How to Ensure Continuous Compliance? - Netwrix · How to Ensure Continuous Compliance? Episode II:...
#completevisibility
Speaker: Danny Murphy, Sr. Sales Engineer, Netwrix, [email protected], +44 (0) 203 588 3023 ext 2202
How to Ensure Continuous Compliance?
Episode II: PCI Compliance 101
Housekeeping
All microphones will be muted for the duration of the webinar
To submit text questions use the Question Pane
All questions, comments or opinions are greatly appreciated
The Question Pane
Agenda
Compliance Overview
PCI Compliance 101
PCI Data Security Standard (PCI DSS)
PCI Compliance and Netwrix Auditor
Netwrix Auditor Demo
Real Case: Netwrix Auditor helping with PCI Compliance
About Netwrix Corporation
Q & A
Compliance Overview
Best Practices, Standards and Regulations
ISO 27001, COBIT, NIST
PCI, HIPAA, SOX, FISMA, FFIEC/GLBA
Commonalities
Availability, Integrity, Accountability
Policies, Implementation, Validation, Reporting
Perform reviews of your policies
Periodic reviews should be planned
Establish processes for changing existing or adding new policies.
Why is it important?
Home Depot: 56 million customer cards compromised
JPMorgan Chase: data associated with over 83 million accounts compromised
Volume of card transactions is on the rise
Verizon 2015 PCI Compliance Report: 45% of Americans say they or a household member have been notified by a card issuer, financial institution, or retailer that their credit card information had possibly been stolen as part of a data breach.
Chart: Card payments by region, 2012-2018
In 2015, total world card payments are expected to exceed $20 trillion.
PCI Compliance 101
PCI (Payment Card Industry) security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
The Three Major Components of PCI:
– PCI Data Security Standard (PCI DSS)
– PIN Transaction Security (PTS) Requirements
– Payment Application Data Security Standard (PA-DSS)
How to become PCI compliant?
Validation of compliance depends on the merchant’s volume of transactions (merchant level), differs slightly between payment brands, and may include:
• Annual Self Assessment Questionnaire (SAQ reporting)
• Quarterly scans of PCI systems by ASV
• Annual onsite audit of PCI systems by QSA (usually for level 1 merchants)
Who must comply?
PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) including:
– Merchants,
– Processors,
– Acquirers,
– Issuers,
– Service providers.
Verizon 2015 PCI Compliance Report
«Of all the data breaches not a single company has been found to be compliant at the time of the breach — this underscores the importance of PCI DSS compliance».
Initial effort for establishing a continuous compliance regime can be cumbersome:
– Extensive planning and development of internal policies,
– Assignment of roles and responsibilities,
– Implementation of controls and mechanisms for feedback and improvement.
Once continuous compliance is established, it brings many benefits, including:
– Increased efficiency of operations
– No high-risk periods
– Continuous improvement
– Lower total cost (over the years)
Netwrix Auditor, integrated into the organization’s IT infrastructure, is a great tool to provide visibility into the systems. It enables validation of policies and provides mechanisms for establishing some of the compliance controls.
Continuous Compliance is the Way
How Netwrix assists with PCI compliance?
Delivers Complete Visibility: analyze and control any IT-related activities with more than 200 predefined reports and more.
Enables Evaluation: according to defined policies, metrics and baselines.
Provides Audit Reports: proving compliance, along with data consolidation and archiving capabilities with two-tiered audit data storage for up to 10 years or more.
Netwrix Auditor is an easily configurable and affordable unified platform with lightweight, non-intrusive data-collecting agents that greatly reduce administrative burden and help maintain compliance with PCI.
Streamlines compliance by auditing access to cardholder data as well as auditing changes to access rights for system components.
How Netwrix assists with PCI compliance?
Netwrix Auditor facilitates the following IT processes:
– Access Control
– Account Management
– Privileged Users Management
– Integrity Monitoring
– Configuration Management
– Data Governance
– Change Management
– Audit Trail
Overview of Netwrix Auditor coverage of PCI DSS 3.0 (same for 3.1):
Requirement 3: Protect stored cardholder data
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
PCI Compliance and Netwrix Auditor
Columns: PCI DSS 3.0 | How Netwrix helps | Processes and Report Categories | Netwrix Report

Requirement 10: Track and monitor all access to network resources and cardholder data
10.1 Implement audit trails to link all access to system components to each individual user.
How Netwrix helps: Utilize Netwrix Auditor’s fully featured auditing and reporting of all user activities, including access to sensitive files, across the entire IT infrastructure, recording who changed what, when, and where.
Processes and report categories: Access Control (Systems Access, Data Access, User Activity); Audit Trail (User Activity)
Netwrix reports: Netwrix Auditor for Active Directory: User Accounts Last Logon Time; Netwrix Auditor for File Servers: File Server Changes by User; and more

Requirement 8: Identify and authenticate access to system components
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
8.2 In addition to assigning a unique ID, ensure proper user authentication management for non-consumer users and administrators on all system components.
How Netwrix helps: Complement the administrative efforts of the organization’s departments and the built-in identity management capabilities of Active Directory with the enhanced visibility, complete audit trail of states and changes, and other features provided by Netwrix Auditor.
Processes and report categories: Account Management (Configuration States, Accounts States, Accounts Changes, Policies Changes, Policies States); Privileged Users Management (User Activity); Access Control (Systems Access)
Netwrix reports: Netwrix Auditor for Active Directory: User Accounts, User Accounts – Expired, User Accounts – Locked; Netwrix Auditor for Group Policy: Account Policy Changes, User Configuration Changes; Netwrix Auditor Event Log: Logoffs by User, Successful Logons by User; and more
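To make Requirement 10.1 and the unique-ID rule of Requirement 8.1 concrete, the following added example (not Netwrix code, and not output of any Netwrix report) consolidates constructed who/what/when/where audit events into a per-user change trail, derives a last-logon-per-user view, and flags cardholder-data accesses made under a shared ID that cannot be linked to one individual. The share path, account names and event types are assumptions.

```python
from collections import defaultdict

# Constructed sample audit events in a "who, what, when, where" shape (assumed format).
EVENTS = [
    {"who": "jdoe", "what": "Logon", "when": "2015-05-12T08:02:00", "where": "DC01", "object": ""},
    {"who": "jdoe", "what": "File Modified", "when": "2015-05-12T08:15:00", "where": "FS01",
     "object": "\\\\FS01\\CHD\\batch.csv", "before": "v1", "after": "v2"},
    {"who": "svc_backup", "what": "File Read", "when": "2015-05-12T23:10:00", "where": "FS01",
     "object": "\\\\FS01\\CHD\\batch.csv"},
    {"who": "administrator", "what": "File Deleted", "when": "2015-05-13T02:41:00", "where": "FS01",
     "object": "\\\\FS01\\CHD\\old.csv", "before": "present", "after": "removed"},
    {"who": "jdoe", "what": "Logon", "when": "2015-05-13T07:58:00", "where": "DC01", "object": ""},
    {"who": "asmith", "what": "Group Member Added", "when": "2015-05-13T09:05:00", "where": "DC01",
     "object": "CN=CHD Readers", "before": "-", "after": "svc_backup"},
]

CHD_LOCATIONS = ("\\\\FS01\\CHD\\",)        # constructed cardholder-data share (assumption)
SHARED_IDS = {"administrator", "root"}      # generic IDs not tied to one person (assumption)
CHANGE_TYPES = {"File Modified", "File Deleted", "Group Member Added"}


def last_logon_by_user(events):
    """Latest logon per user ID; ISO-8601 timestamps compare correctly as strings."""
    last = {}
    for ev in events:
        if ev["what"] == "Logon" and ev["when"] > last.get(ev["who"], ""):
            last[ev["who"]] = ev["when"]
    return last


def changes_by_user(events):
    """Change trail per user: when, where, what changed, and before/after values."""
    trail = defaultdict(list)
    for ev in events:
        if ev["what"] in CHANGE_TYPES:
            trail[ev["who"]].append((ev["when"], ev["where"], ev["what"], ev["object"],
                                     ev.get("before", ""), ev.get("after", "")))
    return dict(trail)


def unattributable_chd_access(events):
    """Cardholder-data accesses made under a shared ID: these cannot be linked to an
    individual user (PCI DSS 8.1 / 10.1) and should be reviewed and eliminated."""
    return [ev for ev in events
            if ev["object"].startswith(CHD_LOCATIONS) and ev["who"] in SHARED_IDS]


if __name__ == "__main__":
    print("Last logon:", last_logon_by_user(EVENTS))
    for user, changes in changes_by_user(EVENTS).items():
        print(user, "->", changes)
    print("Unattributable CHD access:", unattributable_chd_access(EVENTS))
```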
Real Case Study
Customer: Borderfree, Inc.
Industry: Technology
Challenge: Staying PCI Compliant Despite the Large Number of Servers
Solution: Netwrix Auditor
Ryan Dorman, Senior Systems Administrator, Borderfree Inc.:
“With Netwrix Auditor it takes me five minutes to complete tasks that used to take all day.”
Netwrix Auditor: Unified Platform for Change and Configuration Auditing
Auditing solutions for: Active Directory, Exchange, File Servers, SharePoint, SQL Server, VMware, Windows Server
Major features:
Audit Assurance™: Captures all IT changes with ‘Who’, ‘What’, ‘When’ and ‘Where’ details with ‘before’ and ‘after’ values
Configuration Assessment: State-in-time™ reports showing configuration settings at present or at any moment in the past
Audit Intelligence™: More than 200 predefined, easy-to-read reports and dashboards with actionable intelligence, with filtering, grouping, sorting, exporting, email subscriptions and the ability to create custom reports
Audit Archive™: Scalable two-tiered storage (file-based + SQL database) holding consolidated audit data for up to and beyond 10 years
Unified Platform to audit the entire IT infrastructure (including systems with limited native logging capabilities, Syslog support, activity video recording), as opposed to multiple hard-to-integrate standalone tools from other vendors
Next Sessions
Episode I: HIPAA Compliance (recorded)
netwrix.com/how_to_ensure_continuous_compliance_episode_1_hipaa.html
Episode III: FISMA Compliance (16th June, 11:00 EDT)
netwrix.com/how_to_ensure_continuos_compliance.html
Upcoming webinars:
netwrix.com/webinars.html
Recorded webinars:
netwrix.com/webinars.html#featured
Netwrix Corporation
Corporate Headquarters: 300 Spectrum Center Drive #820, Irvine, CA 92618, 888-638-9749, www.netwrix.com
Additional Offices: Columbus, OH; Paramus, NJ; Atlanta, GA; Kent, UK
Founded in 2006
Headquartered in Irvine, California
Philosophy – deliver complete visibility of IT infrastructure.
Used to enable IT auditing by over 160,000 IT departments worldwide.
Over 6,000 licensed deployments with more than 6M user licenses installed.
Global support: North America, EMEA and Asia.
Among the fastest growing software companies in the US.
Our Customers
Financial
Healthcare & Pharmaceutical
Federal, State, Local, Government
Industrial/Technology/Other
Next Steps
Free Guide: PCI Compliance with Netwrix Auditor
netwrix.com/compliance.html#pci
Free Trial: setup in your own test environment
netwrix.com/freetrial
Test Drive: virtual POC, try in a Netwrix-hosted test lab
netwrix.com/testdrive
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Contact Sales to obtain more information
netwrix.com/contactsales
Thank You for Your Attention!
Questions?
Danny Murphy
Sr. Sales Engineer, Netwrix Corporation
+44 (0) 203 588 3023 ext 2202