Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard
The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire®, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent as generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com.

If you require more information specific to this solution guide, you may contact us here: www.coalfire.com/symantec
3. OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS
4. SYMANTEC PCI COMPLIANCE SOLUTION
5. SYMANTEC PCI REQUIREMENTS MATRIX (OVERVIEW)
Symantec and VMware continue to collaborate to ensure customers have both the security and compliance controls necessary for cloud deployments, both on- and off-premises. Symantec plans to leverage VMware vShield Endpoint with its endpoint security offerings to maximize performance in Virtual Desktop Infrastructure (VDI) and virtual server environments without sacrificing powerful security. Symantec has also developed additional integrations with VMware in key areas such as Data Loss Prevention, critical infrastructure hardening and log management. With Symantec's advanced optimizations for VMware, you will be able to secure your virtualized infrastructure. Symantec's high-performing infrastructure software provides the enterprise-scale data protection capabilities that enable you to deploy the most mission-critical workloads on VMware.

The Symantec products covered in this addendum are:
- Symantec Control Compliance Suite
- Symantec Critical System Protection
- Symantec Security Information Manager
- Symantec Data Loss Prevention
- Symantec Encryption Products
- Symantec Endpoint Protection
The PCI Private Cloud Use Case is comprised of four VMware product suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOps) and View. These product suites are described in detail in the VMware Solution Guide for PCI. The use case also provides readers with a mapping of the specific PCI controls to VMware's product suites, partner solutions, and organizations involved in PCI private clouds. While every cloud is unique, VMware and its partners can provide a solution that addresses over 70% of the PCI DSS requirements.
Figure 2: PCI Requirements
“Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.”
There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

Private Cloud – The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud – The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud – The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.
To learn more about VMware's approach to cloud computing, review the following:
http://www.vmware.com/solutions/cloud-computing/index.html#tab3 - VMware Cloud Computing Overview
http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html - VMware's vCloud Architecture Toolkit
When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?
To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware's vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule-by-rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. A passing report is configuration evidence to present to the QSA, not a compliance determination: the assessor still validates the process, scope and procedural controls that a configuration checker cannot see. To download the free compliance checkers, click on the following link: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000MJsMAAW

For more information on VMware compliance solutions for PCI, please visit http://www.vmware.com/solutions/datacenter/cloud-security-compliance/protect-critical-applications.html
The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard
The PCI SSC began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term “virtualization” (previous versions did not use the word). This was followed by an additional document explaining the intent behind PCI DSS v2.0, “Navigating PCI DSS”. These documents were intended to clarify that virtual components should be considered “components” for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, virtual and cloud-specific guidance was addressed in an Information Supplement, “PCI DSS Virtualization Guidelines,” released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG). The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).
* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided “AS IS”. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.
coverage across PCI DSS Requirements and Prioritized Approach Milestones, for cross-compatible protection that includes:
Table 2: Symantec Solutions

Solution: Control Compliance Suite
Description: Symantec Control Compliance Suite automates the compliance process from policy definition through assessment, remediation and reporting. Control Compliance Suite uses centralized vulnerability and control assessments to provide seamless discovery of unknown or unauthorized virtual machines, reducing security risk in the physical and virtual infrastructure. Leveraging VMware-published security standards, Control Compliance Suite is also able to assess virtual settings to identify areas of risk and help prioritize remediation efforts. This helps prevent application failure or data corruption on virtual machines, while facilitating compliance with mandates such as PCI or HIPAA. In addition, Control Compliance Suite can ensure that the VMware process guidelines are being followed with procedural questionnaires while automatically reporting on configuration changes, patch levels and critical policy violations on VMware vSphere.
The products that support Symantec's Control Compliance Suite are:
- Control Compliance Suite Standards Manager
- Control Compliance Suite Policy Manager
- Control Compliance Suite Assessment Manager
- Control Compliance Suite External Data Integration
- Control Compliance Suite Ad-Hoc Query
- Control Compliance Suite Vulnerability Manager

Solution: Critical System Protection
Description: Critical System Protection currently protects ESX® guests and hypervisors with granular, policy-based controls. Symantec supports VMware vSphere 5, leveraging out-of-the-box, VMware-prescribed server security policies for ESXi and VMware vCenter™ that enable organizations to identify server compliance violations and suspicious activity in real time, limit administrative control, restrict network communications and prevent file and configuration tampering of the virtual infrastructure. Because Symantec Critical System Protection is a non-signature, policy-based technology, it also allows organizations to stop unauthorized services from running on servers and protect against zero-day attacks, without impacting system performance.
Product:
- Symantec Critical System Protection

Solution: Data Loss Prevention
Products:
- Symantec Data Loss Prevention for Network
- Symantec Data Loss Prevention for Endpoint
- Symantec Data Loss Prevention for Mobile
- Symantec Data Loss Prevention for Storage
- Symantec Data Loss Prevention Enforce Platform

Solution: Encryption Products
Description: Symantec Encryption encompasses a wide range of PGP products. Data protection through encryption plays a very important part in protecting card data. Symantec provides best-of-class tools and products, up to and including full disk encryption.
Products:
- PGP Universal Server
- PGP Universal Gateway Email (PGP Messenger is an add-on for Gateway Email)
- PGP Command Line
- PGP NetShare
- PGP Whole Disk Encryption
- PGP Desktop Email (PGP for Blackberry is an add-on for Desktop Email)

Solution: Endpoint Protection
Description: Optimized Endpoint Protection for High-density Virtual Environments - Symantec plans to leverage VMware vShield Endpoint with its endpoint security offerings to maximize performance in Virtual Desktop Infrastructure (VDI) and virtual server environments without sacrificing powerful security. Available in the second half of 2012, these solutions will offload critical security analysis from protected virtual machines to a dedicated security virtual appliance, resulting in optimized scan performance, reduced resource utilization, and increased management visibility. Built upon Symantec Insight, these solutions will provide fast and effective endpoint security for VMware environments, offering unique protection against modern polymorphic malware, zero-day attacks and rootkits.
Product:
- Symantec Endpoint Protection
PCI DSS Requirement | Number of Requirements | Control Compliance Suite | Critical System Protection | Security Information Manager | Data Loss Prevention | Encryption Products | Endpoint Protection | Collective Controls Addressed by Symantec Products
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 | | 4 | | | | 2 | 4
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 24 | 12 | 8 | | | | | 12
Requirement 3: Protect stored cardholder data | 33 | | | | 13 | 17 | | 27
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 9 | | | | 1 | 1 | | 1
Requirement 5: Use and regularly update anti-virus software or programs | 6 | | 3 | | | | 5 | 5
Requirement 6: Develop and maintain secure systems and applications | 32 | 4 | | | | | | 4
Requirement 8: Assign a unique ID to each person with computer access | 32 | 14 | | | | | | 14
Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | | 6 | 20 | | | | 20
Requirement 11: Regularly test security systems and processes | 24 | 6 | 5 | | | | 3 | 11
Requirement 12: Maintain a policy that addresses information security for all personnel | 40 | 4 | | 1 | | | | 5
TOTAL | 297 | 37 | 26 | 21 | 14 | 18 | 10 | 103

Note: Control totals do not add up to 297 due to overlapping features of Symantec products.
Table 4: Applicability of PCI Controls to Symantec Control Compliance Suite
PCI DSS v2.0 Applicability Matrix

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1, 2.2.a, 2.2.b, 2.2.c, 2.2.2.a, 2.2.2.b, 2.2.3.b, 2.2.3.c, 2.2.4.a, 2.2.4.b, 2.2.4.c, 2.3.b
Description: Control Compliance Suite validates configuration settings through custom-configured policies or against standards set by industry-recognized organizations such as CIS, ISO, NIST or COBIT. This validation of system configuration helps identify and alert system administrators to systems that fall out of compliance with configuration standards. Through review of configuration, unnecessary or insecure services can be reported on and corrected by system administrators.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.1.b, 6.2.a, 6.2.b
Description: Control Compliance Suite, which has several modules, is documented to perform the following functions:
- Patch assessments for deployed patches, which provide a mechanism to validate that patches are deployed within the required timelines.
- Scans the network to discover devices running on it.
- Probes vulnerabilities of the discovered devices.
- Discovers the data associated with each device, for example installed software and services running on the device.
- Discovers external attacks such as vulnerability exploits, malicious file downloads, SQL injections or buffer overflows, as well as insider abuse such as changing permissions and tampering with system or application files.
- With Control Compliance Suite, a risk score based on CVSS scoring is used to quantify the risk associated with an asset in your organization.
- The capability to scan a target computer to locate and identify the presence of known vulnerabilities and evaluate software patch status. The patch status is evaluated to determine compliance with a defined patch policy using the target computer's logon privileges.

Requirement 8: Assign a unique ID to each person with computer access
Controls addressed: 8.5.10.b, 8.5.11.a, 8.5.11.b, 8.5.12.a, 8.5.12.b, 8.5.13.a, 8.5.13.b, 8.5.14, 8.5.15
Description: … the organization. The Entitlements view provides the means to efficiently gather the permissions data from the various platforms and enables the user to generate reports. Policy elements such as password complexity, length and other values can be audited using custom policies or policies from industry standards such as NIST, ISO or COBIT.

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.2.1.a, 11.2.1.b, 11.2.1.c, 11.2.3.a, 11.2.3.b, 11.2.3.c
Description: CCS Vulnerability Manager does the following:
- Scans the network to discover devices running on it.
- Probes vulnerabilities of the discovered devices.
- Discovers the data associated with each device, for example installed software and services running on the device.
CCS Vulnerability Manager generates the data associated with the devices: the list of scans performed on the network, the discovered devices, and the vulnerabilities associated with each discovered device. Risk ratings are based on CVSS. Note that 11.2.2, the quarterly external scan, must be performed by a PCI SSC Approved Scanning Vendor and is therefore not addressed by an internal scanner; only the internal scans (11.2.1) and the rescans after significant change (11.2.3) are listed here.

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: 12.1.3, 12.2, 12.3.5, 12.4
Description: The policy management module of CCS supports compliance with 12.1.3 in the following way. It simplifies the process of complying with multiple mandates to improve the security and compliance posture of your environment. The module provides pre-shipped policy content mapped to technical and procedural controls. Policy updates are made when regulations and frameworks change. You can report on policy compliance through reports and web-based dashboards. By mapping policies to control statements, you connect the mandates that you must comply with to the security and configuration assessment policies that validate compliance.
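The rule-by-rule pass/fail report described for the vCenter Configuration Manager based checkers in section 3, and the Control Compliance Suite rows for Requirements 2 and 8 in Table 4, come down to the same mechanism: a set of control checks evaluated against an exported configuration, each failure pointing at a remediation. The script below is an added example of that mechanism in Python; it is not VMware or Symantec code. The configuration field names and the two host exports are constructed for the example, while the thresholds are PCI DSS v2.0's own values for 8.5.10 through 8.5.15, 2.2.2 and 2.3.

```python
"""Rule-by-rule configuration check of the kind the vCenter Configuration
Manager based checker produces, and that Table 4 describes for Requirements 2
and 8 (Control Compliance Suite validating settings against a policy).
Added example, not VMware or Symantec code: the field names in the exported
configuration are assumptions; the thresholds are PCI DSS v2.0's own values
for 8.5.10-8.5.15, 2.2.2 and 2.3.
"""
from dataclasses import dataclass
from typing import Callable, List

# Cleartext or unnecessary daemons that 2.2.2 expects to be disabled on a
# cardholder data environment host (constructed list for the example).
INSECURE_SERVICES = {"telnet", "ftp", "rsh", "tftp", "http-admin"}


@dataclass(frozen=True)
class Rule:
    control: str                    # PCI DSS v2.0 control number
    description: str
    check: Callable[[dict], bool]   # True means the setting passes
    remediation: str                # what the knowledge-base entry would say


RULES: List[Rule] = [
    Rule("2.1", "Vendor-supplied default credentials changed",
         lambda c: not c["accounts"]["default_password_in_use"],
         "Change every default password before the host joins the CDE"),
    Rule("2.2.2", "Only necessary and secure services enabled",
         lambda c: not (set(c["services"]["enabled"]) & INSECURE_SERVICES),
         "Disable " + ", ".join(sorted(INSECURE_SERVICES))),
    Rule("2.3", "Non-console administrative access is encrypted",
         lambda c: c["admin_access"]["ssh_protocol"] == 2 and c["admin_access"]["tls_required"],
         "Require SSH protocol 2 and TLS for all remote administration"),
    Rule("8.5.10", "Minimum password length of at least 7",
         lambda c: c["password_policy"]["min_length"] >= 7,
         "Set minimum length to 7 or more"),
    Rule("8.5.11", "Passwords contain numeric and alphabetic characters",
         lambda c: c["password_policy"]["require_alphanumeric"],
         "Enable complexity: letters and digits"),
    Rule("8.5.12", "New password differs from the last four used",
         lambda c: c["password_policy"]["history_size"] >= 4,
         "Set password history to 4 or more"),
    Rule("8.5.13", "Lockout after no more than six failed attempts",
         lambda c: 1 <= c["password_policy"]["lockout_threshold"] <= 6,
         "Set lockout threshold to 6 or fewer"),
    Rule("8.5.14", "Lockout lasts at least 30 minutes",
         lambda c: c["password_policy"]["lockout_minutes"] >= 30,
         "Set lockout duration to 30 minutes or more"),
    Rule("8.5.15", "Idle sessions re-authenticate after at most 15 minutes",
         lambda c: 0 < c["session"]["idle_timeout_minutes"] <= 15,
         "Set idle timeout to 15 minutes or less"),
]


def assess(config: dict) -> List[dict]:
    """Evaluate every rule. A setting missing from the export is a FAIL, never
    a silent pass, so a thin configuration export cannot hide a gap."""
    results = []
    for rule in RULES:
        try:
            passed = bool(rule.check(config))
            note = "" if passed else rule.remediation
        except (KeyError, TypeError) as exc:
            passed, note = False, f"setting absent from export ({exc!r}); {rule.remediation}"
        results.append({"control": rule.control, "description": rule.description,
                        "status": "PASS" if passed else "FAIL", "note": note})
    return results


def failed_controls(config: dict) -> List[str]:
    return [r["control"] for r in assess(config) if r["status"] == "FAIL"]


# Constructed configuration exports for two hosts (not real ESXi or vCenter data).
WEAK_HOST = {
    "accounts": {"default_password_in_use": True},
    "services": {"enabled": ["ssh", "telnet", "ntp"]},
    "admin_access": {"ssh_protocol": 2, "tls_required": False},
    "password_policy": {"min_length": 6, "require_alphanumeric": False, "history_size": 0,
                        "lockout_threshold": 10, "lockout_minutes": 5},
    "session": {"idle_timeout_minutes": 60},
}
HARDENED_HOST = {
    "accounts": {"default_password_in_use": False},
    "services": {"enabled": ["ssh", "ntp"]},
    "admin_access": {"ssh_protocol": 2, "tls_required": True},
    "password_policy": {"min_length": 12, "require_alphanumeric": True, "history_size": 4,
                        "lockout_threshold": 6, "lockout_minutes": 30},
    "session": {"idle_timeout_minutes": 15},
}

if __name__ == "__main__":
    for name, cfg in (("weak-host", WEAK_HOST), ("hardened-host", HARDENED_HOST)):
        print(f"== {name}")
        for r in assess(cfg):
            tail = f"  -> {r['note']}" if r["note"] else ""
            print(f"{r['status']:4} {r['control']:<7} {r['description']}{tail}")
```

A rule whose setting is absent from the export is reported as FAIL with the reason rather than skipped; a checker that only evaluates what it can find understates the gap whenever the export is incomplete, which is exactly the case an assessor will probe.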
Table 5: Applicability of PCI Controls to Symantec Critical System Protection
PCI DSS v2.0 Applicability Matrix

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.3.5, 1.3.7, 1.4.a, 1.4.b
Description: The Critical System Protection host-based firewall enables organizations to control inbound and outbound network traffic to and from servers.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.2.a, 2.2.b, 2.2.c, 2.2.d, 2.2.2.a, 2.2.3.b, 2.2.3.c, 2.2.4.a
Description: Symantec Critical System Protection has the ability to control process behavior by allowing or disallowing specific actions. These configurations are managed with existing policies or by creating custom policies. These policies can be used to support specific system configuration requirements that include security-specific parameters.

Requirement 5: Use and regularly update anti-virus software or programs
Controls addressed: 5.2.b, 5.2.c, 5.2.d
Description: Symantec Critical System Protection can support prevention policies that restrict applications and services to specific behaviors and will prevent inappropriate modification of, or access to, system resources. Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and Windows registry settings.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6
Description: Symantec Critical System Protection monitoring provides:
- Real-time monitoring – increases detection of changes to system, data and application files, registry keys and configuration settings, and notifies on inappropriate user and application behaviors.
- Event logging and reporting – promotes effective host integrity and efficient demonstration of compliance with consolidated event logs and advanced log analysis capabilities for high availability and security across heterogeneous platforms.
Table 6: Applicability of PCI Controls to Symantec Security Information Manager
PCI DSS v2.0 Applicability Matrix

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.6.a, 10.7.a, 10.7.b
Description: Symantec Security Information Manager:
- Can enable organizations to produce executive, technical, and audit-level reports that are highly effective at communicating risk levels and the security posture of the organization.
- Can help organizations gain visibility into user access to systems and produce audit trails showing access and changes to critical applications and assets.
- Can help keep track of user behaviors relative to sensitive data, changes in access privileges, failed login attempts and other events that can collectively indicate disruptive incidents.
- Contains logging information that identifies the user, the type of event, the success or failure of that event, its origination and the name of the affected resource.
- Will scan and create file watch lists or asset policies and roles to help prioritize incident identification.
- Enables organizations to collect, store, and analyze log data as well as monitor and respond to security events to meet IT compliance requirements.
- Stores events in a collection of archive files within a specified location. The archive is implemented as a self-maintained module that monitors disk usage and the age of individual archive files. Based on policy, when a specified maximum disk space is reached or files approach their expiration date, the system deletes old archives to make room for new ones. Because 10.7 requires at least one year of audit trail history with a minimum of three months immediately available, the disk-space and expiration policy must be sized so that purging never removes logs younger than that.

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: 12.9.5
Description: Symantec Security Information Manager uses over 150 predefined source collectors and provides flexible options for customizing the collection of additional unique source logs. This allows alerts to be generated and acted upon in support of the incident response process.
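The Requirement 10 rows of Tables 5 and 6 both reduce to two checks: every audit record must carry the six fields of 10.3.1 through 10.3.6 (user, event type, date and time, success or failure, origination, affected resource), and the collected events must be searchable for patterns such as repeated failed logins. The script below is an added example in Python, not Symantec code, that runs both checks over a batch of log lines; the key=value log format and the sample lines are constructed for the example.

```python
"""Audit-trail checks for PCI DSS v2.0 10.3.1-10.3.6 (the fields every audit
record must carry) plus a simple failed-login detection of the kind a SIEM such
as the Security Information Manager described above would run. Added example,
not Symantec code. The log format (key=value pairs after a syslog-style prefix)
and the sample lines are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# PCI DSS v2.0 10.3.x -> field each record must contain
REQUIRED_FIELDS = {
    "10.3.1": "user",      # user identification
    "10.3.2": "event",     # type of event
    "10.3.3": "ts",        # date and time
    "10.3.4": "result",    # success or failure indication
    "10.3.5": "src",       # origination of event
    "10.3.6": "target",    # identity or name of affected data, component or resource
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; the syslog timestamp becomes 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = {"ts": m.group("ts"), "host": m.group("host")}
    for key, value in KV_RE.findall(m.group("rest")):
        fields[key] = value.strip('"')
    return fields


def missing_controls(record: Dict[str, str]) -> List[str]:
    """Return the 10.3.x controls this record fails to satisfy."""
    return [ctl for ctl, field in REQUIRED_FIELDS.items() if not record.get(field)]


def audit(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Per-line (line number, unmet 10.3.x controls); an empty list means compliant."""
    return [(n, missing_controls(parse(line))) for n, line in enumerate(lines, 1)]


def failed_logins(lines: List[str], threshold: int = 6) -> Dict[str, int]:
    """Users whose failed authentications reach the 8.5.13 lockout threshold
    (no more than six attempts) within the supplied batch of lines."""
    counts: Counter = Counter()
    for rec in map(parse, lines):
        if rec.get("event") == "auth" and rec.get("result") == "failure" and rec.get("user"):
            counts[rec["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample events (not real logs).
SAMPLE_LOG = [
    '2012-06-01T10:00:01Z esx01 user=root event=auth result=success src=10.1.2.3 target=esx01:ssh',
    '2012-06-01T10:00:09Z esx01 user=jdoe event=auth result=failure src=10.1.2.9 target=esx01:ssh',
    '2012-06-01T10:00:12Z esx01 user=jdoe event=auth result=failure src=10.1.2.9 target=esx01:ssh',
    '2012-06-01T10:00:15Z esx01 user=jdoe event=auth result=failure src=10.1.2.9 target=esx01:ssh',
    '2012-06-01T10:00:18Z esx01 user=jdoe event=auth result=failure src=10.1.2.9 target=esx01:ssh',
    '2012-06-01T10:00:21Z esx01 user=jdoe event=auth result=failure src=10.1.2.9 target=esx01:ssh',
    '2012-06-01T10:00:24Z esx01 user=jdoe event=auth result=failure src=10.1.2.9 target=esx01:ssh',
    # user and result missing: fails 10.3.1 and 10.3.4
    '2012-06-01T10:01:00Z esx01 event=file_modify src=10.1.2.3 target="/etc/vmware/hostd/config.xml"',
    # no origination: fails 10.3.5
    '2012-06-01T10:02:00Z vc01 user=admin event=priv_escalation result=success target=vCenter:root',
]

if __name__ == "__main__":
    for n, gaps in audit(SAMPLE_LOG):
        print(f"line {n}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
    print("lockout candidates:", failed_logins(SAMPLE_LOG))
```

The field check is the one to run first when onboarding a new log source: a source that omits, say, the originating address on every line cannot satisfy 10.3.5 no matter how well the SIEM correlates it, and that is cheaper to discover before the collector is in production than during the assessment.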
Table 7: Applicability of PCI Controls to Symantec Data Loss Prevention
PCI DSS v2.0 Applicability Matrix

Requirement 3: Protect stored cardholder data
Controls addressed: 3.1.1.a, 3.1.1.b, 3.1.1.d, 3.1.1.e, 3.2.a, 3.2.1, 3.2.2, 3.2.3, 3.3, 3.4.a, 3.4.b, 3.4.c, 3.4.d
Description: Symantec Data Loss Prevention covers both agent-based and network-based monitoring for sensitive data. Symantec Data Loss Prevention enables you to:
- Locate confidential information on file and web servers, in databases, and on endpoints such as desktop and laptop systems.
- Protect confidential information through quarantine.
- Monitor network traffic for transmission of confidential data.
- Monitor the use of sensitive data on endpoint computers.
- Prevent transmission of confidential data to outside locations.
- Automatically enforce data security and encryption policies.
Data Loss Prevention/Enterprise Vault:
- Data Loss Prevention for Storage includes Symantec Enterprise Vault, which enables this by putting intelligence around archive, retention and deletion policies.
- Relevant items are easily preserved on legal hold and provided to the requesting party through a flexible and auditable export process to simplify production.
- Manage email and files with more granular control over the identification, retention, and deletion of information.
Symantec Data Loss Prevention Discovery and Storage:
- Advanced endpoint agent tamper-proofing protects against technically savvy malicious insiders who try to evade DLP protection by tampering with the Endpoint Agent services and files in Microsoft Windows.
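The first Data Loss Prevention bullet above, locating cardholder data on file servers, in databases and on endpoints, is the discovery step behind 3.1 and 3.2: you cannot limit retention or purge prohibited data you have not found. The script below is an added example in Python, not Symantec DLP code, of that step: it finds 13 to 19 digit candidates, keeps only those that pass the Luhn check, and reports them masked as 3.3 permits (at most the first six and last four digits). The sample files are constructed; 4111111111111111 and 5500000000000004 are well-known test card numbers, not real accounts.

```python
"""Discovery of stored primary account numbers (PANs) in files, the job the
Data Loss Prevention 'locate confidential information' bullet above describes,
with output masked as PCI DSS v2.0 3.3 allows (first six and last four digits
at most). Added example, not Symantec DLP code. The sample files are
constructed; the card numbers in them are well-known test values.
"""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, bounded by non-digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Render a PAN the way 3.3 permits on display: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """(offset, masked PAN) for every Luhn-valid 13-19 digit candidate in text.
    A candidate is only tried from a digit boundary, so a PAN embedded inside a
    longer digit run is not found (a known limitation of this simple scanner)."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a name->content mapping; only files with at least one hit are reported."""
    report = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = hits
    return report


# Constructed sample 'file system' (not real data). The CSV holds two test PANs;
# the log holds a 16-digit reference and a 14-digit invoice number, both Luhn-invalid.
SAMPLE_FILES = {
    "orders/2012-05.csv": "id,card,amount\n1001,4111 1111 1111 1111,19.99\n1002,5500-0000-0000-0004,5.00\n",
    "logs/app.log": "order 1003 ref 1234567890123456 ok\ninvoice number 20120531000001\n",
    "notes.txt": "PAN 4111111111111111 must not be stored here\n",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for offset, masked in hits:
            print(f"{name}: offset {offset}: {masked}")
```

Two limits are worth knowing before relying on a scan like this: Luhn filters most random digit strings but not all of them, so hits still need review before they are treated as stored cardholder data, and a scanner that reports the full PAN in its own output has just created another store of cardholder data, which is why the report is masked rather than the findings being logged in clear.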
Table 8: Applicability of PCI Controls to Symantec Encryption Products
PCI DSS v2.0 Applicability Matrix

Requirement 3: Protect stored cardholder data
Controls addressed: 3.4.a, 3.4.c, 3.4.d, 3.4.1.a, 3.4.1.b, 3.4.1.c, 3.5.1, 3.5.2.a, 3.5.2.b, 3.6.a, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5.a, 3.6.5.b, 3.6.7
Description: Symantec Encryption Products/PGP Key Management:
- Using the PGP Key Management Server, organizations can monitor access controls from a central location to make sure that all keys stay safe.
- Key management creates, distributes, and stores encryption keys while maintaining the organization's ability to recover data.
- Provides a comprehensive system for managing multiple types of encryption keys for use throughout a distributed enterprise with a broad number of applications. It consists of a server that acts as the administrative point, along with a number of methods to connect, including an agent, API, and SDK.
- Prior to a key being generated, there must be an established set of policies that define how keys should be created, what workflow must be followed, and the circumstances that govern their usage.
- Organizations that are concerned about, or required to, rotate keys on a periodic basis may need to set a policy to rotate the key within a given time frame, such as annually.
- A retired key should be removed from production, but it may need to be kept in a state from which it can be retrieved under certain circumstances even though it is no longer in use.
- Keys that are no longer in use and no longer needed may need to be destroyed properly. For example, if an archive tape is stolen, an organization may choose to destroy the key to effectively destroy the ability to recover any data on that tape.
- … protecting all your files when you are not using them. You can use PGP Whole Disk Encryption and PGP Virtual Disk volumes on the same system. On Windows systems, you can protect whole-disk-encrypted drives with a passphrase or with a keypair on a USB token for added security. Note that 3.4.1 requires logical access to an encrypted file system to be managed independently of the native operating system access control mechanism, and the decryption keys must not be tied to user accounts; a disk encryption deployment that unlocks with the Windows logon alone does not meet it.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: 4.2.a
Description: PGP Universal Server can be configured to do the following:
- Automatically create and maintain a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic.
- Allow you to send protected messages to addresses that are not part of the SMSA.
- Automatically encrypt, decrypt, sign, and verify messages.
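The key management bullets in the Requirement 3 row above describe a lifecycle: keys are generated under policy (3.6.1), rotated at the end of a cryptoperiod (3.6.4), retired so that they can still read old data, and finally destroyed (3.6.5), at which point whatever was only ever encrypted under them is gone, which is the point of the stolen-tape example. The script below is an added example in Python, not PGP or Symantec code, of a key manager that enforces those state transitions and re-encrypts stored records on rotation. It uses a stand-in stream cipher (an HMAC-SHA256 keystream in counter mode) so that it runs with the standard library alone; a production system would use an authenticated cipher such as AES-GCM from a vetted library. Key identifiers, states and the one-year cryptoperiod are assumptions.

```python
"""Key lifecycle controls from the Requirement 3 row above (3.6.1 generation,
3.6.4 periodic change, 3.6.5 retirement and destruction) as a small key manager.
Added example, not PGP or Symantec code. The cipher is a stand-in stream cipher
(HMAC-SHA256 keystream in counter mode) so the script needs only the standard
library; production code should use an authenticated cipher such as AES-GCM from
a vetted library. Key IDs, states and the cryptoperiod are assumptions.
"""
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

CRYPTOPERIOD = timedelta(days=365)      # example rotation policy for 3.6.4
Record = Tuple[str, bytes, bytes]       # (key_id, nonce, ciphertext)


@dataclass
class Key:
    key_id: str
    material: Optional[bytes]           # None once destroyed (zeroised)
    created: datetime
    state: str = "active"               # active -> retired -> destroyed


def _keystream(key: bytes, nonce: bytes, length: int) -> b"".__class__:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyManager:
    def __init__(self, now: datetime):
        self.now = now
        self.keys: Dict[str, Key] = {}
        self.active_id: Optional[str] = None

    def generate(self) -> str:
        """3.6.1: strong random key; it becomes the only key allowed to encrypt."""
        key_id = f"dek-{len(self.keys) + 1:03d}"
        self.keys[key_id] = Key(key_id, secrets.token_bytes(32), self.now)
        self.active_id = key_id
        return key_id

    def encrypt(self, plaintext: bytes) -> Record:
        key = self.keys[self.active_id]
        if key.state != "active":
            raise PermissionError("only the active key may encrypt")
        nonce = secrets.token_bytes(16)     # unique per record; never reuse with a key
        return key.key_id, nonce, _xor(plaintext, _keystream(key.material, nonce, len(plaintext)))

    def decrypt(self, record: Record) -> bytes:
        key_id, nonce, ciphertext = record
        key = self.keys[key_id]
        if key.state == "destroyed" or key.material is None:
            raise PermissionError(f"{key_id} is destroyed; the data is unrecoverable by design")
        # retired keys may still decrypt: that is what lets old data be migrated or read
        return _xor(ciphertext, _keystream(key.material, nonce, len(ciphertext)))

    def rotation_due(self) -> bool:
        """3.6.4: the active key has reached the end of its cryptoperiod."""
        return self.now - self.keys[self.active_id].created >= CRYPTOPERIOD

    def rotate(self, records: List[Record]) -> List[Record]:
        """Re-encrypt every record under a fresh key, then retire the old one."""
        old_id = self.active_id
        self.generate()
        migrated = [self.encrypt(self.decrypt(r)) for r in records]
        self.keys[old_id].state = "retired"
        return migrated

    def destroy(self, key_id: str) -> None:
        """3.6.5: zeroise the material; whatever is still encrypted under it is gone."""
        key = self.keys[key_id]
        if key.state == "active":
            raise PermissionError("rotate before destroying the active key")
        key.material = None
        key.state = "destroyed"


def demo() -> dict:
    """Run the whole lifecycle on a constructed record and report what was observed."""
    km = KeyManager(now=datetime(2012, 1, 1))
    first = km.generate()
    old = [km.encrypt(b"PAN:4111111111111111")]       # constructed test value, not a real PAN
    km.now = datetime(2013, 1, 2)                       # one cryptoperiod later
    facts = {"due_after_year": km.rotation_due()}
    new = km.rotate(old)
    facts["state_after_rotate"] = km.keys[first].state
    facts["old_record_readable"] = km.decrypt(old[0]) == b"PAN:4111111111111111"
    km.destroy(first)
    facts["state_after_destroy"] = km.keys[first].state
    try:
        km.decrypt(old[0])
        facts["readable_after_destroy"] = True
    except PermissionError:
        facts["readable_after_destroy"] = False
    facts["migrated_plaintext"] = km.decrypt(new[0])
    facts["key_changed"] = new[0][0] != old[0][0]
    return facts
```

Calling demo() walks the lifecycle end to end: rotation re-encrypts the record under dek-002 and leaves dek-001 retired but still able to read the original ciphertext; destroying dek-001 makes that original unreadable while the migrated copy still decrypts. The order of operations is the control: rotate, verify the migration, then destroy, never the reverse.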
Table 9: Applicability of PCI Controls to Symantec Endpoint Protection
PCI DSS v2.0 Applicability Matrix

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.4.a, 1.4.b
Description: Symantec Network Access Control:
- Is a complete, end-to-end network access control solution that enables organizations to efficiently and securely control access to corporate networks through integration with existing network infrastructures. Regardless of how endpoints connect to the network, Symantec Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides remediation capabilities if needed, and continually monitors endpoints for changes in compliance status. The result is a network environment where corporations can realize significant reductions in security incidents and increased levels of compliance with corporate IT security policy.
- Inbound and outbound traffic is limited to need.
- The Symantec desktop firewall polices network access, providing host-based network port and protocol enforcement.
- Peer-to-peer enforcement ensures that client-to-client communication occurs only between company computers and compliant computers outside the company. Compliant computers have the latest company security policy.

Requirement 5: Use and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.b, 5.2.c, 5.2.d
Description: Symantec Endpoint Protection:
- Real-time SONAR examines programs as they run, identifying and stopping malicious behavior even for new and previously unknown threats.
PCI Requirement | PCI Testing Procedures | vCloud Suite | vCloud Networking and Security Suite | VCM (vCOps Suite) | View | Symantec Control Compliance Suite | Symantec Critical System Protection | Symantec Security Information Manager | Symantec Data Loss Prevention | Symantec Encryption Products | Symantec Endpoint Protection

Number of PCI DSS Controls Addressed: 104 | 116 | 113 | 80 | 37 | 26 | 21 | 14 | 18 | 10

Requirement 1.1: Establish firewall and router configuration standards that include the following:
Testing procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

Requirement 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations
Testing procedure 1.1.1: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

Requirement 1.1.2: Current network diagram with all connections to cardholder data, including any wireless networks
Testing procedure 1.1.2.a: Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.
Testing procedure 1.1.2.b: Verify that the diagram is kept current.

Requirement 1.1.3: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Testing procedure 1.1.3.a: Verify that the firewall configuration standards include requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Testing procedure 1.1.3.b: Verify that the current network diagram is consistent with the firewall