Netwrix expert

netwrix.com/livedemo

Contact Sales to obtain more information

netwrix.com/contactsales


Thank You for Your Attention!

Questions?

Danny Murphy

Sr. Sales Engineer, Netwrix Corporation

[email protected]

+44 (0) 203 588 3023 ext 2202