topic Re: PCI Compliance in Operating System - OpenVMS

PCI Compliance

patriceiggy — Mon, 23 Jun 2008 14:07:00 GMT

Is there any tool which maps OpenVMS operating system parameters to the PCI sata security standard, so that I can use it to prove to my auditors that the OpenVMS system meets current PCI requirements?

Re: PCI Compliance

Robert Gezelter — Mon, 23 Jun 2008 15:03:57 GMT

patriceiggy,

The general underpinnings are mostly in the OpenVMS Guide to System Security (available on the OpenVMS www site at http://www.hp.com/go/OpenVMS

I am not aware of an OpenVMS specific checklist for PCI, although the precise checklist should be deriveable from the precise checklist that is being used by your auditors (I am always careful in such situations to use the PRECISE checklist being asked, it does matter).

- Bob Gezelter, http://www.rlgsc.com
Author, "OpenVMS Security", Handbook of Information Security (H.Bidgoli, Ed., Wiley & Sons, 2006)

Re: PCI Compliance

Hoff — Mon, 23 Jun 2008 17:04:16 GMT

AFAIK, everybody gets to do their own specific and local PCI compliance investigation. (I could make a cynical comment or three around the likely PCI root goals, but that's probably not appropriate for ITRC.)

Above and beyond the OpenVMS security manual and the NCSC Class C2 recommendations in the appendix of same cited earlier, some of the accepted security-related evaluation and documentation pointers, and a compliance-testing tool, are referenced here:

http://64.223.189.234/node/43

Re: PCI Compliance

patriceiggy — Wed, 25 Jun 2008 16:56:14 GMT

Hoff, thanks for the links. I research the one from LJK and found that they have a tool that provides a mapping to NIST 800-53, but they are willing to create a PCI mapping policy for me -- immensely helpful!

Can you also point me to an OpenVMS operating system hardening document? I've read the one from Rob McMillan at Queensland, but I want to research what other documents are available.

Re: PCI Compliance

Jan van den Ende — Wed, 25 Jun 2008 18:43:01 GMT

patriceiggy,

I noticed you are new here, so let me begin with
WELCOME to the VMS forum!

As a Dutchie, I am not really familiar with USA regulation specifics, so I will refrain from comments apart from the general "VMS is by default already more secure than 'more popular' OSes can be made".

But I like to point out

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

for the way to say "Thanks" to the ones you consider have been helpfull to you.

Proost.

Have one on me.

jpe

Re: PCI Compliance

patriceiggy — Wed, 25 Jun 2008 21:09:06 GMT

Jan, thanks for helping me out. I was wondering how to assign the points. I've done it for these questions here.

Re: PCI Compliance

Jack M. Estes II — Wed, 25 Jun 2008 21:34:39 GMT

Patrice:

This is a really serendipidous post! I JUST went through this same issue. We just passed SAS/70 type II AND PCI audits and I had to prove both TRU-64 and OpenVMS on Alpha were compliant. I have documentation I can probably share with you after a little clean-up and I'm happy to share my experience with you if it could help. Very few PCI auditors have much experience with VMS and at least for me, it took a good bit of handholding and education from me to get over their "bias of ignorance". You can contact me off forum using jack at cybermill dot com

Jack

Re: PCI Compliance

Hoff — Thu, 26 Jun 2008 02:15:10 GMT

I've posted various links at the site I referenced earlier, including the SRR and related.

Here's the link to a tag I've scattered around the site, as well.

64.223.189.234/taxonomy/term/9

As for hardening a system, there's no set and no single answer. A truly secure computer system is an entirely unusable system, after all.

Re: PCI Compliance

patriceiggy — Tue, 01 Jul 2008 22:09:22 GMT

Jack, I tried to contact you off forum, but received no response from th cybermill address. Would you send an e-mail to me at p51dpc@hotmail.com so I can reply to it in order to make contact?

Re: PCI Compliance

Wim Van den Wyngaert — Wed, 02 Jul 2008 06:07:11 GMT

This may help too (if not for you for the others to know what it is about).
http://en.wikipedia.org/wiki/PCI_DSS

There already was a question once about scanning all files for card number and other security info.

Wim

Re: PCI Compliance

LJK Software — Fri, 19 Sep 2008 11:55:04 GMT

In response to these concerns, we have created a template command procedure for assessing VMS systems according to PCI DSS (Payment Card Industry Data Security Standard).

http://www.ljk.com/ljk/ljk_security_pci_dss.html

As might be guessed by thinking about the nature of software:

A. LJK/Security can do a good job of automatically measuring compliance with items like Requirement 8.5.9 (Change user passwords at least every 90 days).

B. LJK/Security cannot automatically measure compliance with items like Requirement 9.5 (Store media back-ups in a secure location).