Sample PCI-DSS Report - Check Point Software · PCI-DSS is a legal obligation mandated not by...

Compliance Report PCI DSS 2.0

Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM

1

1/96

Unscheduled (9)

Future (29)

Overdue (58)

74%Compliance

About PCI DSS 2.0PCI-DSS is a legal obligation mandated not by government but by the credit card companies. Any company that isinvolved in the transmission, processing or storage of credit card data, must be compliant with PCI-DSS. PCI is divided into12 main requirements, and further broken down into approximately 200 control areas. There are different levels of PCIcompliance depending on the number of transactions that are being processed by the company.

203 Security Best Practicesrelated to this regulation

53%

Secure

4%

High

13%

Medium

30%

Low

55 Regulatory Requirements

19 Compliant

12 High

13 Medium

11 Low

BladesSecurity Status by Blade

Firewall

68%

Data Loss Prevention

57%

IPSec VPN

72%

URL Filtering

48%

Upcoming

Future

Unscheduled

Overdue

96 Action Items

0 items

29 items

9 items

58 items

Regulatory Requirement Summary ( 1 out of 4 ) 2

2/96

Id Description Status

030005Establish firewall and router configuration standards that include documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for thoseprotocols considered to be insecure [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.1.5]

Compliant

030007 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.2.1] Low

030009Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wirelessenvironment into the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.2.3]

Low

030011 Limit inbound Internet traffic to IP addresses within the DMZ [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.2] High

030012Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protectcardholder data: 1.3.3]

High

030013 Do not allow internal addresses to pass from the Internet into the DMZ [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.4] High

030014 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.5] Low

030015 Implement stateful inspection, also known as dynamic packet filtering [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.6] High

030017 Do not disclose private IP addresses and routing information to unauthorized parties [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.8] High

030021Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards [Original PCI DSS 2.0Reference: Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 2.2]

Medium

030024 Configure system security parameters to prevent misuse [Original PCI DSS 2.0 Reference: Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 2.2.3] Medium

030025Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers [Original PCI DSS 2.0 Reference: Requirement 2: Do not use vendor-supplied defaults for systempasswords and other security parameters: 2.2.4]

Compliant

030026Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access [Original PCI DSS 2.0 Reference:Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 2.3]

High

030046Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks [Original PCI DSS 2.0 Reference: Requirement 4: Encrypt transmission of cardholder data acrossopen, public networks: 4.1]

High

030048Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.) [Original PCI DSS 2.0 Reference: Requirement 4: Encrypt transmission of cardholder data across open, publicnetworks: 4.2]

Medium


3/96


030049Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software orprograms: 5.1]

N/A

030050Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software orprograms: 5.1.1]

High

030051 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software or programs: 5.2] High

030052Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release [Original PCI DSS2.0 Reference: Requirement 6: Develop and maintain secure systems and applications: 6.1]

High

030053 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities [Original PCI DSS 2.0 Reference: Requirement 6: Develop and maintain secure systems and applications: 6.2] Compliant

030076For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: 1) Reviewing public-facingweb applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes, 2) Installing a web-application firewall in front of public-facing web applications[Original PCI DSS 2.0 Reference: Requirement 6: Develop and maintain secure systems and applications: 6.6]

Medium

030077Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the restriction of access rights to privileged user IDs to least privileges necessary toperform job responsibilities [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.1]

Low

030078Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the assignment of privileges is based on individual personnel"s job classificationand function [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.2]

Low

030079Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the requirement for a documented approval by authorized parties specifyingrequired privileges [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.3]

Low

030080Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the implementation of an automated access control system [Original PCI DSS 2.0Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.4]

Low

030081Establish an access control system for systems components with multiple users that restricts access based on a user"s need to know, and is set to "deny all" unless specifically allowed. This access control system must includecoverage of all system components [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.2.1]

Low

030082Establish an access control system for systems components with multiple users that restricts access based on a user"s need to know, and is set to "deny all" unless specifically allowed. This access control system must include theassignment privileges to individuals based on job classification and function [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.2.2]

