Base 6 - BeyondTrust

Remote Support 20.1Base 6.0

Vulnerability Scan Reports

©2003-2019 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company,or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:11/15/2019

20.1.1 BeyondTrust Remote SupportFISMA Compatibility Report

ThisreportincludesimportantcomplianceinformationaboutBeyondTrustRemoteSupport20.1.1

[US] Federal Information Security Mgmt. Act (FISMA)Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20208:31:25PM

Regulations

Federal Information Security Management Act (FISMA)

Summary

TheFederalInformationSecurityManagementAct(FISMA)waspassedbyCongressandsignedintolawbythePresidentaspartoftheElectronicGovernmentActof2002.Itprovidesaframeworktoensurecomprehensivemeasuresaretakentosecurefederalinformationandassets.Itrequireseachfederalagencytodevelop,document,andimplementanagency-wideprogramtoprovideinformationsecurityfortheinformationandinformationsystemsthatsupporttheoperationsandassetsoftheagency,includingthoseprovidedormanagedbyanotheragency,contractor,orothersource.

TheOfficeofManagementandBudget(OMB)requiresfederalagenciestopreparePlansofActionandMilestonesProcess(POAandMs)reportsforallprogramsandsystemswheretheyhavefoundanITsecurityweakness.CIOsandagencyprogramofficialsmustdevelop,implement,andmanagePOAandMsforallprogramsandsystemstheyoperateandcontrol.ProgramofficialsmustregularlyupdatetheagencyCIOontheirprogresssotheCIOcanmonitoragency-wideremediationeffortsandprovidetheagency’squarterlyupdatetoOMB.

AgenciesmustsubmitareporttotheOMBthatsummarizestheresultsofannualITsecurityreviewsofsystemsandprograms,andanyprogresstheagencyhasmadetowardsfulfillingtheirFISMAgoalsandmilestones.

OMBusesthereportstohelpevaluategovernment-widesecurityperformance,developitsannualsecurityreporttoCongress,assistinimprovingandmaintainingadequateagencysecurityperformance,andinformdevelopmentoftheE-GovernmentScorecardunderthePresident’sManagementAgenda.ThereportmustsummarizetheresultsofannualITsecurityreviewsofsystemsandprograms,andanyprogresstheagencyhasmadetowardsfulfillingtheirFISMAgoalsandmilestones.

FISMArequiresthatfederalagencyofficialsunderstandthecurrentstatusoftheirsecurityprogramsandthesecuritycontrolsplannedorinplacetoprotecttheirinformationandinformationsystemsinordertomakeinformedjudgmentsandinvestmentsthatappropriatelymitigaterisktoanacceptablelevel.Theultimateobjectiveistoconducttheday-to-dayoperationsoftheagencyandtoaccomplishtheagency'sstatedmissionswithadequatesecurity,orsecuritycommensuratewithrisk,includingthemagnitudeofharmresultingfromtheunauthorizedaccess,use,disclosure,disruption,modification,ordestructionofinformation.

FISMAImplementation

PhaseI:StandardsandGuidelinesDevelopment

ThefirstphaseoftheFISMAImplementationProjectfocusesonthedevelopmentandupdatingofthesecurity

7/2/2020 20.1.1 - 42276:8dfd57 1

standardsandguidancerequiredtoeffectivelyimplementtheprovisionsofthelegislation.TheimplementationoftheNISTstandardsandguidancewillhelpagenciescreateandmaintainrobustinformationsecurityprogramsandeffectivelymanagerisktoagencyoperations,agencyassets,andindividuals.

PhaseII:ImplementationandAssessmentAids

ThesecondphaseoftheFISMAImplementationProjectisfocusedonprovidinginformationsystemimplementationandassessmentreferencematerialsforbuildingcommonunderstandinginapplyingtheNISTsuiteofpublicationssupportingtheRiskManagementFramework(RMF).

NISTImplementationDocuments

NISTdevelopsandissuesstandards,guidelinesandotherpublicationstoassistfederalagenciesinimplementingFISMA,includingminimumrequirements,forprovidingadequateinformationsecurityforallagencyoperationsandassetsbutsuchstandardsandguidelinesshallnotapplytonationalsecuritysystems.

