Quest Software Inc.
PCI Compliance Solutions from Quest Software

Payment Card Industry Data Security Standard

A consortium of payment card brands now requires all merchants who accept popular payment cards, such as credit cards and signature debit cards, to comply with a standard for securing their customers' payment card data. The standard, the Payment Card Industry Data Security Standard (PCI DSS), has been mandated by all members of the PCI Security Standards Council, which currently includes Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB.

All banks that process the payment transactions associated with these cards are responsible for ensuring that their merchants meet the standard, and the penalties for failing to comply can be severe.

For merchants and banks that use Microsoft Active Directory as part of their identity and access management solution, Quest Software can help satisfy a significant portion of the PCI DSS requirements, not only on Windows-based computers but also on Unix, Linux and Mac computers. Many institutions are struggling with the magnitude of this task and are looking for ways to automate their compliance efforts, since they are subject to periodic (in some cases quarterly) audits.

PCI – So What Is Inside?

The PCI DSS comprises twelve (12) high-level requirements and two (2) appendices with special requirements. These range from physical server security to very specific IT control objectives, and they detail how organizations must secure, handle, retain and manage cardholder data. The full standard is published by the PCI Security Standards Council.

PCI – How Quest Can Help

As the 2007 Microsoft Global ISV Partner of the Year, Quest offers award-winning software that can provide the systematic efficiency and audit-proof systems you need to meet key IT control components of the PCI DSS requirements. Quest delivers a comprehensive solution from a single vendor, with the breadth and experience that comes from more than 50,000 customers worldwide.

If you are already familiar with the PCI DSS, the chart below lets you quickly find the Quest solution by product. If you are still becoming familiar with the individual requirements of the standard, the more detailed table below the chart walks through the requirements one by one.

PCI Mapping Summary

Columns of the chart: PCI Requirement Sections 1 through 12, Appendix A and Appendix B. Number of requirement sections marked for each Quest solution:

Compliance Suite
Reporter: 8 sections
InTrust with InTrust Plug-in for AD: 5 sections
ActiveRoles Server: 6 sections

Additional Solutions
Vintela Authentication Services: 7 sections
Group Policy Manager: 5 sections
Password Manager: 1 section
Defender: 3 sections
SafeKeeping: 4 sections
Quest Privilege Manager for Unix: 7 sections
Vintela Single Sign-on for Java: 6 sections
InTrust for Databases: 8 sections

Free Webcasts!

Randy Franklin Smith, information security expert from Monterey Technology Group, presented his white paper in a live Webex session in which he discussed the main compliance regulations, identified common change management and monitoring elements, and pointed out important differences where they occur. If you missed that session, a recording of the presentation is available.

A follow-up Webex continued that topic, focusing on how Quest's award-winning software can deliver the systematic efficiency and audit-proof systems you need to meet key IT control components of the PCI DSS requirements.

PCI – How Quest Can Help, by PCI DSS Requirement

The table below details the Quest products that assist with PCI compliance, listed by requirement and section, with a description of how Quest can help:
Requirement 2: Do not use vendor-supplied default security parameters

2.1

Quest Reporter can report on null passwords, last password change dates, SNMP settings and similar vendor-default conditions.

2.2 – 2.2.4

By creating a change management environment in which Group Policy Objects are versioned and tracked, Quest's Group Policy Manager lets system administrators test, roll out, roll back and report on system configuration setting changes (augmented by Quest Reporter for CIS-benchmarked servers), so that changes conforming to industry benchmark configurations can be deployed safely. With Quest Reporter's configuration baselining feature, system administrators can compare their AD and Windows Server configurations with both internally developed and industry standard security benchmarks. Quest Reporter is CIS certified.

2.3

With Quest Reporter's configuration baselining feature, system administrators can determine which services and login methods are running on critical servers. Quest also provides Unix users with a version of OpenSSH that is linked against the Vintela Authentication Services security libraries.

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

4.1

With Quest Reporter's configuration baselining feature, system administrators can determine which encryption services, if any, are running on Windows servers that transmit and receive cardholder data.

Requirement 5: Use and regularly update anti-virus software

5.1

Quest Reporter's configuration baselining feature can verify that AV software is installed and configured on all Windows systems. In addition, InTrust collects AV event log information and reports on AV event data.

Requirement 6: Develop and maintain secure systems and applications

6.3

As part of a system configuration change test environment, Quest's Group Policy Manager supports testing of GPO changes, which can include system configuration setting changes.

Requirement 7: Restrict access to data by business need-to-know

7.1 – 7.2

Quest's ActiveRoles Server provides a full-featured solution that greatly enhances the access controls available in Active Directory (AD), while Privilege Manager for Unix offers root delegation and granular privileged access management on Unix systems. SafeKeeping adds automated password access controls on Unix systems. Quest's Vintela Single Sign-on for Java extends AD's access controls to users of web-based application servers, and Vintela Authentication Services extends the access restrictions of AD group memberships to the Unix, Linux and Mac systems that make up the organization's cardholder data environment. Finally, Group Policy Manager can manage the GPOs that carry the "deny all" settings for file systems, applications and system resources through which protected cardholder data could be reached.

Requirement 8: Assign a unique ID to each person with computer access

8.1

Quest's Privilege Manager for Unix helps enforce unique user IDs by evaluating rule sets keyed on user ID, and can be used to prevent people from sharing user accounts. In addition, Vintela Authentication Services supports corporate policies implemented in AD that require unique user names. Quest Identity Migration Wizard for Unix also provides tools to consolidate existing non-unique user accounts in AD.

8.2

Quest SafeKeeping offers authentication via unique passwords on Unix systems. In addition to standard password authentication, Privilege Manager for Unix can make additional authentication calls to any PAM-enabled system or security mechanism. Vintela Single Sign-on for Java extends AD's Kerberos password authentication to users of web-based application servers, while Vintela Authentication Services provides Kerberos-based authentication of Unix/Linux systems (or PAM-enabled Unix-based biometric applications) via password or smart card log-in.

8.3

An optional feature of Vintela Authentication Services supports multi-factor authentication to Unix/Linux systems using smart cards. Quest Reporter can also report on which users are using smart cards.

8.4

Windows and AD provide this natively (passwords are stored as hashes and Kerberos authentication does not transmit them in clear). Vintela Authentication Services extends this to Unix, Linux and Mac systems, while Vintela Single Sign-on for Java extends it to users of web-based application servers.

Ensure proper user authentication and password management for non-consumer users and administrators, on all system components

8.5

AD offers basic user ID, computer ID and password administration. Quest's ActiveRoles Server enhances AD's user provisioning by providing an automated change approval workflow for all user changes, including user rights, permissions, modification, creation and deletion. Group Policy Manager supports testing of GPO changes, which can include user group attributes. Vintela Single Sign-on for Java extends AD's basic user account management to users of web-based application servers, while Vintela Authentication Services lets Unix-enabled user IDs and passwords in AD be administered either with standard AD tools or with the vastool utility. Privilege Manager for Unix and SafeKeeping both manage the user IDs and credentials of Unix users regardless of whether they are also managed within AD. Quest Reporter can report on user access so that it can be validated against the corresponding authorization form.

8.5.2

Vintela Authentication Services extends AD's basic functionality so that Unix, Linux and Mac users must log in with their existing credentials before a password can be reset in response to a reset request; Vintela Single Sign-on for Java does the same for users of web-based application servers. Quest Password Manager adds self-service password reset and change capabilities for users managed in AD, as well as administrative password reset and management. For example, Password Manager lets an organization require a series of security questions to be answered before a user can change or update a password. Privilege Manager for Unix and SafeKeeping both verify the identity of Unix users regardless of whether they are also managed within AD.

8.5.3

AD offers this functionality natively within Windows. Vintela Authentication Services extends it to Unix, Linux and Mac systems, while Vintela Single Sign-on for Java does the same for users of web-based application servers. SafeKeeping provides it for Unix users regardless of whether they are also managed within AD.

8.5.4

The definitive record of terminated employees and contractors is held in the HR database, and revoking their access usually requires a separate step in AD. Vintela Authentication Services enforces revoked access on Unix, Linux and Mac systems for users disabled in or removed from AD, and Vintela Single Sign-on for Java does the same for users of web-based application servers. Quest's ActiveRoles Server, which adds user provisioning and de-provisioning controls, can let one designated authority (such as HR) make termination and access revocation an immediate one-step process with ActiveRoles Quick Connect. Alternatively, by continuously changing the password, SafeKeeping prevents a terminated employee or contractor from gaining access after termination. Quest Reporter can report on users who have not logged in within a period such as 180 days and, through action-enabled reporting, disable or remove them from Active Directory.

8.5.5

Quest Reporter can report on users who have been inactive for 90 days. Vintela Authentication Services works with AD so that administrators can see which Unix-enabled accounts have been inactive for 90 days or more, and Vintela Single Sign-on for Java does the same for users of web-based application servers. Quest ActiveRoles Server automates this control and serves as a complete de-provisioning solution.

8.5.6

AD offers basic management of vendor accounts. Vintela Authentication Services works with AD to let administrators disable and re-enable on demand (or enable only during specified logon hours) any Unix-enabled AD account used by vendors; Vintela Single Sign-on for Java does the same for users of web-based application servers. ActiveRoles Direct and InTrust for AD define, delegate, automate, track, log and audit vendor accounts in AD. Privilege Manager for Unix and SafeKeeping can both confine Unix users performing remote maintenance to pre-defined time windows, especially when used together.

8.5.7

This requirement must be satisfied by the merchant's own data security communication and awareness program.

8.5.8

InTrust can be configured to report on activity by generic accounts, and InTrust for AD can help identify who is using them by recording the source IP address of each logon. Vintela Authentication Services supports corporate policies that prohibit group, shared or generic accounts and passwords; Vintela Single Sign-on for Java does the same for users of web-based application servers, and Privilege Manager for Unix supports such policies for Unix users regardless of whether they are also managed within AD.

8.5.9 – 8.5.14

Quest Reporter can report on user accounts whose password has not been changed within 90 days, and can report on the related password settings to confirm they are actually applied and in effect. Quest's ActiveRoles Server and Password Manager combine to automate all of these password policies. Vintela Authentication Services extends and enforces AD's password policies (or policies implemented through an AD-based tool such as Quest Password Manager) for users of Unix, Linux and Mac systems; Vintela Single Sign-on for Java does the same for users of web-based application servers, and SafeKeeping does so for Unix users regardless of whether they are also managed within AD. Group Policy Manager supports testing of GPO changes, including these password policy settings, and provides an automated way to ensure that all security options are set correctly throughout the domain.
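The checks attributed to Quest Reporter under 2.1, 8.5.4, 8.5.5 and 8.5.9 (blank passwords permitted, stale logons, passwords older than 90 days, passwords that never expire) all reduce to reading three Active Directory attributes per user: userAccountControl, pwdLastSet and lastLogonTimestamp. The following is an added example in Python, not Quest code, that runs those checks over a constructed set of user records shaped like an LDAP export. The attribute names and userAccountControl bit values are Microsoft's; the 90-day thresholds, the sample accounts and the function names are assumptions made for the illustration.

```python
"""Account-hygiene checks over Active Directory user attributes.

Added example, not Quest code. Works on constructed records shaped like an
LDAP export: pwdLastSet and lastLogonTimestamp as Windows FILETIME integers,
userAccountControl as the AD bit field. Thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020        # blank password allowed despite domain policy
DONT_EXPIRE_PASSWORD = 0x10000
NORMAL_ACCOUNT = 0x0200

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF     # AD's "never" sentinel


def filetime_to_datetime(ft):
    """Convert 100-ns ticks since 1601-01-01 UTC to a datetime; 0 or NEVER -> None."""
    if ft in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using exact integer arithmetic (no floats)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def account_findings(users, now, max_password_age_days=90, max_inactive_days=90):
    """Return (account, finding) pairs for enabled accounts that fail a check.

    pwdLastSet == 0 means the password was never set or must change at next
    logon; lastLogonTimestamp == 0 means the account has never logged on.
    """
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], u["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue                      # already disabled: nothing to report
        if uac & PASSWD_NOTREQD:
            findings.append((name, "blank password permitted (2.1)"))
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append((name, "password never expires (8.5.9)"))
        pwd_set = filetime_to_datetime(u["pwdLastSet"])
        if pwd_set is None:
            findings.append((name, "pwdLastSet is 0 (8.5.9)"))
        elif now - pwd_set > timedelta(days=max_password_age_days):
            findings.append((name, f"password older than {max_password_age_days} days (8.5.9)"))
        last = filetime_to_datetime(u["lastLogonTimestamp"])
        if last is None or now - last > timedelta(days=max_inactive_days):
            findings.append((name, f"inactive for more than {max_inactive_days} days (8.5.5)"))
    return findings


# Constructed sample: five accounts as they might come out of an AD export.
SAMPLE_NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)


def _ft(days_ago):
    return datetime_to_filetime(SAMPLE_NOW - timedelta(days=days_ago))


SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": _ft(30), "lastLogonTimestamp": _ft(2)},
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": _ft(400), "lastLogonTimestamp": _ft(1)},
    {"sAMAccountName": "contractor1", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": _ft(10), "lastLogonTimestamp": _ft(120)},
    {"sAMAccountName": "legacy_app", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "pwdLastSet": 0, "lastLogonTimestamp": 0},
    {"sAMAccountName": "olduser", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "pwdLastSet": _ft(500), "lastLogonTimestamp": _ft(500)},
]


def run_sample():
    return account_findings(SAMPLE_USERS, SAMPLE_NOW)


if __name__ == "__main__":
    for account, finding in run_sample():
        print(f"{account:<12} {finding}")
```

Two caveats matter in practice. lastLogonTimestamp is replicated lazily (a domain controller only rewrites it when the stored value is more than about 14 days old), so it is fine for a 90-day inactivity check but not for anything finer; exact last-logon times require reading lastLogon from every domain controller. Disabled accounts are skipped here, which matches the 8.5.4 intent that terminated users be disabled or removed rather than merely listed.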

8.5.15

Quest Reporter can report on this setting to confirm it is configured and in effect. Group Policy Manager supports testing of GPO changes, including the idle-time password re-entry settings. Vintela Authentication Services can deploy screensaver configurations through Windows Group Policy to Unix, Linux and Mac systems. This assumes the company can also control root access on end-user computers, so that the screensaver configuration cannot be altered locally.

8.5.16

Vintela Authentication Services authenticates Unix, Linux and Mac operating system users and certain application users (for example, users of SAP and Oracle). Vintela Single Sign-on for Java does the same for users of a broader range of popular web-based application servers.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.1

ActiveRoles Server links cardholder data access to individual users by allowing delegation and tracking of administrative privileges for users managed in AD. Privilege Manager for Unix does the same for Unix and Linux users, regardless of whether they are also managed within AD, through carefully controlled privileged access management (for example, root delegation). InTrust enables organizations to forensically analyze all user activity, whether from a general user or an administrator; changes can be tracked and attributed to a specific user.
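The 8.5.8 entry (identifying who is using generic accounts from the source IP address) and the 10.1 entry (linking access to individual users) come down to the same analysis of successful logon events: for each account, which network addresses did the logons come from, and is a name that should have a single owner being used from several places? The following is an added example in Python, not InTrust code, over constructed Windows Security event records (event ID 4624, successful logon; 4625, failed logon) exported as CSV. The column names, the generic-account naming pattern and the sample data are assumptions made for the illustration.

```python
"""Find generic/shared accounts used from more than one source address.

Added example, not InTrust code. The event records below are constructed;
they mimic Windows Security events 4624 (successful logon) and 4625 (failed
logon) exported as CSV with a subset of the event's fields.
"""
import csv
import io
import re
from collections import defaultdict

# Sources that carry no usable network origin (console and service logons).
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}

# Naming pattern for accounts that should have a single owner. An assumption,
# to be replaced with the organisation's own list of generic accounts.
GENERIC_NAME = re.compile(r"^(svc_\w+|shared\w*|admin|administrator|dba)$", re.IGNORECASE)

# Constructed sample: logon type 10 is RemoteInteractive (RDP), 3 is network,
# 5 is a service logon, which reports no source address.
SAMPLE_EVENTS = """\
time,EventID,TargetUserName,IpAddress,LogonType
2008-06-02T08:01:10Z,4624,jdoe,10.1.20.14,10
2008-06-02T08:03:41Z,4624,svc_backup,10.1.5.2,3
2008-06-02T08:15:02Z,4624,dba,10.1.20.31,10
2008-06-02T08:16:55Z,4625,dba,10.1.20.77,10
2008-06-02T09:02:07Z,4624,dba,10.1.20.77,10
2008-06-02T09:40:13Z,4624,jdoe,10.1.20.14,10
2008-06-02T10:11:48Z,4624,svc_backup,10.1.5.2,3
2008-06-02T10:12:00Z,4624,administrator,-,5
2008-06-02T11:30:21Z,4624,administrator,10.1.20.90,10
2008-06-02T12:05:09Z,4624,administrator,10.1.20.14,10
"""


def source_ips_by_account(csv_text):
    """Map each account to the set of remote addresses that logged on with it."""
    sources = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":
            continue            # successful logons only; failures are a separate signal
        ip = row["IpAddress"]
        if ip in LOCAL_SOURCES:
            continue            # no network origin to attribute
        sources[row["TargetUserName"]].add(ip)
    return sources


def shared_generic_accounts(csv_text):
    """Generic-looking accounts seen from more than one source address.

    Returns {account: sorted list of addresses}: the pivot needed to tie each
    session back to a host and then to a person (8.5.8 / 10.1).
    """
    return {
        acct: sorted(ips)
        for acct, ips in source_ips_by_account(csv_text).items()
        if GENERIC_NAME.match(acct) and len(ips) > 1
    }


if __name__ == "__main__":
    for acct, ips in shared_generic_accounts(SAMPLE_EVENTS).items():
        print(f"{acct}: used from {', '.join(ips)}")
```

On the sample data, dba and administrator are flagged (each seen from two workstations), svc_backup is not (one address, consistent with a scheduled job), and jdoe is a personal account and out of scope. The failed 4625 logon for dba is deliberately ignored: a failure proves that someone tried an address, not that the account was used from it. The flagged addresses are what DHCP leases or switch port logs can then tie to a person.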

Implement automated audit trails to reconstruct the following events, for all system components

10.2.1

InTrust can track and report on individual user access to cardholder data stored on Windows file servers and database systems. Privilege Manager for Unix can do the same for cardholder data stored on Unix and Linux systems.

10.2.2

InTrust can track, report and alert on the activity of users with elevated privileges throughout the organization. Privilege Manager for Unix offers carefully controlled privileged access management (for example, root delegation) and keystroke logging for Unix and Linux users, regardless of whether they are also managed within AD.

10.2.3

InTrust is an enterprise audit log solution that lets organizations connect to, collect, store and report on enterprise audit information, including all attempts to access event log data (and even its own raw audit log). Privilege Manager for Unix provides the same controlled privileged access management and keystroke logging for Unix and Linux users, regardless of whether they are also managed within AD.

Requirement 12: Maintain a policy that addresses information security for employees and contractors

12.4

ActiveRoles Server, Vintela Authentication Services, SafeKeeping and Privilege Manager for Unix can assist in automating and enforcing this policy.

Appendix A, Requirement A.1: Hosting providers protect the cardholder data environment

A.1.1

ActiveRoles Server and Vintela Single Sign-on for Java can be used by a hosting service provider to help ensure that each hosted entity has access only to its own cardholder data environment.

Appendix B, Compensating Controls for Requirement 3.4

B.2 (a)

Quest Privilege Manager for Unix can restrict access to cardholder data based on IP address and/or MAC address.


Quest Helps with PCI

Learn more about PCI compliance.

Tech brief: InTrust helps meet the requirements of the Payment Card Industry Security Standards.

What's New

What's New in InTrust version 9.6

        © Quest Software, Inc. All rights