Low


4/96


030083Establish an access control system for systems components with multiple users that restricts access based on a user"s need to know, and is set to "deny all" unless specifically allowed. This access control system must include adefault "deny-all" setting [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.2.3]

Low

030085In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: a) Something you know, such as a password or passphrase, b) Something you have, such as a token device or smart card,c) Something you are, such as a biometric [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access: 8.2]

Medium

030086Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties [Original PCI DSS 2.0 Reference: Requirement 8:Assign a unique ID to each person with computer access: 8.3]

Medium

030087 Render all passwords unreadable during transmission and storage on all system components using strong cryptography [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access: 8.4] Compliant

030101 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access: 8.5.14] Low

030102If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access:8.5.15]

High

030117 Send the media by secured courier or other delivery method that can be accurately tracked [Original PCI DSS 2.0 Reference: Requirement 9: Restrict physical access to cardholder data: 9.7.2] Medium

030125Implement automated audit trails for all system components to reconstruct all individual accesses to cardholder data [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.2.1]

Compliant

030126Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access tonetwork resources and cardholder data: 10.2.2]

Compliant

030127 Implement automated audit trails for all system components to reconstruct access to all audit trails [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.2.3] Compliant

030128Implement automated audit trails for all system components to reconstruct invalid logical access attempts [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.2.4]

Compliant

030129Implement automated audit trails for all system components to reconstruct use of identification and authentication mechanisms [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resourcesand cardholder data: 10.2 5]

Compliant

030130Implement automated audit trails for all system components to reconstruct initialization of the audit logs [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.2.6]

Compliant

030131Implement automated audit trails for all system components to reconstruct creation and deletion of system-level objects [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.2.7]

Compliant

030132Record user identification in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholderdata: 10.3.1]

Compliant


5/96


030133Record event type in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.3.2]

Compliant

030134Record date and time in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.3.3]

Compliant

030135Record a success or failure indication in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.3.4]

Compliant

030136Record the origination of the event in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.3.5]

Compliant

030137Record the identity or name of the affected data, system component or resource in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track andmonitor all access to network resources and cardholder data: 10.3.6]

Compliant

030144 Promptly backing up audit trail files to a centralized log server or media that is difficult to alter [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.5.3] Medium

030145 Write logs for external-facing technologies onto a log server on the internal LAN [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.5.4] Medium

030146Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert) [Original PCI DSS 2.0Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.5.5]

Compliant

030148Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup) [Original PCI DSS 2.0 Reference: Requirement 10: Trackand monitor all access to network resources and cardholder data: 10.7]

Medium

030150 Perform quarterly internal vulnerability scans [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.2.1] Medium

030152 Perform internal and external scans after any significant change [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.2.3] Medium

030156Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alertpersonnel to suspected compromises. Keep all intrusion detection and prevention engines, baselines, and signatures up-to-date [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.4]

High

030170Ensure usage policies for critical technologies require automatic disconnect of sessions for remote access technologies after a specific period of inactivity [Original PCI DSS 2.0 Reference: Requirement 12: Maintain a policy thataddresses information security for all personnel: 12.3.8]

Medium

030192 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems [Original PCI DSS 2.0 Reference: Requirement 12: Maintain a policy that addresses information security for all personnel: 12.9.5] Compliant

PCI DSS 2.0 - 030007 7

7/96

ID Security Best Practice Blade Status

DLP109 This checks that the DLP policy includes a rule or rules to restrict the sending of PCI - Cardholder data outside the organization. Data Loss Prevention Medium

DLP135 This checks that the DLP policy includes a rule or rules to restrict the sending of PCI - Credit Card Numbers - 5 or more outside the organization. Data Loss Prevention Medium

FW101This checks whether the 'Clean up Rule' is the last row listed in the Firewall Rule Base and is applied to all Gateways. A 'Clean up Rule' is defined as: Source= Any; Destination= Any; VPN= Any Traffic;Service= Any; Action= Drop; Track= log ; Install on= Policy Targets; T ime= Any

