patriceiggy
New Member

PCI Compliance

Is there any tool which maps OpenVMS operating system parameters to the PCI data security standard, so that I can use it to prove to my auditors that the OpenVMS system meets current PCI requirements?
Robert Gezelter
Honored Contributor

Re: PCI Compliance

patriceiggy,

The general underpinnings are mostly in the OpenVMS Guide to System Security (available on the OpenVMS www site at http://www.hp.com/go/OpenVMS ).

I am not aware of an OpenVMS specific checklist for PCI, although the precise checklist should be derivable from the precise checklist that is being used by your auditors (I am always careful in such situations to use the PRECISE checklist being asked, it does matter).

- Bob Gezelter, http://www.rlgsc.com
Author, "OpenVMS Security", Handbook of Information Security (H.Bidgoli, Ed., Wiley & Sons, 2006)
Hoff
Honored Contributor
Solution

Re: PCI Compliance

AFAIK, everybody gets to do their own specific and local PCI compliance investigation. (I could make a cynical comment or three around the likely PCI root goals, but that's probably not appropriate for ITRC.)

Above and beyond the OpenVMS security manual and the NCSC Class C2 recommendations in the appendix of same cited earlier, some of the accepted security-related evaluation and documentation pointers, and a compliance-testing tool, are referenced here:

http://64.223.189.234/node/43



patriceiggy
New Member

Re: PCI Compliance

Hoff, thanks for the links. I researched the one from LJK and found that they have a tool that provides a mapping to NIST 800-53, but they are willing to create a PCI mapping policy for me -- immensely helpful!

Can you also point me to an OpenVMS operating system hardening document? I've read the one from Rob McMillan at Queensland, but I want to research what other documents are available.
Jan van den Ende
Honored Contributor

Re: PCI Compliance

patriceiggy,

I noticed you are new here, so let me begin with
WELCOME to the VMS forum!

As a Dutchie, I am not really familiar with USA regulation specifics, so I will refrain from comments apart from the general "VMS is by default already more secure than 'more popular' OSes can be made".

But I like to point out

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

for the way to say "Thanks" to the ones you consider have been helpful to you.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
patriceiggy
New Member

Re: PCI Compliance

Jan, thanks for helping me out. I was wondering how to assign the points. I've done it for these questions here.

Re: PCI Compliance

Patrice:

This is a really serendipitous post! I JUST went through this same issue. We just passed SAS/70 type II AND PCI audits and I had to prove both TRU-64 and OpenVMS on Alpha were compliant. I have documentation I can probably share with you after a little clean-up and I'm happy to share my experience with you if it could help. Very few PCI auditors have much experience with VMS and at least for me, it took a good bit of handholding and education from me to get over their "bias of ignorance". You can contact me off forum using jack at cybermill dot com

Jack
Hoff
Honored Contributor

Re: PCI Compliance

I've posted various links at the site I referenced earlier, including the SRR and related.

Here's the link to a tag I've scattered around the site, as well.

64.223.189.234/taxonomy/term/9

As for hardening a system, there's no set and no single answer. A truly secure computer system is an entirely unusable system, after all.

patriceiggy
New Member

Re: PCI Compliance

Jack, I tried to contact you off forum, but received no response from the cybermill address. Would you send an e-mail to me at p51dpc@hotmail.com so I can reply to it in order to make contact?
Wim Van den Wyngaert
Honored Contributor

Re: PCI Compliance

This may help too (if not for you for the others to know what it is about).
http://en.wikipedia.org/wiki/PCI_DSS

There already was a question once about scanning all files for card number and other security info.

Wim
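Wim's last reply mentions an earlier question about scanning all files for card numbers. As an added illustration (it is not code from this thread, nor from LJK or any other tool referenced above), here is the core of such a data-discovery scan in Python: find runs of 13 to 19 digits, optionally separated by spaces or dashes, keep only those that pass the Luhn check, and report them masked to the first six and last four digits so the scan report does not itself become a store of cardholder data. The file contents and the PANs in them are constructed sample input (well-known test numbers, not real accounts); the function and file names are this example's own.

```python
import re

# Constructed sample "files" standing in for the filesystem being scanned.
# The card numbers are publicly documented test PANs, not real accounts.
SAMPLE_FILES = {
    "orders.log": "order 1001 paid with 4111 1111 1111 1111 on 2009-03-01\n"
                  "order 1002 paid with 5500-0000-0000-0004\n",
    "notes.txt": "invoice 1234567890123 is not a card number\n"
                 "phone 0123456789012345 is not one either\n",
}

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or
# dash, not adjacent to further digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show first 6 and last 4 digits only, as a PCI-style truncated PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(name: str, text: str):
    """Yield (file, line number, masked PAN) for each Luhn-valid candidate."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                yield (name, lineno, mask(digits))


def scan_files(files: dict) -> list:
    """Scan a mapping of file name -> contents; return the list of hits."""
    return [hit for name, text in files.items() for hit in scan_text(name, text)]


if __name__ == "__main__":
    for name, lineno, pan in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: possible PAN {pan}")
```

The Luhn filter is what keeps the invoice and phone numbers in the sample out of the report; it does not prove a hit is a card number, so hits still need a human look, but it cuts the false positives that a plain digit-run search produces. Running this over a real filesystem would replace `SAMPLE_FILES` with a directory walk.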