FederalInformationProcessingStandards(FIPS)areapprovedbytheSecretaryofCommerceandissuedbyNISTinaccordancewithFISMA.FIPSarecompulsoryandbindingforfederalagencies.FISMArequiresthatfederalagenciescomplywiththesestandards,andtherefore,agenciesmaynotwaivetheiruse.FIPS200mandatestheuseofSpecialPublication800-53,asamended.

AppScanandFISMA

AppScan'sFISMAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeminimumsecuritycontrolsrecommendationsassetinthesecuritycatalogofNISTSpecialPublication80053.ThisreportwasconstructedaccordingtotheHIGH-IMPACTInformationSystemsbaseline.Organizationsthatuselowormoderatecontrolbaselinemayhavetoadjusttheresultsaccordingly.

CoveredEntities

AllFederalagenciesandorganizationswhichpossessoruseFederalinformation--orwhichoperate,use,orhaveaccesstoFederalinformationsystems--onbehalfofaFederalagency,includingcontractors,grantees,Stateandlocalgovernments,andindustrypartners.

EffectiveDate

December2002

ComplianceRequiredby

FederalagenciesmustsubmittheirannualITreviewreportstotheOMBbyOctoberofeachyear.

7/2/2020 20.1.1 - 42276:8dfd57 2

Regulators/Auditors

TheOfficeofManagementandBudget(OMB).

Formoreinformationonsecuringwebapplications,pleasevisit:http://www-03.ibm.com/software/products/en/category/application-security

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstratepotential vulnerabilities in your application that should be corrected in order to reduce the likelihood that yourinformation will be compromised. As legal advice must be tailored to the specific application of each law, and lawsare constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel.IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's soleresponsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevantlaws and regulatory requirements that may affect the customer's business and any actions the customer may need totake to comply with such laws.

Violated SectionIssuesdetectedacross0/23sectionsoftheregulation:

SectionsNumberofIssues

Sec.3544.(A),Sec.3547(1)-Theheadofeachagencyshallberesponsibleforprovidinginformationsecurityprotectionscommensuratewiththeriskandmagnitudeoftheharmresultingfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionof—(i)informationcollectedormaintainedbyoronbehalfoftheagency;and(ii)informationsystemsusedoroperatedbyanagencyorbyacontractorofanagencyorotherorganizationonbehalfofanagency;

0

Sec.3544.(B)-Theheadofeachagencyshallberesponsibleforcomplyingwiththerequirementsofthissubchapterandrelatedpolicies,procedures,standards,andguidelines,including—(i)informationsecuritystandardspromulgatedundersection11331oftitle40;and(ii)informationsecuritystandardsandguidelinesfornationalsecuritysystemsissuedinaccordancewithlawandasdirectedbythePresident;

0

NISTSP800_53,AC-3-Theinformationsystemenforcesapprovedauthorizationsforlogicalaccesstoinformationandsystemresourcesinaccordancewithapplicableaccesscontrolpolicies.

0

NISTSP800_53,AC-6-Theorganizationemploystheprincipleofleastprivilege,allowingonlyauthorizedaccessesforusers(orprocessesactingonbehalfofusers)whicharenecessarytoaccomplishassignedtasksinaccordancewithorganizationalmissionsandbusinessfunctions.

0

NISTSP800_53,AC-10-Theinformationsystemlimitsthenumberofconcurrentsessionsforeach[Assignment:organization-definedaccountand/oraccounttype]to[Assignment:organization-definednumber].

0

NISTSP800_53,AC-11-TheOrganizationpreventsfurtheraccesstothesystembyinitiatingasessionlockafter[Assignment:organization-definedtimeperiod]ofinactivityoruponreceivingarequestfromauser;andretainsthesessionlockuntiltheuserreestablishesaccessusingestablishedidentificationandauthenticationprocedures.

0

NISTSP800_53,AC-17-Theorganization:Establishesanddocumentsusagerestrictions,configuration/connectionrequirements,andimplementationguidanceforeachtypeofremoteaccessallowed;andAuthorizesremoteaccesstotheinformationsystempriortoallowingsuchconnections.