Firewall Low

FW146This checks whether an 'Any Any Accept' rule is listed in the Firewall Rule Base and if so, that it is not applied to any Gateway. An 'Any Any accept'' is defined as: Source= Any; Destination= Any;Service= Any; Action= Accept

Firewall Low

ID: 030007

Description: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protectcardholder data: 1.2.1]

Requirement Details

Status: Low

PCI DSS 2.0 - 030017 16

16/96


FW104 This checks each cluster to ensure that 'Enable extended cluster Anti-Spoofing' is enabled Firewall Secure

FW116 This checks the NAT settings on each Gateway that 'Internal networks are hidden behind the external IP' is selected Firewall High

FW102 This checks defined interfaces for all Gateways to ensure that 'Perform Anti-Spoofing based on interface topology' is enabled Firewall Medium

FW103 This checks defined interfaces for all Gateways to ensure that the Anti-Spoofing action is set to Prevent Firewall Medium

ID: 030017

Description: Do not disclose private IP addresses and routing information to unauthorized parties [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.8]

Requirement Details

Status: High

PCI DSS 2.0 - 030050 ( 1 out of 3 ) 51

51/96


AB104 This checks that each Gateway is activated according to the profiles defined in the Anti-Bot policy Anti-Bot N/A

AB102 This checks the 'Suspicious Mail Detection' settings in the Anti-Bot blade for each defined Profile, and that 'Inspect first (KB) of email messages' is set to at least 4 KB. Anti-Bot Secure

AB110 This checks whether the 'Low Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Bot blade is set to 'Prevent' or 'Detect' Anti-Bot Secure

AB109 This checks whether the 'Medium Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Bot blade is set to 'Prevent' Anti-Bot Secure

AB105 This checks whether the Malware Database in the Anti-Bot blade is being updated automatically. Anti-Bot Secure

AB108 This checks whether the 'High Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Bot blade is set to 'Prevent' Anti-Bot Secure

AB107 This test checks that all Gateways that have the Anti-Bot blade installed have HTTPS Inspection enabled. Anti-Bot Secure

AB106 This checks whether the Malware Database in the Anti-Bot blade is being updated at least every two hours. Anti-Bot Secure

AV117 This checks that each Gateway is activated according to the profiles defined in the Anti-Virus policy Anti-Virus N/A

AV104 This checks whether the HTTP protocol has been enabled in the Anti-Virus settings Anti-Virus Secure

AV106 This checks that the maximum number of levels to be scanned in a MIME email with nested contents is not less than 7 Anti-Virus Secure

AV105 This checks whether the SMTP protocol has been enabled in the Anti-Virus settings Anti-Virus Secure

ID: 030050

Description: Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software or programs: 5.1.1]

Requirement Details

Status: High

PCI DSS 2.0 - 030050 ( 2 out of 3 ) 52

52/96


AV113 This checks whether the Malware Database in the Anti-Bot blade is being updated at least every two hours. Anti-Virus Secure

AV115 This checks that the frequency of automatic updates to the Anti-Virus database is at least every 120 minutes. Anti-Virus Secure

AV112This checks whether the Malware Database in the Anti-Bot blade is being updated automatically. Note that this won't be checked if 'Traditional Anti-Virus' is enabled on all Gateways. In this case the checkwill have an NA status.

Anti-Virus Secure

AV107 This checks that the Anti-Virus blocks files if the number of MIME nesting levels in an email has been exceeded Anti-Virus Secure

AV109 This checks that the Malware DNS Trap is enabled and at least one DNS server is defined. Anti-Virus Secure

AV103 This checks whether the 'Low Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Virus blade is set to 'Prevent', 'Ask' or 'Detect' Anti-Virus Secure

AV111 This checks that HTTPS Inspection is enabled all Gateways which Anti Virus blade installed on Anti-Virus Secure

AV101 This checks whether the 'High Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Virus blade is set to 'Prevent' Anti-Virus Secure

AV102 This checks whether the 'Medium Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Virus blade is set to 'Prevent' Anti-Virus Secure

AV114This test checks that the Anti-Virus database is being automatically updated from the Check Point cloud. Note that this will only be checked if at least one of the Gateways has 'Traditional Anti-Virus' enabled.Otherwise this check will have an NA status.

