IBM BigFix Compliance PCI Add-on Version 9.5: Payment Card Industry Data Security Standard (PCI DSS) User's Guide
May 20, 2020

Note: Before using this information and the product it supports, read the information in “Notices” on page 33.

This edition applies to version 9, release 5, modification level 0 of IBM BigFix and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2015, 2016. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. Overview . . . 1
  What’s new in PCI DSS content update release . . . 1
  PCI DSS overview . . . 2
  PCI DSS checklists . . . 3
  Key users . . . 5

Chapter 2. Setup . . . 7
  Accessing the PCI DSS Fixlet sites . . . 7
  Configuring endpoints . . . 8
    Filesystem scan configuration . . . 10

Chapter 3. Using checks and checklists . . . 13
  Viewing check Fixlets from the IBM BigFix console . . . 13
  Viewing checks from BigFix Compliance Analytics . . . 14
  Creating custom checklists . . . 14
  Modifying check parameters . . . 15
  Remediating configuration settings . . . 16

Chapter 4. Understanding the results in BigFix Compliance Analytics . . . 19
  Starting BigFix Compliance Analytics . . . 19
  Viewing reports from BigFix Compliance Analytics . . . 20
  Viewing PCI DSS compliance results . . . 21
  Filtering the check results view . . . 26
  Creating exceptions . . . 29

Appendix. Resources . . . 31

Notices . . . 33
  Trademarks . . . 35
  Terms and conditions for product documentation . . . 36


Chapter 1. Overview

IBM BigFix Compliance PCI Add-on is a new chargeable component that provides security configuration checklists that are based on the Payment Card Industry Data Security Standard (PCI DSS). These compliance checks are designed to help ensure continuous compliance at every endpoint in your organization.

This PCI component uses Security Configuration Management (SCM), which is a module under BigFix Compliance. SCM provides a comprehensive library of technical controls to detect and enforce security configurations for endpoints and servers in your organization. By using BigFix Compliance, you have instant visibility into the configurations of systems within a globally distributed infrastructure.

SCM includes a web interface, BigFix Compliance Analytics (formerly known as Security and Compliance Analytics, or SCA), which summarizes and analyzes large data streams and shows the health of your IT assets. BigFix Compliance Analytics provides report views and tools for managing the vulnerabilities that are found by the BigFix Compliance checks. These compliance reporting tools and views help you to identify configuration issues and so enforce continuous policy compliance.

These technical controls and reporting tools are based on industry best practices and standards for endpoint and server security configuration.

What’s new in PCI DSS content update release

IBM BigFix Compliance PCI Add-on now supports the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures v3.2 in several checklists. Several enhancements are also included in this release.

For a detailed list of releases, see the PCI DSS Release Notes.

New benchmark support

PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the following checklists:
- PCI DSS checklists for Windows 2008
- PCI DSS checklists for Windows 2012
- PCI DSS checklists for Windows 7
- PCI DSS checklists for Windows Embedded POSReady 7
- PCI DSS checklists for Windows Embedded Standard 7
- PCI DSS Checklist for MS IIS
- PCI DSS Checklist for MS SQL 2008
- PCI DSS Checklist for MS SQL 2012
- PCI DSS Checklist for Windows Embedded POSReady 2009

Existing checks are updated to adopt the new standard for all checklists.


New checks are added to the Windows checklists, except for the PCI DSS checklists for Windows Embedded POSReady 2009, to conform to the new requirements.

Note: The new checks that are specific to PCI DSS Requirements and Security Assessment Procedures v3.2 are considered as best practices until they become mandatory in 2018. You can exclude those checks from the compliance report by using the standard exception mechanism available in BigFix Compliance (formerly known as SCA). For more information about exceptions, see “Creating exceptions” on page 29.

Extended coverage

Additional checks on interactive logon are added to the PCI DSS checklists for Windows 2008, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7 to extend the coverage for Windows.

Other enhancements

The following enhancements are made to the existing checklists for Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7:
- The checks that are related to TLS and SSL and are not compliant with the current benchmark version are removed from the checklists.
- Mandatory checks that are related to TLS and SSL are renamed to comply with the PCI DSS benchmark.
- An extra check for TLS and SSL support is introduced.

The following enhancements are made to the existing checklists for MS SQL 2008 and MS SQL 2012:
- Checks are updated with an improved format for the measured values for enhanced readability.
- Some titles and descriptions are updated with the standardized format and extensions.
- Several checks are updated to improve the presentation of system exceptions and parameter handling.

The following enhancement is made to the checklist for Windows Embedded POSReady 2009:
- Some titles and descriptions are updated with the standardized format and extensions.

The following enhancements are made to the checklist for MS IIS:
- Some descriptions are updated to correct the manual remediation steps.
- Checks related to TLS and SSL are updated to comply with the mandatory requirement.

PCI DSS overview

IBM BigFix Compliance PCI Add-on provides checklists for PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) is a baseline of technical and organizational requirements that are related to the Payment Card Industry.


The PCI DSS states that you must establish a secure payments environment throughout your organization to achieve compliance. BigFix Compliance enforces security configurations for endpoints and servers in your organization. It can help your organization protect endpoints and assure assessors or regulators that you are meeting security compliance for PCI DSS.

By complying with the PCI DSS standards you ensure that cardholder data and sensitive authentication data are secure and well protected from malicious users and attacks.

The PCI DSS applies to all entities involved in payment card processing and requires continuous compliance with the security standards and best practices set by the PCI Security Standards Council. For more information about PCI DSS, see the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/.

When endpoints are protected, all entities that are involved in payment card processing are secure.

PCI DSS checklists

SCM is organized through checklists that assess and manage the endpoint and server configurations. Each compliance checklist is distributed by BigFix as an external Fixlet site.

SCM provides a large number of checklists to report compliance and remediate endpoint security configurations based on industry best practices, such as the Center for Internet Security (CIS) benchmarks and the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). IBM BigFix Compliance also provides security configuration checklists for Payment Card Industry Data Security Standard (PCI DSS) compliance.

Each PCI DSS checklist contains technical checks that are based on the PCI standard (PCI DSS Requirements and Security Assessment Procedures v3.0, PCI DSS Requirements and Security Assessment Procedures v3.1, and PCI DSS Requirements and Security Assessment Procedures v3.2).

Note: The checks that are specific to PCI DSS Requirements and Security Assessment Procedures v3.2 are considered as best practices until they become mandatory in 2018. You can exclude those checks from the compliance report using the standard exception mechanism available in BigFix Compliance (formerly known as SCA). For more information, see “Creating exceptions” on page 29.

These technical checks assess security policies and configurations on each endpoint, provide remediation steps to fix vulnerabilities, and provide reporting capabilities.

Note: PCI DSS requirements 9, 11, and 12, which are process-oriented in nature, are not covered in SCM.

Each PCI DSS checklist targets a specific type of operating system or middleware, and is composed of a collection of checks that get evaluated on the endpoints.

The following PCI DSS checklists are available:


Table 1. Available PCI DSS Checklists (checklist name: supported operating systems and servers)

- PCI DSS Checklist for AIX 7: AIX 7.1
- PCI DSS Checklist for MS IIS: Microsoft IIS 7
- PCI DSS Checklist for MS SQL Server 2008: Microsoft SQL Server 2008
- PCI DSS Checklist for MS SQL Server 2012: Microsoft SQL Server 2012
- PCI DSS Checklist for Windows 7: Microsoft Windows 7
- PCI DSS Checklist for Windows 2008: Microsoft Windows 2008, Microsoft Windows 2008 R2
- PCI DSS Checklist for Windows 2012: Microsoft Windows 2012, Microsoft Windows 2012 R2
- PCI DSS Checklist for Windows Embedded POSReady 7: Microsoft Windows Embedded POSReady 7
- PCI DSS Checklist for Windows Embedded POSReady 2009: Microsoft Windows Embedded POSReady 2009
- PCI DSS Checklist for Windows Embedded Standard 7: Microsoft Windows Embedded Standard 7
- PCI DSS Checklist for RHEL 5: Red Hat Enterprise Linux 5
- PCI DSS Checklist for RHEL 6: Red Hat Enterprise Linux 6
- PCI DSS Checklist for RHEL 7: Red Hat Enterprise Linux 7

Note: The Linux support is exclusively for Red Hat Enterprise Linux operating systems. It does not include add-ons or middleware such as JBoss and Apache.

PCI DSS checklist content

You can access a checklist by subscribing to the external Fixlet sites that are provided by SCM. A single site can contain checks for multiple requirements.

Each site contains a set of Fixlets and Analyses, where Fixlets or checks correspond to a specific configuration setting in accordance with the PCI DSS requirements. A Fixlet evaluates a system setting against a specific policy value and displays the compliance state of an endpoint. An analysis is associated to each Fixlet that retrieves the actual state of each configuration item on an endpoint.

Most of the Fixlets have a parameterized setting to enable customization for compliance evaluation.

Each Fixlet contains instructions on how to manually remediate a noncompliant endpoint. These steps can be found in the Description tab. Some of these Fixlets provide actions that you can take to automatically remediate noncompliant settings on endpoints. For more information about remediation support, see the PCI DSS Release Notes.

The compliance status of each PCI DSS check and checklist is calculated by Security and Compliance Analytics (SCA), which is now known as BigFix Compliance Analytics, during a periodic Extract Transform and Load (ETL) process. Some checklists require you to run the Environment Setup Task. For more information, see “Configuring endpoints” on page 8.


Key users

Learn how users use the PCI DSS checklists for their role.

IT managers use the PCI DSS checklists to enforce security policies and document the current state of compliance against corporate policies.

IBM BigFix console operators focus on the detailed day-to-day configuration management of all systems, using the detailed information available for each endpoint.

Security Administrators use PCI DSS checklists to determine the current state of compliance for systems within the entire organization.

Note: If concerns regarding separation of duties arise, use BigFix version 9.2 or higher, where access control for actions is allowed.


Chapter 2. Setup

Note: IBM BigFix for Security and Compliance Analytics (SCA) is now called IBM BigFix Compliance Analytics. The listed resources have yet to be rebranded.

This guide assumes that you have installed and configured Security Configuration Management (SCM) successfully. You can access the PCI DSS checklists only after that step is completed and if you have a license for IBM BigFix PCI Add-on.

This guide does not describe the installation and configuration steps for IBM BigFix nor for BigFix Compliance Analytics. For a list of documentation on SCM and BigFix Compliance Analytics, see “Resources,” on page 31.

Accessing the PCI DSS Fixlet sites

Before you can access the security configuration checklists that are related to PCI DSS, you must acquire the sites and accept the license agreement. After you acquire the site, you must gather the contents of the site to your console. You must also subscribe your computers to the site so they can access the PCI DSS content.

Before you begin

If you have enabled any of the PCI DSS beta sites in your environment, you must first remove them to avoid any conflicting issues with the production sites. If you fail to do so, the content in the production sites will fail.

About this task

You cannot access the PCI DSS sites unless you have a license for the IBM BigFix Compliance PCI Add-on component. For more information about getting a license, contact the BigFix licensing team at [email protected].

The procedure for acquiring the PCI DSS sites and gathering the contents of the site is similar to the procedure for other BigFix applications and sites. You can subscribe to a PCI DSS site by using the License Overview Dashboard from the BigFix Management domain only if you have purchased the license.

Procedure

1. From the BigFix console, go to the BigFix Management domain and click License Overview.

2. Scroll down to the PCI DSS Security and Compliance section of the License Overview dashboard.

   Note: The PCI DSS Security and Compliance section will only be visible if you have purchased the license.

3. Click Enable beside the PCI DSS sites that you want your computers to subscribe to. The site is added as an external site in the IBM BigFix Console. It typically takes a few minutes for the contents to become available on your system.


4. Go to the Security Configuration domain.

5. Click All Security Configuration > Sites > External Sites, and then click the added site.

6. Click the Computer Subscriptions tab to subscribe the computers to a site.

   Note: Limit the access to the site to only the computers that you want to be able to use the PCI DSS checklists.

Configuring endpoints

Some checklists require you to run the Environment Setup Task to populate the necessary properties on the endpoints to enable relevance evaluation. Run this task when it shows as relevant and refresh the results on the endpoint.

About this task

You must run the Environment Setup Task if you are using any of the following sites or checklists:
- PCI DSS Checklist for AIX 7
- PCI DSS Checklist for MS IIS
- PCI DSS Checklist for MS SQL 2008
- PCI DSS Checklist for MS SQL 2012
- PCI DSS Checklist for RHEL 5
- PCI DSS Checklist for RHEL 6
- PCI DSS Checklist for RHEL 7

Figure 1. License Overview dashboard


The check Fixlets from these sites will only show the current results when the Environment Setup Task completes.

Note: You do not need to complete this task if you are not using any of these checklists.

Schedule periodic execution of the Environment Setup Task if you are using any of the mixed content sites.

Procedure

1. From the Security Configuration domain, click All Security Configuration > Sites > External Sites.

2. Select a checklist, and click Fixlets and Tasks.

3. In the List panel, locate and click Environment Setup Task.

4. Click Take Action to deploy the task. You can also click the appropriate link in the Actions box.

5. Select the appropriate endpoints in your environment.

6. Click the Execution tab.

Figure 2. Environment Setup Task in the PCI DSS Checklist for MS IIS site


7. Set the environment task to run daily and click OK.

8. When the task completes, refresh the endpoints.

What to do next

The Environment Setup Task also updates the reports in the Security and Compliance Analytics console (now known as BigFix Compliance Analytics) with the latest results. To ensure that you get the latest content, run this task on the endpoint before running an import. For automatic, daily import to BigFix Compliance Analytics, there is no need to schedule more than one run of the Environment Setup Task action.

Filesystem scan configuration

If you are using the PCI DSS checklist for AIX 7, you can further configure the range of filesystems and directories to be included in the property file used for relevance evaluation.

Some of the AIX Fixlets verify attributes and ownership of various subsets of files on local drives, including the property file that is created by the Environment Setup Task. This property file denotes the list of files that are used by the Fixlets in the PCI DSS checklist for AIX. It contains a list of all local and regular files with the exclusion of remote filesystems and special filesystems such as /tmp or /dev.

BigFix provides the globalfind feature to help prevent multiple scanning of local filesystems, which in turn provides better performance results.

Figure 3. Take Action - Execution tab


You can set the parameters for the globalfind feature from Configure Filesystem Scan Options to indicate the mount points, directories, or filesystems that are not to be included in the property file. For example, you can specify to skip the data partitions that have too many files.

Note: The parameter changes will only take effect after the next Environment Setup Task run.
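The single-scan property file and the exclusion options described above, as an added example that is not IBM's code: a local file inventory is built once with configurable exclusions (stand-ins for the Configure Filesystem Scan Options parameters; the real task's property file format is not documented on this page), and two file-attribute checks then read that inventory instead of rescanning the disk. All class and function names (ScanOptions, build_property_file, world_writable_files, files_not_owned_by, demo_scan) are assumed.

```python
# Added example, not IBM's code. Names are assumed; the real property file
# format of the Environment Setup Task is not documented here.
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

# Special filesystems the guide says are always left out of the property file.
SPECIAL_FILESYSTEMS = ("/tmp", "/dev")


@dataclass
class ScanOptions:
    roots: List[str]                                            # scan start points
    skip_mount_points: List[str] = field(default_factory=list)  # e.g. a data partition with too many files
    skip_dirs: List[str] = field(default_factory=list)          # directory names pruned anywhere


def _excluded(path: str, opts: ScanOptions) -> bool:
    """Prune a directory that is a special or configured mount point (an exact
    match suffices because the subtree below it is never entered) or whose
    name is in the configured skip list."""
    norm = path.rstrip("/") or "/"
    mounts = set(SPECIAL_FILESYSTEMS) | {m.rstrip("/") or "/" for m in opts.skip_mount_points}
    return norm in mounts or os.path.basename(norm) in opts.skip_dirs


def scan_local_files(opts: ScanOptions) -> List[str]:
    """Walk each root once and keep regular files only (symlinks, devices and
    directories are dropped). Remote mounts must be listed as excluded mount
    points; this example does not detect them by itself."""
    found = []
    for root in opts.roots:
        if _excluded(root, opts):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune in place so os.walk never descends into excluded directories.
            dirnames[:] = [d for d in dirnames if not _excluded(os.path.join(dirpath, d), opts)]
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    if stat.S_ISREG(os.lstat(full).st_mode):
                        found.append(full)
                except OSError:
                    continue
    return found


def build_property_file(opts: ScanOptions, property_file: str) -> int:
    """Write the inventory once, one path per line, and return its size.
    Every check below reads this file instead of rescanning the disk."""
    paths = scan_local_files(opts)
    with open(property_file, "w", encoding="utf-8") as fh:
        fh.write("".join(p + "\n" for p in paths))
    return len(paths)


def _select(property_file: str, predicate) -> List[str]:
    """Apply a stat-based predicate to every inventoried file."""
    found = []
    with open(property_file, encoding="utf-8") as fh:
        for line in fh:
            path = line.rstrip("\n")
            try:
                if path and predicate(os.lstat(path)):
                    found.append(path)
            except OSError:      # removed since the scan: skip, do not fail the check
                continue
    return sorted(found)


def world_writable_files(property_file: str) -> List[str]:
    """Check: inventoried files that are writable by 'other'."""
    return _select(property_file, lambda st: bool(st.st_mode & stat.S_IWOTH))


def files_not_owned_by(property_file: str, uid: int) -> List[str]:
    """Check: inventoried files whose owner is not the expected uid."""
    return _select(property_file, lambda st: st.st_uid != uid)


def demo_scan() -> Dict[str, object]:
    """Create a constructed sample tree, scan it with exclusions and run both
    checks; paths are returned relative to the tree so the result is stable."""
    base = tempfile.mkdtemp(prefix="pci-scan-")
    layout = {                      # relative path -> mode (constructed data)
        "etc/app.conf": 0o644,
        "etc/world.log": 0o666,     # the one finding that should survive
        "data/huge.dat": 0o666,     # lives on an excluded "mount point"
        "cache/tmp.bin": 0o666,     # lives in an excluded directory name
    }
    for rel_path, mode in layout.items():
        full = os.path.join(base, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("x")
        os.chmod(full, mode)
    os.symlink(os.path.join(base, "etc", "world.log"), os.path.join(base, "link"))  # not regular
    opts = ScanOptions(roots=[base], skip_mount_points=[os.path.join(base, "data")], skip_dirs=["cache"])
    fd, property_file = tempfile.mkstemp(prefix="pci-inventory-")  # kept outside the scanned tree
    os.close(fd)

    def rel(paths: List[str]) -> List[str]:
        return sorted(os.path.relpath(p, base) for p in paths)

    return {"count": build_property_file(opts, property_file),
            "world_writable": rel(world_writable_files(property_file)),
            "wrong_owner": rel(files_not_owned_by(property_file, os.getuid()))}
```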


Chapter 3. Using checks and checklists

The check Fixlets in Configuration Management checklists assess an endpoint against a configuration standard. Many check Fixlets have a corresponding analysis, sometimes referred to as measured values, that reports the value of the element that the check Fixlet evaluates.

Viewing check Fixlets from the IBM BigFix console

A check Fixlet becomes relevant when a client computer is out of compliance with a configuration standard. By viewing the Configuration Management Fixlets, Console Operators can identify non-compliant computers and the corresponding standards.

Before you begin

Subscribe to the PCI DSS Fixlet sites to gain access to the check Fixlets.

About this task

Complete the following steps to view the check Fixlets in the IBM BigFix Console after subscribing and gathering the site content.

Procedure

1. From the Security Configuration domain, click All Security Configuration > Sites > External Sites.

2. Expand a checklist.

3. Click Fixlets and Tasks. The Fixlets and Tasks section opens.

4. Click one of the Fixlets displayed in the list. The Fixlet opens with the following tabs: Description, Details, Applicable Computers, and Action History.

5. Click the Description tab to view the text that describes the Fixlet.
   The Fixlet is applicable to a subset of endpoints on your network. The size of that subset is shown in the Applicable Computers tab.
   A Fixlet typically has a description of the check appended with the rationale and guidelines of the actions for remediation. If the Fixlet is relevant, you must take an action listed in the Remediation section of the description to remediate the noncompliance. You can also access the associated analysis from the description.

   Note: The Check ID refers to the Source ID of the Fixlet.

6. If you are using any of the checklists for MS SQL 2008, MS SQL 2012, MS IIS, or RHEL, run the Environment Setup Task.

   Note: Run the Environment Setup Task periodically to gather the latest results. For more information about this task, see “Configuring endpoints” on page 8.


Viewing checks from BigFix Compliance Analytics

The compliance status of each PCI DSS check and checklist is calculated by BigFix Compliance Analytics (formerly known as Security and Compliance Analytics or SCA) during a periodic Extract Transform and Load (ETL) process.

For more information about using BigFix Compliance Analytics, see Chapter 4,“Understanding the results in BigFix Compliance Analytics,” on page 19.

Creating custom checklists

Create custom copies of the PCI DSS content if you want to modify the checks based on a specific corporate policy. You can manually create a custom site to host the PCI DSS checklists or use the Create Custom Checklist wizard to create copies of the PCI DSS checklists and save them in a custom site.

Before you begin

You must subscribe to the SCM Reporting external site.

About this task

You can use custom checklists to fine-tune your ability to customize Configuration Management parameters, which gives you control over your security status. Custom checklists target specific sets of computers with tailored content using the subscription mechanism. This allows statistics to be gathered with finer granularity. For more information, see “Modifying check parameters” on page 15.

Procedure

- Creating custom checklists manually

  1. From the Security Configuration Domain, go to Configuration Management > Checklist Tools > Create Custom Checklist.

  2. Enter the name of the new checklist.

  3. Select the target platform.

  4. Click the drop-down menu to select which external checklist you copy the checks from. As you select the checks, they are shown in the staged list at the lower part of the window.

  5. Click the Activate Measured Value analyses after copying check box to activate all analyses that were copied.

  6. Click Create Checklist.

  The console begins copying the checks in the selected lists into your new custom checklist. The process might take several minutes, depending on the number and size of the checklists selected.

- Creating custom checklist by using the Create Custom Checklist wizard

  1. Select Tools > Create Custom Site.

  2. You are prompted for a name for your custom site. Enter a name and click OK.

  3. From the Domain panel, find your site under Sites > Custom and click it to describe your site. From the Details tab, enter a description of your site. From the Domain pull-down menu, select a Domain to house your site.

  4. From the Computer Subscriptions tab, indicate which subset of your BigFix client computers you want to subscribe to this site.


  5. From the Operator Permissions tab, you can grant specific access permissions to specific operators.

  6. Click the Save Changes button above the work area to complete the description of your site. You must enter your password to propagate your new custom site.

What to do next

Subscribe computers to the custom checklist.

Note: Custom checklists do not support site relevance, so take extra precaution when you subscribe computers to custom checklists.

Modifying check parameters

In addition to monitoring compliance status and remediating settings that are out of compliance, you can also modify the values for the defined configuration settings according to company policies.

Before you begin

To modify the desired value of the check parameter in the Fixlet check description, you must first create a custom site. For more information about custom sites, see “Creating custom checklists” on page 14.

Parameters are stored as site settings, so you can parameterize the same check differently for each site containing a copy of the check.

Note: Not all checks in custom sites can be parameterized.

About this task

Some of the Fixlet checks allow you to set a more restrictive value than the one specified by the PCI DSS, giving you greater flexibility to customize security policies to meet a specific situation.

Important: Custom parameterization may take a few minutes to process. Allow enough time between updating a check parameter and executing the Environment Setup Task for optimum results.

Procedure

1. Open the Fixlet check and click the Description tab.

2. Scroll down to the Parameters section and enter the value.

Figure 4. Parameterization


3. Click Save.

4. Deploy the Fixlet.
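How a parameterized check, a site-level parameter that may only be more restrictive than the PCI DSS value, and the exception mechanism from Chapter 1 combine into the per-endpoint compliance figure that BigFix Compliance Analytics reports, as an added example that is not BigFix content: the sample checks, measured values and all names (Check, validate_site_params, effective_value, is_relevant, evaluate_checklist, demo_report) are constructed for illustration.

```python
# Added example, not BigFix content: a model of how parameterized checks,
# site-level overrides (accepted only when stricter) and exceptions combine
# into a checklist compliance figure. Names and sample data are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Check:
    source_id: str      # the Check ID, i.e. the Fixlet's Source ID (constructed values)
    title: str
    setting: str        # configuration item the associated analysis measures
    policy_value: int   # value the PCI DSS benchmark requires
    stricter: str       # "lower": a smaller value is stricter; "higher": a larger one is
    dss_version: str    # "3.0" or "3.2" (3.2-only checks are best practice until 2018)


# Constructed sample checks modelled on PCI DSS requirement 8 settings.
CHECKS = [
    Check("PCI-8.1.6", "Lock out after at most 6 invalid attempts", "lockout_threshold", 6, "lower", "3.0"),
    Check("PCI-8.1.8", "Idle session timeout of at most 15 minutes", "idle_timeout_min", 15, "lower", "3.0"),
    Check("PCI-8.2.3", "Minimum password length of at least 7", "min_pw_len", 7, "higher", "3.0"),
    Check("PCI-8.2.4", "Password change at least every 90 days", "max_pw_age_days", 90, "lower", "3.0"),
    Check("PCI-8.3.1-v32", "MFA for non-console administrative access", "admin_mfa", 1, "higher", "3.2"),
]

# Constructed measured values, as each endpoint's analysis would report them.
# sql-01 is missing two settings, as if the Environment Setup Task had not run.
ENDPOINTS = {
    "pos-01": {"lockout_threshold": 5, "idle_timeout_min": 10, "min_pw_len": 12,
               "max_pw_age_days": 60, "admin_mfa": 1},
    "pos-02": {"lockout_threshold": 10, "idle_timeout_min": 15, "min_pw_len": 7,
               "max_pw_age_days": 90, "admin_mfa": 0},
    "sql-01": {"lockout_threshold": 6, "idle_timeout_min": 15, "min_pw_len": 8},
}
SITE_PARAMS = {"PCI-8.2.3": 12, "PCI-8.2.4": 60}   # corporate policy, stricter than PCI DSS
V32_EXCEPTIONS = {c.source_id for c in CHECKS if c.dss_version == "3.2"}  # excluded from the report


def _looser(check: Check, value: int) -> bool:
    """True when value is less restrictive than the PCI DSS policy value."""
    return value > check.policy_value if check.stricter == "lower" else value < check.policy_value


def validate_site_params(checks: List[Check], site_params: Dict[str, int]) -> List[str]:
    """IDs whose site parameter is looser than PCI DSS allows; the guide only
    permits more restrictive values, so these need correcting before deployment."""
    return [c.source_id for c in checks
            if c.source_id in site_params and _looser(c, site_params[c.source_id])]


def effective_value(check: Check, site_params: Dict[str, int]) -> int:
    """The site parameter wins only when it is at least as strict; a looser one
    falls back to the PCI DSS value so a mis-set parameter cannot weaken the check."""
    value = site_params.get(check.source_id)
    if value is None or _looser(check, value):
        return check.policy_value
    return value


def is_relevant(check: Check, measured: Optional[int], site_params: Dict[str, int]) -> bool:
    """A check Fixlet is relevant (the endpoint is noncompliant) when the measured
    value fails the effective policy value. A missing measurement counts as a
    failure rather than silently passing."""
    if measured is None:
        return True
    target = effective_value(check, site_params)
    return measured > target if check.stricter == "lower" else measured < target


def evaluate_checklist(checks: List[Check], endpoints: Dict[str, Dict[str, int]],
                       site_params: Dict[str, int], exceptions: Set[str]) -> Dict[str, dict]:
    """Per endpoint: the relevant (failed) checks, those of them covered by an
    exception, and the compliance percentage over the checks that still count."""
    counted = [c for c in checks if c.source_id not in exceptions]
    report = {}
    for host, measured in endpoints.items():
        failed = [c.source_id for c in checks if is_relevant(c, measured.get(c.setting), site_params)]
        counted_failed = [cid for cid in failed if cid not in exceptions]
        report[host] = {
            "relevant": failed,
            "excepted": sorted(set(failed) & exceptions),
            "compliance_pct": round(100.0 * (len(counted) - len(counted_failed)) / len(counted), 1),
        }
    return report


def demo_report() -> Dict[str, dict]:
    """Run the constructed sample data through the model."""
    return evaluate_checklist(CHECKS, ENDPOINTS, SITE_PARAMS, V32_EXCEPTIONS)


if __name__ == "__main__":
    for host, row in demo_report().items():
        print(host, row)
```

Note that pos-02 fails PCI-8.2.3 only because the site parameter raised the minimum length to 12; with the PCI DSS default of 7 it would pass.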

Remediating configuration settings

The PCI DSS checklists for Red Hat Enterprise Linux (RHEL) 5, RHEL 6, RHEL 7, Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7 support remediation. Console operators can resolve a vulnerability issue with a single action. A remediation action can only be taken on an endpoint where the Fixlet is relevant.

About this task

You can audit, assess, and remediate configuration settings using Security and Compliance Analytics (SCA), which is now known as BigFix Compliance Analytics. For Fixlet checks that can be automatically remediated, an action is displayed in the relevant Fixlet. You can take a remediation action only on the relevant and selected endpoints.

Note: Not all Fixlets have a remediation action.

Note: When the external global policy is enabled, any changes to the local endpoint are overwritten. In that case, the remediation action must be run using the external global policy solution.

Procedure

1. From the Security Configuration Domain, go to All Security Configuration > Fixlets and Tasks.

2. Expand the sub-folders to search for the Fixlet you want to enable.

3. In the Fixlet window, click the Description tab and scroll down to the Actions box.

4. Click the link in the Actions box to remediate the specified policy issue.

Figure 5. Check containing an action for remediation


5. Set your parameters in the Take Action dialog and click OK.


Chapter 4. Understanding the results in BigFix Compliance Analytics

Use BigFix Compliance Analytics (formerly known as Security and Compliance Analytics or SCA) to navigate and explore security configuration check results.

BigFix Compliance Analytics is a web-based application designed to help you manage security, vulnerability, and risk assessment. The application tabulates security and vulnerability compliance check results to identify configuration issues and report levels of compliance toward security configuration goals. Compliance data is collected with each nightly import and is presented with historical context for trend analysis.

These reports can be filtered, sorted, grouped, customized, or exported according to your preferences and requirements.

For more information about using BigFix Compliance Analytics, see the BigFix Compliance Analytics User's Guide.

Starting BigFix Compliance Analytics

Use any of the supported web browsers to open the web-based application.

Before you begin

Before you can use the Security and Compliance Analytics (SCA), which is now known as BigFix Compliance Analytics, you must complete the necessary installation and configuration steps. For more information, see the BigFix Compliance Analytics Setup Guide.

Procedure
1. Open Mozilla Firefox or Internet Explorer.
2. In the URL field, enter http://localhost:<port>/scm, where port is the server HTTP port that was specified during the BigFix Compliance Analytics installation.


Viewing reports from BigFix Compliance Analytics

BigFix Compliance Analytics (formerly known as Security and Compliance Analytics or SCA) displays reports containing graphical and tabular views of different aspects of your deployment compliance status. Each checklist and its checks are exported periodically into Compliance Analytics.

Before you begin

Note: If you were involved in the Early Access Program, unsubscribe from any of the PCI DSS beta sites to avoid any issues during import.

Depending on your configuration, the Extract, Transform, and Load (ETL) process that computes the compliance status of each check and checklist could take a long time. To ensure that you are viewing the latest reports, verify that imports are configured to run automatically and that a recent import has completed successfully.

To run an import, complete the following steps:
1. From the BigFix Compliance Analytics console, click Management > Imports.

Figure 6. BigFix Compliance Analytics - Overview page


2. Click Import Now.

Viewing PCI DSS compliance results

This section shows how you can view the results of PCI DSS compliance from the checklist level down to the check level.

Note: Data is updated in BigFix Compliance Analytics once a day. To ensure that your reports contain the latest data, run the import feature after running the Environment Setup tasks in the applicable sites.

Figure 7. Management menu

Figure 8. Import Now button


Viewing Checklists

To view the checklists from BigFix Compliance Analytics, click Reports > Checklists.

A list of all the available checklists is displayed. This report view provides high-level compliance information at a checklist level. It displays the list of checklists in the deployment together with the attributes of each checklist and the overall, historical aggregate compliance results of all checks on all visible computers for each checklist.

Viewing the Checklist Overview

To view more information about a checklist, click its name. The PCI DSS Checklist for Windows 2008 is shown as an example.

The Checklist Overview Report displays.

Figure 9. Reports menu

Figure 10. List of available checklists


The Overview shows a graphic representation of compliance history, computers by compliance quartile, and check results history, with an overall compliance percentage shown in the top-left corner of the console.

Viewing Checks

Figure 9 shows that there are 209 checks available in the PCI DSS Checklist for Windows 2008. To view these checks in detail, drill down to the checks.

The Checks report shows the list of checks in the given scope together with the attributes of each check and the overall, historical aggregate compliance results (the aggregate of all visible computers' pass and fail scores) of each check.

Figure 11. Checklist overview

Figure 12. Number of available checks in a checklist


Viewing Checks Overview

You can drill down to each check to view more details. Click any check in the list.

The Checks Overview report shows a graphic representation of Compliance and Check Results history, with an overall compliance percentage shown in the top-left corner of the console.

Figure 13. List of checks


Viewing Check Results

The Check Results List Report shows the checklist, check name, computer name, the date results were last seen, and level of compliance.

To access this report, click Reports > Check Results.

Figure 12 shows all the checklists that are listed in the report.

Figure 14. Check overview


You can filter the list to display only the PCI DSS checks by configuring the view. You can use the source ID as the filtering condition. For more information, see "Filtering the check results view."

Filtering the check results view

Use the source ID as the filtering condition to configure the view for the result list to display only the PCI DSS checks.

About this task

The Source ID that is used in the PCI DSS checks contains the requirement number that is in the PCI DSS Requirements and Security Assessment Procedures v3.2.

Procedure
1. Click Configure View from the upper-right corner of the console.

Figure 15. Check Results

Figure 16. PCI DSS chapter and Source ID mapping


2. Select Source ID.

3. Scroll down to the Filters section and add the following filtering conditions to filter by chapter number or by requirement number:

Figure 17. Configure View option

Figure 18. Filtering by a check's Source ID


Use the following conditions:

• Filter by chapter

pcidss-<chapter_number>.

where chapter_number refers to the PCI DSS chapter. For example: Type pcidss-1. to filter checks for chapter 1. Type pcidss-10. to filter checks for chapter 10.

Note: Ensure that the period (.) is included. If you type only pcidss-1, both chapters 1 and 10 are included in the report view.

• Filter by requirement

pcidss-<chapter_number>.<requirement_number>.<requirement_subnumber>_

where requirement_number and requirement_subnumber refer to the identification of a specific PCI DSS requirement. For example: Type pcidss-10.2.2_ to filter checks that are applicable to requirement 10.2.2.

Note: Ensure that the separators, both period (.) and underscore (_), are included.

4. Click Submit.

Results

Only the PCI DSS checks are now listed in the report.
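As a worked illustration of the filter strings in this procedure, the following Python models how a Source ID condition selects checks and why the trailing period and underscore matter. This is an added example, not code from the IBM guide or the product: the sample Source IDs, the suffix after the underscore, the non-PCI check in the list, and the assumption that the Configure View filter behaves as a "contains" match are all constructed here; only the pcidss-<chapter_number>.<requirement_number>.<requirement_subnumber>_ pattern comes from the guide.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample of check Source IDs. They follow the pattern this guide
# gives (pcidss-<chapter>.<requirement>.<subrequirement>_); the suffix after
# the underscore is an assumption, and the last entry is a non-PCI check
# included only to show that it never matches a pcidss- condition.
SAMPLE_SOURCE_IDS = [
    "pcidss-1.1.1_a",
    "pcidss-1.2.1_a",
    "pcidss-2.2.4_a",
    "pcidss-10.2.2_a",
    "pcidss-10.2.2_b",
    "pcidss-10.5.1_a",
    "other-win2008-1.1.1",
]

# Parses the three numeric components of a pcidss- Source ID.
SOURCE_ID_RE = re.compile(r"^pcidss-(\d+)\.(\d+)\.(\d+)_")


def chapter_condition(chapter: int) -> str:
    """Filter string for a whole chapter. The trailing period is what stops
    pcidss-1 from also matching chapter 10."""
    return f"pcidss-{chapter}."


def requirement_condition(chapter: int, requirement: int, sub: int) -> str:
    """Filter string for one requirement, trailing underscore included."""
    return f"pcidss-{chapter}.{requirement}.{sub}_"


def filter_by_condition(source_ids: Iterable[str], condition: str) -> List[str]:
    """Apply a Configure View style condition to a list of Source IDs.
    The guide does not name the comparison operator, so a substring
    ("contains") match is assumed here."""
    return [sid for sid in source_ids if condition in sid]


def parse_source_id(source_id: str) -> Optional[Tuple[int, int, int]]:
    """Return (chapter, requirement, subrequirement), or None for IDs that
    do not follow the pcidss- pattern."""
    match = SOURCE_ID_RE.match(source_id)
    if match is None:
        return None
    chapter, requirement, sub = (int(g) for g in match.groups())
    return chapter, requirement, sub


def chapters_matched(source_ids: Iterable[str], condition: str) -> Set[int]:
    """Which PCI DSS chapters a condition actually pulls into the report.
    Useful for spotting an over-broad filter before saving the view."""
    chapters: Set[int] = set()
    for sid in filter_by_condition(source_ids, condition):
        parsed = parse_source_id(sid)
        if parsed is not None:
            chapters.add(parsed[0])
    return chapters


if __name__ == "__main__":
    # Missing period: chapter 10 leaks into the chapter 1 view.
    print("pcidss-1  ->", sorted(chapters_matched(SAMPLE_SOURCE_IDS, "pcidss-1")))
    # With the period, only chapter 1 is listed.
    print("pcidss-1. ->", sorted(chapters_matched(SAMPLE_SOURCE_IDS, chapter_condition(1))))
    # One requirement, separators included.
    print(filter_by_condition(SAMPLE_SOURCE_IDS, requirement_condition(10, 2, 2)))
```

Running the script prints the chapters selected by pcidss-1 (both 1 and 10) next to those selected by pcidss-1. (only 1), which is the mismatch the note in step 3 warns about. The chapters_matched helper is the check worth running on an exported Check Results list before saving a customized view, so that a filter meant for one chapter does not silently report on two.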

Figure 19. Filters section


You can save this customized view for future use, without creating the same settings each time. When you save a report, it becomes available in the Saved Reports list report and visible in the drop-down box on the left side of the sub-navigation area when viewing that report type.

Creating exceptions

You can file for the endpoint to be excluded from the PCI DSS checks if some endpoints require compliance to older policies or standards.

About this task

Security and Compliance Analytics (SCA), which is now known as BigFix Compliance Analytics, provides a separate interface for Exception Management where you can set exceptions to exclude data from your compliance reports.

Figure 20. Configured view

Figure 21. Saved Reports


To access the Exceptions interface, click Management > Exceptions.

You can create and edit exceptions for checks, computers, computer groups, and checklists with or without an expiration date.

Figure 22. Exceptions page

Figure 23. Management menu


Appendix. Resources

You can find more information about Security Configuration Management and PCI DSS in the following resources.

Each document opens in a new window.

• PCI DSS Requirements and Security Assessment Procedures v3.2
• PCI DSS Requirements and Security Assessment Procedures v3.1
• PCI DSS Requirements and Security Assessment Procedures v3.0
• PCI DSS Release Notes
• Security Configuration Management User's Guide
• Security and Compliance Analytics Setup Guide
• Security and Compliance Analytics User's Guide
• Security and Compliance developerWorks wiki
• Endpoint Security and Compliance Management Design Guide Using IBM Tivoli Endpoint Manager


Notices

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.


Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

© (your company name) (year).
Portions of this code are derived from IBM Corp. Sample Programs.
© Copyright IBM Corp. _enter the year or years_.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of The Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM® Corp. and Quantum in the U.S. and other countries.


Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.


IBM®

Printed in USA