Operating System - OpenVMS

PCI Compliance

patriceiggy
Occasional Visitor

PCI Compliance

Is there any tool which maps OpenVMS operating system parameters to the PCI data security standard, so that I can use it to prove to my auditors that the OpenVMS system meets current PCI requirements?
Robert Gezelter
Honored Contributor

Re: PCI Compliance

patriceiggy,

The general underpinnings are mostly in the OpenVMS Guide to System Security (available on the OpenVMS www site at http://www.hp.com/go/OpenVMS).

I am not aware of an OpenVMS specific checklist for PCI, although the precise checklist should be derivable from the precise checklist that is being used by your auditors (I am always careful in such situations to use the PRECISE checklist being asked, it does matter).

- Bob Gezelter, http://www.rlgsc.com
Author, "OpenVMS Security", Handbook of Information Security (H.Bidgoli, Ed., Wiley & Sons, 2006)
Hoff
Honored Contributor

Re: PCI Compliance

AFAIK, everybody gets to do their own specific and local PCI compliance investigation. (I could make a cynical comment or three around the likely PCI root goals, but that's probably not appropriate for ITRC.)

Above and beyond the OpenVMS security manual and the NCSC Class C2 recommendations in the appendix of same cited earlier, some of the accepted security-related evaluation and documentation pointers, and a compliance-testing tool, are referenced here:

http://64.223.189.234/node/43

patriceiggy
Occasional Visitor

Re: PCI Compliance

Hoff, thanks for the links. I researched the one from LJK and found that they have a tool that provides a mapping to NIST 800-53, but they are willing to create a PCI mapping policy for me -- immensely helpful!

Can you also point me to an OpenVMS operating system hardening document? I've read the one from Rob McMillan at Queensland, but I want to research what other documents are available.
Jan van den Ende
Honored Contributor

Re: PCI Compliance

patriceiggy,

I noticed you are new here, so let me begin with
WELCOME to the VMS forum!

As a Dutchie, I am not really familiar with USA regulation specifics, so I will refrain from comments apart from the general "VMS is by default already more secure than 'more popular' OSes can be made".

But I like to point out

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

for the way to say "Thanks" to the ones you consider have been helpful to you.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
patriceiggy
Occasional Visitor

Re: PCI Compliance

Jan, thanks for helping me out. I was wondering how to assign the points. I've done it for these questions here.

Re: PCI Compliance

Patrice:

This is a really serendipitous post! I JUST went through this same issue. We just passed SAS/70 type II AND PCI audits and I had to prove both TRU-64 and OpenVMS on Alpha were compliant. I have documentation I can probably share with you after a little clean-up and I'm happy to share my experience with you if it could help. Very few PCI auditors have much experience with VMS and at least for me, it took a good bit of handholding and education from me to get over their "bias of ignorance". You can contact me off forum using jack at cybermill dot com

Jack
Hoff
Honored Contributor

Re: PCI Compliance

I've posted various links at the site I referenced earlier, including the SRR and related.

Here's the link to a tag I've scattered around the site, as well.

64.223.189.234/taxonomy/term/9

As for hardening a system, there's no set and no single answer. A truly secure computer system is an entirely unusable system, after all.

patriceiggy
Occasional Visitor

Re: PCI Compliance

Jack, I tried to contact you off forum, but received no response from the cybermill address. Would you send an e-mail to me at p51dpc@hotmail.com so I can reply to it in order to make contact?
Wim Van den Wyngaert
Honored Contributor

Re: PCI Compliance

This may help too (if not for you for the others to know what it is about).
http://en.wikipedia.org/wiki/PCI_DSS

There already was a question once about scanning all files for card number and other security info.

Wim
LJK Software
Occasional Visitor

Re: PCI Compliance

In response to these concerns, we have created a template command procedure for assessing VMS systems according to PCI DSS (Payment Card Industry Data Security Standard).

http://www.ljk.com/ljk/ljk_security_pci_dss.html

As might be guessed by thinking about the nature of software:

A. LJK/Security can do a good job of automatically measuring compliance with items like Requirement 8.5.9 (Change user passwords at least every 90 days).

B. LJK/Security cannot automatically measure compliance with items like Requirement 9.5 (Store media back-ups in a secure location).
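As an added illustration of the kind of automatic check item A describes (this is example code written for this thread, not LJK's command procedure and not anything from their site), the following Python script reads a SYSUAF listing of the sort produced by AUTHORIZE's SHOW command, pulls out each account's Pwdlifetime, and reports every account whose password either never expires or has a lifetime longer than the 90 days quoted for Requirement 8.5.9. The listing embedded below is constructed for the example and only approximates the AUTHORIZE layout; the field positions and the "days hh:mm" delta-time format are assumptions, so adjust the regular expressions to what your own system prints before relying on the result.

```python
import re

# Constructed sample of an AUTHORIZE SHOW * listing. Only the two lines per
# account that this check needs are included; the layout is an assumption
# made for this example, not output copied from a live OpenVMS system.
SAMPLE_LISTING = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Pwdlifetime:         90 00:00    Pwdchange:   6-MAR-2009 10:11
Username: BATCHOPS                         Owner:  NIGHTLY BATCH
Pwdlifetime:            (none)    Pwdchange:  (pre-expired)
Username: JSMITH                           Owner:  JANE SMITH
Pwdlifetime:        180 00:00    Pwdchange:   1-JAN-2009 09:00
Username: AUDITOR                          Owner:  PCI AUDITOR
Pwdlifetime:         45 12:00    Pwdchange:   2-FEB-2009 08:30
"""

# Threshold from PCI DSS Requirement 8.5.9 as quoted in the thread.
MAX_LIFETIME_DAYS = 90

_USER_RE = re.compile(r"^Username:\s+(\S+)")
# Pwdlifetime is either "(none)" (never expires) or a delta time "days hh:mm".
_LIFE_RE = re.compile(r"^Pwdlifetime:\s+(\(none\)|(\d+)\s+(\d{1,2}):(\d{2}))")


def parse_pwdlifetimes(listing):
    """Map each username in the listing to its password lifetime in days.

    A value of None means the account's password never expires.
    """
    lifetimes = {}
    current = None
    for line in listing.splitlines():
        m = _USER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _LIFE_RE.match(line)
        if m and current is not None:
            if m.group(1) == "(none)":
                lifetimes[current] = None
            else:
                days = int(m.group(2))
                minutes = int(m.group(3)) * 60 + int(m.group(4))
                lifetimes[current] = days + minutes / 1440
    return lifetimes


def assess_requirement_8_5_9(listing, max_days=MAX_LIFETIME_DAYS):
    """Return (username, finding) pairs for accounts that fail the 90-day rule.

    An exact 90-day lifetime passes; "(none)" and anything longer fail.
    """
    findings = []
    for user, days in parse_pwdlifetimes(listing).items():
        if days is None:
            findings.append((user, "password never expires (Pwdlifetime is (none))"))
        elif days > max_days:
            findings.append((user, f"password lifetime {days:g} days exceeds {max_days}"))
    return findings


if __name__ == "__main__":
    # On a real system the listing would be captured from AUTHORIZE and read
    # from a file; here the constructed sample is used instead.
    for user, finding in assess_requirement_8_5_9(SAMPLE_LISTING):
        print(f"{user:<12} {finding}")
```

Accounts that are deliberately disabled (for example via the DISUSER flag) may be acceptable exceptions under your auditor's checklist; this script does not exempt them, which is the conservative default for an evidence report.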