Anti-Virus Medium

AV108 This checks that Archive scanning in the Anti-Virus settings has been enabled Anti-Virus Low

FW104 This checks each cluster to ensure that 'Enable extended cluster Anti-Spoofing' is enabled Firewall Secure

FW102 This checks defined interfaces for all Gateways to ensure that 'Perform Anti-Spoofing based on interface topology' is enabled Firewall Medium

FW103 This checks defined interfaces for all Gateways to ensure that the Anti-Spoofing action is set to Prevent Firewall Medium

IPS104 This checks that the IPS Policy automatically activates Client Protections for each profile. IPS Secure

IPS102 This checks the IPS Mode for each Profile whether the 'default action for existing protection' is set to Prevent IPS Secure

PCI DSS 2.0 - 030050 ( 3 out of 3 ) 53

53/96


IPS103 This checks that IPS Protections have been activated on each profile in accordance with the IPS policy IPS Secure

IPS106 This checks the severity-based protection settings in the IPS policy for each profile to ensure that protections with a Low severity status are not being activated IPS Secure

IPS110 This checks that the Profile's IPS Policy activates all applicable protections IPS Secure

IPS107 This checks the confidence level-based protection settings in the IPS policy for each profile to ensure that protections with a Low or Medium-Low severity status are not being activated IPS Secure

IPS105 This checks that the IPS Policy automatically activates Server Protections for each profile. IPS Secure

IPS111 This checks all IPS Profiles that the ability to automatically switch all protections to Detect-Only has been disabled IPS Secure

IPS108 This checks each Profile's IPS Policy to ensure that activated protections include those that have a performance impact IPS High

IPS113 This checks that the Protection Scope for the IPS on each Gateway is set to perform IPS inspection on all traffic.Note that the implementation of this recommendation has a Wide Impact. IPS Medium

IPS109 This checks each Profile's IPS Policy to ensure that the activated protections include those that are categorized as Protocol Anomalies IPS Low

IPS114 This checks that the IPS Blade is up to date and that there are no available IPS updates older than three days that have not been downloaded IPS Low

PCI DSS 2.0 - 030077 61

61/96


FW130This checks whether the 'Stealth Rule' is configured in the Firewall Rule Base and is applied to all Gateways. A 'Stealth Rule' is defined as:Source= Any; Destination= GW's ; Service= Any; Action= Drop; Track=log ; Install on= Policy Target ; T ime= Any

Firewall Low

FW146This checks whether an 'Any Any Accept' rule is listed in the Firewall Rule Base and if so, that it is not applied to any Gateway. An 'Any Any accept'' is defined as: Source= Any; Destination= Any; Service= Any;Action= Accept

Firewall Low

FW101This checks whether the 'Clean up Rule' is the last row listed in the Firewall Rule Base and is applied to all Gateways. A 'Clean up Rule' is defined as: Source= Any; Destination= Any; VPN= Any Traffic; Service=Any; Action= Drop; Track= log ; Install on= Policy Targets; T ime= Any

Firewall Low

ID: 030077

Description: Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the restriction of access rights to privileged user IDs to least privilegesnecessary to perform job responsibilities [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.1]

Requirement Details

Status: Low

PCI DSS 2.0 - 030125 74

74/96


FW122 This checks that all activities of the system administrator and the system operator are logged Firewall Secure

FW105 This checks each Firewall rule to ensure that it has a defined Log setting under the Track option Firewall Secure

FW171 This checks that all Firewall audit trails include the date and time of all logged events Firewall Secure

ID: 030125

Description: Implement automated audit trails for all system components to reconstruct all individual accesses to cardholder data [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to networkresources and cardholder data: 10.2.1]

Requirement Details

Status: Compliant

Sample PCI-DSS Report - Check Point Software · PCI-DSS is a legal obligation mandated not by...

Documents

Transcript of Sample PCI-DSS Report - Check Point Software · PCI-DSS is a legal obligation mandated not by...