PCI-DSS Requirement 10: Configuration Port Security

By Tom Kearns

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate a broad adoption of consistent data security measures globally. PCI-DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is a comprehensive standard that is intended to help organizations proactively protect customer account data.

PCI-DSS Version 2.0, Requirement 10 covers tracking and monitoring of all access to network resources and cardholder data. The intent of this requirement is that logging mechanisms and the ability to track privileged user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This includes all actions taken on configuration ports by any individual with root or administrative privileges.

My IT operations customers often struggle with the intent of this requirement as it relates to providing highly privileged access through configuration ports. Since configuration ports are, by default, the emergency access point for every IT device, they are critical for improving mean time to repair (MTTR). Common vendor names for these types of ports are iLO2 (HP), DRAC (Dell), ALOM and ILOM (Sun/Oracle) and CIMC (Cisco).

For a discussion of privileged access to configuration ports, and of the significant threat such access poses in light of the intent of PCI-DSS Version 2.0, Requirement 10, see our whitepaper on this subject at: http://www.tditechnologies.com/whitepaper-pci-requirement-10-configuration-ports

ConsoleWorks provides a comprehensive solution for tracking, monitoring, analyzing and alerting on actions taken by individuals with root or administrative privileges, as required by PCI-DSS V2.0, Requirement 10.

About the author:

Tom Kearns is the Strategic Accounts Director at TDi Technologies in Plano, TX. He is an IT operations infrastructure, security and compliance solutions sales professional experienced in defining customer strategies, blueprints, roadmaps and global business partnerships that optimize company performance and deliver competitive market advantage. He received his B.S. in Computer Science from Saint John's University in New York. Tom is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).