0

NISTSP800_53,CM-6-Theorganization:a.Establishesanddocumentsconfigurationsettingsforinformationtechnologyproductsemployedwithintheinformationsystemusing[Assignment:organization-definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;b.Implementstheconfigurationsettings;c.Identifies,documents,and

0

7/2/2020 20.1.1 - 42276:8dfd57 3

approvesanydeviationsfromestablishedconfigurationsettingsfor[Assignment:organization-definedinformationsystemcomponents]basedon[Assignment:organization-definedoperationalrequirements];andd.Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures.NISTSP800_53,CM-7-Theorganization:a.Configurestheinformationsystemtoprovideonlyessentialcapabilities;andb.Prohibitsorrestrictstheuseofthefollowingfunctions,ports,protocols,and/orservices:[Assignment:organization-definedprohibitedorrestrictedfunctions,ports,protocols,and/orservices].

0

NISTSP800_53,IA-2-Theinformationsystemuniquelyidentifiesandauthenticatesorganizationalusers(orprocessesactingonbehalfoforganizationalusers).

0

NISTSP800_53,IA-4.D-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbypreventingreuseofuserordeviceidentifiersfor[Assignment:organization-definedtimeperiod].

0

NISTSP800_53,IA-4.E-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbydisablingtheuseridentifierafter[Assignment:organization-definedtimeperiodofinactivity].

0

NISTSP800_53,IA-5.C-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbyensuringthatauthenticatorshavesufficientstrengthofmechanismfortheirintendeduse.

0

NISTSP800_53,IA-5.E-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbychangingdefaultcontentofauthenticatorsuponinformationsysteminstallation.

0

NISTSP800_53,RA-5.A-Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization-definedfrequencyand/orrandomlyinaccordancewithorganization-definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported.

0

NISTSP800_53,SC-5-Theinformationsystemprotectsagainstorlimitstheeffectsofthefollowingtypesofdenialofserviceattacks:[Assignment:organization-definedtypesofdenialofserviceattacksorreferencetosourceforsuchinformation]byemploying[Assignment:organization-definedsecuritysafeguards].

0

NISTSP800_53,SC-8-Theinformationsystemprotectsthe[Selection(oneormore):confidentiality;integrity]oftransmittedinformation.

0

NISTSP800_53,SC-13-Theinformationsystemimplements[Assignment:organization-definedcryptographicusesandtypeofcryptographyrequiredforeachuse]inaccordancewithapplicablefederallaws,ExecutiveOrders,directives,policies,regulations,andstandards.

0

NISTSP800_53,SC-23-Theinformationsystemprotectstheauthenticityofcommunicationssessions. 0NISTSP800_53,SI-3.A-Employsmaliciouscodeprotectionmechanismsatinformationsystementryandexitpointstodetectanderadicatemaliciouscode;

0

NISTSP800_53,SI-3.B-Theorganizationupdatesmaliciouscodeprotectionmechanismswhenevernewreleasesareavailableinaccordancewithorganizationalconfigurationmanagementpolicyandprocedures;

0

NISTSP800_53,SI-10-Theinformationsystemchecksthevalidityofinformationinputs. 0NISTSP800_53,SI-11.A-Generateserrormessagesthatprovideinformationnecessaryforcorrectiveactionswithoutrevealinginformationthatcouldbeexploitedbyadversaries;

0

Section Violation By Issue0Uniqueissuesdetectedacross0/23sectionsoftheregulation:

URL Entity Issue Type Sections

7/2/2020 20.1.1 - 42276:8dfd57 4

Detailed Security Issues by Sections

Sec.3544.(A),Sec.3547(1)-Theheadofeachagencyshallberesponsibleforprovidinginformationsecurityprotectionscommensuratewiththeriskandmagnitudeoftheharmresultingfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionof—(i)informationcollectedormaintainedbyoronbehalfoftheagency;and(ii)informationsystemsusedoroperatedbyanagencyorbyacontractorofanagencyorotherorganizationonbehalfofanagency; 0

Sec.3544.(B)-Theheadofeachagencyshallberesponsibleforcomplyingwiththerequirementsofthissubchapterandrelatedpolicies,procedures,standards,andguidelines,including—(i)informationsecuritystandardspromulgatedundersection11331oftitle40;and(ii)informationsecuritystandardsandguidelinesfornationalsecuritysystemsissuedinaccordancewithlawandasdirectedbythePresident; 0

NISTSP800_53,AC-3-Theinformationsystemenforcesapprovedauthorizationsforlogicalaccesstoinformationandsystemresourcesinaccordancewithapplicableaccesscontrolpolicies. 0

NISTSP800_53,AC-6-Theorganizationemploystheprincipleofleastprivilege,allowingonlyauthorizedaccessesforusers(orprocessesactingonbehalfofusers)whicharenecessarytoaccomplishassignedtasksinaccordancewithorganizationalmissionsandbusinessfunctions. 0

NISTSP800_53,AC-10-Theinformationsystemlimitsthenumberofconcurrentsessionsforeach[Assignment:organization-definedaccountand/oraccounttype]to[Assignment:organization-definednumber]. 0

7/2/2020 20.1.1 - 42276:8dfd57 5

NISTSP800_53,AC-11-TheOrganizationpreventsfurtheraccesstothesystembyinitiatingasessionlockafter[Assignment:organization-definedtimeperiod]ofinactivityoruponreceivingarequestfromauser;andretainsthesessionlockuntiltheuserreestablishesaccessusingestablishedidentificationandauthenticationprocedures. 0

NISTSP800_53,AC-17-Theorganization:Establishesanddocumentsusagerestrictions,configuration/connectionrequirements,andimplementationguidanceforeachtypeofremoteaccessallowed;andAuthorizesremoteaccesstotheinformationsystempriortoallowingsuchconnections. 0

NISTSP800_53,CM-6-Theorganization:a.Establishesanddocumentsconfigurationsettingsforinformationtechnologyproductsemployedwithintheinformationsystemusing[Assignment:organization-definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;b.Implementstheconfigurationsettings;c.Identifies,documents,andapprovesanydeviationsfromestablishedconfigurationsettingsfor[Assignment:organization-definedinformationsystemcomponents]basedon[Assignment:organization-definedoperationalrequirements];andd.Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures. 0

NISTSP800_53,CM-7-Theorganization:a.Configurestheinformationsystemtoprovideonlyessentialcapabilities;andb.Prohibitsorrestrictstheuseofthefollowingfunctions,ports,protocols,and/orservices:[Assignment:organization-definedprohibitedorrestrictedfunctions,ports,protocols,and/orservices]. 0

7/2/2020 20.1.1 - 42276:8dfd57 6

NISTSP800_53,IA-2-Theinformationsystemuniquelyidentifiesandauthenticatesorganizationalusers(orprocessesactingonbehalfoforganizationalusers). 0

NISTSP800_53,IA-4.D-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbypreventingreuseofuserordeviceidentifiersfor[Assignment:organization-definedtimeperiod]. 0

NISTSP800_53,IA-4.E-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbydisablingtheuseridentifierafter[Assignment:organization-definedtimeperiodofinactivity]. 0

NISTSP800_53,IA-5.C-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbyensuringthatauthenticatorshavesufficientstrengthofmechanismfortheirintendeduse. 0

NISTSP800_53,IA-5.E-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbychangingdefaultcontentofauthenticatorsuponinformationsysteminstallation. 0

NISTSP800_53,RA-5.A-Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization-definedfrequencyand/orrandomlyinaccordancewithorganization-definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported. 0

7/2/2020 20.1.1 - 42276:8dfd57 7

NISTSP800_53,SC-5-Theinformationsystemprotectsagainstorlimitstheeffectsofthefollowingtypesofdenialofserviceattacks:[Assignment:organization-definedtypesofdenialofserviceattacksorreferencetosourceforsuchinformation]byemploying[Assignment:organization-definedsecuritysafeguards]. 0

NISTSP800_53,SC-8-Theinformationsystemprotectsthe[Selection(oneormore):confidentiality;integrity]oftransmittedinformation. 0

NISTSP800_53,SC-13-Theinformationsystemimplements[Assignment:organization-definedcryptographicusesandtypeofcryptographyrequiredforeachuse]inaccordancewithapplicablefederallaws,ExecutiveOrders,directives,policies,regulations,andstandards. 0

NISTSP800_53,SC-23-Theinformationsystemprotectstheauthenticityofcommunicationssessions. 0

NISTSP800_53,SI-3.A-Employsmaliciouscodeprotectionmechanismsatinformationsystementryandexitpointstodetectanderadicatemaliciouscode; 0

NISTSP800_53,SI-3.B-Theorganizationupdatesmaliciouscodeprotectionmechanismswhenevernewreleasesareavailableinaccordancewithorganizationalconfigurationmanagementpolicyandprocedures; 0

7/2/2020 20.1.1 - 42276:8dfd57 8

NISTSP800_53,SI-10-Theinformationsystemchecksthevalidityofinformationinputs. 0

NISTSP800_53,SI-11.A-Generateserrormessagesthatprovideinformationnecessaryforcorrectiveactionswithoutrevealinginformationthatcouldbeexploitedbyadversaries; 0

7/2/2020 20.1.1 - 42276:8dfd57 9

20.1.1 BeyondTrust Remote SupportGDPR Compatibility Report

ThisreportincludesimportantprivacyinformationaboutBeyondTrustRemoteSupport20.1.1

[EU] Regulation 2016/679 Of The European Parliament And OfThe Council (GDPR) Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20208:31:25PM

Regulations

Regulation 2016/679 Of The European Parliament And Of TheCouncil - General Data Protection Regulation (GDPR)LearnmoreaboutIBMownGDPRreadinessjourneyandourGDPRcapabilitiesandofferingshere:https://ibm.com/gdpr

LearnmoreaboutGDPRontheEropeanUnion'sDataProtectionwebsitehere:https://ec.europa.eu/info/law/law-topic/data-protection_en

Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does notnecessarily indicate actual legal issues in the context GDPR, but rather points out areas of interest. A legally bindingassessment of applicability of any areas of interest shown in this report can and should only be made by a legalprofessional.

GDPR ArticlesIssuesdetectedacross0/4sectionsoftheregulation:


Article25(1)-Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverityforrightsandfreedomsofnaturalpersonsposedbytheprocessing,thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandatthetimeoftheprocessingitself,implementappropriatetechnicalandorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples,suchasdataminimisation,inaneffectivemannerandtointegratethenecessarysafeguardsintotheprocessinginordertomeettherequirementsofthisRegulationandprotecttherightsofdatasubjects.

0

Article32(1)(a)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:thepseudonymisationandencryptionofpersonaldata.

0

Article32(1)(b)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessingsystemsandservices.

0

Article32(2)-Inassessingtheappropriatelevelofsecurityaccountshallbetakeninparticularofthe 0

7/2/2020 20.1.1 - 42276:8dfd57 1

risksthatarepresentedbyprocessing,inparticularfromaccidentalorunlawfuldestruction,loss,alteration,unauthoriseddisclosureof,oraccesstopersonaldatatransmitted,storedorotherwiseprocessed




Article25(1)-Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverityforrightsandfreedomsofnaturalpersonsposedbytheprocessing,thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandatthetimeoftheprocessingitself,implementappropriatetechnicalandorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples,suchasdataminimisation,inaneffectivemannerandtointegratethenecessarysafeguardsintotheprocessinginordertomeettherequirementsofthisRegulationandprotecttherightsofdatasubjects. 0

Article32(1)(a)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:thepseudonymisationandencryptionofpersonaldata. 0

7/2/2020 20.1.1 - 42276:8dfd57 2

Article32(1)(b)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessingsystemsandservices. 0

Article32(2)-Inassessingtheappropriatelevelofsecurityaccountshallbetakeninparticularoftherisksthatarepresentedbyprocessing,inparticularfromaccidentalorunlawfuldestruction,loss,alteration,unauthoriseddisclosureof,oraccesstopersonaldatatransmitted,storedorotherwiseprocessed 0

7/2/2020 20.1.1 - 42276:8dfd57 3

20.1.1 BeyondTrust Remote SupportHIPPA Compatibility Report


[US] Healthcare Services (HIPAA) Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20208:31:25PM

Regulations

The Health Insurance Portability and Accountability Act(HIPAA) of 1996 - Security and Privacy Regulations

Summary

HIPAAprovidesfederalprotectionsforpersonalhealthinformationheldbycoveredentitiesandgivespatientsasetofrightswithrespecttothatinformation.However,HIPAAdoespermitthedisclosureofpersonalhealthinformationneededforpatientcareandotherimportantandnecessarypurposes.

TitleIofHIPAAprotectshealthinsurancecoverageforworkersandtheirfamilieswhentheychangeorlosetheirjobs.TitleIIofHIPAA,knownastheAdministrativeSimplificationprovisions,requirestheestablishmentofnationalstandardsforelectronichealthcaretransactionsandnationalidentifiersforproviders,healthinsuranceplans,andemployers.

TheAdministrationSimplificationprovisionsalsoaddressthesecurityandprivacyofhealthdata.Thestandardsaremeanttoimprovetheefficiencyandeffectivenessofthehealthcaresystem.

TheUnitedStatesDepartmentofHealthandHumanServices(HHS)hasissuedregulationsimplementingthoseprovisionsofHIPAAregulatingtheprivacyandsecurityofindividuals’medicalrecords.

CoveredInformation

TheRuleslimittheuseanddisclosureofpersonalhealthinformationbyCoveredEntities.Protectedhealthinformationisindividuallyidentifiablehealthinformationthatistransmittedormaintainedinanyformormedium,andwhichrelatestothepast,presentorfuturephysicalormentalheathorconditionofanindividual,theprovisionofheathcaretoanindividual,orthepast,presentorfuturepaymentfortheprovisionofhealthcare.Informationis“individuallyidentifiable”ifitactuallyidentifiesanindividualorcontainsinformationthatcouldreasonablybeusedtoidentifyandindividual.

HIPAArequiresmeasurestobetakentosecurethisinformationwhileinthecustodyofcoveredentitiesaswellasintransitbetweencoveredentitiesandfromcoveredentitiestoothers.

ThePrivacyRulerequiresthatcoveredentities,amongotherthings(i)obtainpriorwrittenauthorizationtouseordisclosecertainpersonalhealthinformationforanypurposeotherthanpayment,healthcaretreatmentorhealthcareoperations,(ii)givepatientsaccesstocertainpersonalhealthinformationuponrequest,(iii)instituteproceduralsafeguardstoprotectpersonalhealthinformation,and(iv)limittheuseanddisclosureofsuchinformationtotheminimumnecessarytoachievetheintendedpurposeforsuchinformation.

7/2/2020 20.1.1 - 42276:8dfd57 1

TheSecurityRulerequiresthatcoveredentities,amongotherthings,implementadministrative,technical,andphysicalsafeguardsto(i)ensuretheconfidentiality,integrityandavailabilityofallelectronicprotectedhealthinformationthecoveredentitycreates,receives,maintains,ortransmits;(ii)protectagainstanyreasonablyanticipatedthreatsorhazardstothesecurityorintegrityofsuchinformation;(iii)protectagainstanyreasonablyanticipatedusesordisclosuresofsuchinformationthatarenotpermittedorrequiredtheSecurityRule;and(iv)ensurecompliancewiththeSecurityRulebythecoveredentity'sworkforce.

InrecognitionofthesecuritythreatstoElectronicProtectedHealthInformation(EPHI),HHShaspublishedHIPAAPrivacyandSecurityRules`guidancedocumentstoimplementprivacyandsecurityframeworkforelectronicexchangeofindividuallyidentifiablehealthinformation.Theseguidancedocumentsdiscusshowtheprivacyandsecurityrulescanfacilitatethesafeandadequateexchangeofelectronichealthinformationandhowtodealwiththechallengesthattheuseandexchangeofelectronichealthinformationposses.

CoveredEntities

TheRulesapplytofourtypesofentities:healthcareproviders,healthplans,healthcareclearinghousesandprescriptiondrugcardsponsors(collectively"CoveredEntities").Thisgenerallymeansthoseprovidinghealthcare,thosepayingfor(insuring)healthcareanddataprocessorsthatassistinthepreceding.

CompliancePenalties

AfinemaybeimposedonanypersonorcoveredentitythatviolatesanyHIPAArequirement.Thecivilmonetarypenaltyforviolatingtransactionstandardsisupto$100perpersonperviolationandupto$25,000perpersonperviolationofasinglestandardpercalendaryear.

Thefinemaybereducedorwaivedentirelyiftheviolationwasnotduetowillfulneglectoftherequirements,andiftheentitycorrectsitwithin30daysofbecomingawareofit.

Federalcriminalpenaltiescanalsobeplaceduponhealthplans,providersandhealthcareclearinghousesthatknowinglyandimproperlydiscloseinformationorobtaininformationunderfalsepretenses.Penaltieswouldbehigherforactionsdesignedtogeneratemonetarygain.

Criminalpenaltiesareupto$50,000andoneyearinprisonforobtainingordisclosingprotectedhealthinformation;upto$100,000anduptofiveyearsinprisonforobtainingprotectedhealthinformationunder"falsepretenses";andupto$250,000anduptotenyearsinprisonforobtainingordisclosingprotectedhealthinformationwiththeintenttosell,transferoruseitforcommercialadvantage,personalgainormaliciousharm.

Effectivedate

April14,2001

SecurityRule–April21,2003

PrivacyRule–April14,2003

7/2/2020 20.1.1 - 42276:8dfd57 2


Privacyprovisions-April14,2003

Securityprovisions-April20,2005

Administrativeprovisions–July1,2005

Regulators/Administrators

UnitedStatesDepartmentofHealthandHumanServices

OfficeforCivilRights

AppScan'sHIPAAComplianceReport

AppScan'sHIPAAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeHIPAASecurityRulerequirementsandrelatedrequiredactivitiesasdescribedintheNISTresourceguideforHIPAAsecurityruleimplementation.

Note

AddressableIssue-asappearsinthisreportmeansacoveredentitymust-

(i)Assesswhethereachimplementationspecificationisareasonableandappropriatesafeguardinitsenvironment,whenanalyzedwithreferencetothelikelycontributiontoprotectingtheentity'selectronicprotectedhealthinformation;and

(ii)Asapplicabletotheentity-

(A)Implementtheimplementationspecificationifreasonableandappropriate;or

(B)Ifimplementingtheimplementationspecificationisnotreasonableandappropriate-

(1)Documentwhyitwouldnotbereasonableandappropriatetoimplementtheimplementationspecification;and

(2)Implementanequivalentalternativemeasureifreasonableandappropriate.

PossibleIssue-asappearsinthisreportmeansthedetectedresultsmayimplythatarequiredimplementationspecificationisnotmet.

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-03.ibm.com/software/products/en/category/application-security

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstratepotential vulnerabilities in your application that should be corrected in order to reduce the likelihood that yourinformation will be compromised. As legal advice must be tailored to the specific application of each law, and lawsare constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel.IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole

7/2/2020 20.1.1 - 42276:8dfd57 3

responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevantlaws and regulatory requirements that may affect the customer's business and any actions the customer may need totake to comply with such laws.



S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation.

0

S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed.

0

S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule.

0

S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism.

0

S.Rule-Part164,SubpartC,164.308(a)(5)(ii)(D)-AddressableIssue-Implementproceduresforcreating,changing,andsafeguardingpasswords

0

S.Rule-Part164,SubpartC,164.312(a)(1)-PossibleIssue-Implementtechnicalpoliciesandproceduresforelectronicinformationsystemsthatmaintainelectronicprotectedhealthinformationtoallowaccessonlytothosepersonsorsoftwareprogramsthathavebeengrantedaccessrightsasspecifiedinsection164.308(a)(4).

0

S.Rule-Part164,SubpartC,164.312(a)(2)(iv)-AddressableIssue-Implementamechanismtoencryptanddecryptelectronicprotectedhealthinformation.

0

NISTResourceGuide-Section4.14,Activity8-AddressableIssue-Implementelectronicproceduresthatterminateanelectronicsessionafterapredeterminedtimeofinactivity.

0

S.Rule-Part164,SubpartC,164.312(c)(1)-PossibleIssue-Implementpoliciesandprocedurestoprotectprivatehealthinformationfromimproperalterationordestruction

0

S.Rule-Part164,SubpartC,164.312(d)-PossibleIssue-Implementprocedurestoverifythatapersonorentityseekingaccesstoprivatehealthinformationistheoneclaimed

0

S.Rule-Part164,SubpartC,164.312(e)(1)-PossibleIssue-Implementtechnicalsecuritymeasurestoguardagainstunauthorizedaccesstoelectronicprotectedhealthinformationthatisbeingtransmittedoveranelectroniccommunicationsnetwork.

0

S.Rule-Part164,SubpartC,164.312(e)(2)(ii)-AddressableIssue-Implementamechanismtoencryptelectronicprivatehealthinformationwheneverdeemedappropriate

0


7/2/2020 20.1.1 - 42276:8dfd57 4



S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation. 0

S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed. 0

S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule. 0

S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism. 0

7/2/2020 20.1.1 - 42276:8dfd57 5

S.Rule-Part164,SubpartC,164.308(a)(5)(ii)(D)-AddressableIssue-Implementproceduresforcreating,changing,andsafeguardingpasswords0

S.Rule-Part164,SubpartC,164.312(a)(1)-PossibleIssue-Implementtechnicalpoliciesandproceduresforelectronicinformationsystemsthatmaintainelectronicprotectedhealthinformationtoallowaccessonlytothosepersonsorsoftwareprogramsthathavebeengrantedaccessrightsasspecifiedinsection164.308(a)(4). 0

S.Rule-Part164,SubpartC,164.312(a)(2)(iv)-AddressableIssue-Implementamechanismtoencryptanddecryptelectronicprotectedhealthinformation. 0

NISTResourceGuide-Section4.14,Activity8-AddressableIssue-Implementelectronicproceduresthatterminateanelectronicsessionafterapredeterminedtimeofinactivity. 0

S.Rule-Part164,SubpartC,164.312(c)(1)-PossibleIssue-Implementpoliciesandprocedurestoprotectprivatehealthinformationfromimproperalterationordestruction 0

S.Rule-Part164,SubpartC,164.312(d)-PossibleIssue-Implementprocedurestoverifythatapersonorentityseekingaccesstoprivatehealthinformationistheoneclaimed 0

7/2/2020 20.1.1 - 42276:8dfd57 6

S.Rule-Part164,SubpartC,164.312(e)(1)-PossibleIssue-Implementtechnicalsecuritymeasurestoguardagainstunauthorizedaccesstoelectronicprotectedhealthinformationthatisbeingtransmittedoveranelectroniccommunicationsnetwork. 0

S.Rule-Part164,SubpartC,164.312(e)(2)(ii)-AddressableIssue-Implementamechanismtoencryptelectronicprivatehealthinformationwheneverdeemedappropriate 0

7/2/2020 20.1.1 - 42276:8dfd57 7

20.1.1 BeyondTrust Remote SupportPCI Compatibility Report


The Payment Card Industry Data Security Standard (PCI DSS)Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20208:31:25PM

Regulations

The Payment Card Industry Data Security Standard (PCI)Version 3.2.1

Summary

ThePaymentCardIndustryDataSecurityStandard(PCIDSS)wasdevelopedtoencourageandenhancecardholderdatasecurityandfacilitatethebroadadoptionofconsistentdatasecuritymeasuresglobally.PCIDSSprovidesabaselineoftechnicalandoperationalrequirementsdesignedtoprotectaccountdata.

PCIDSScomprisesaminimumsetofrequirementsforprotectingcardholderdata,andmaybeenhancedbyadditionalcontrolsandpracticestofurthermitigaterisks,aswellaslocal,regionalandsectorlawsandregulations.Additionally,legislationorregulatoryrequirementsmayrequirespecificprotectionofpersonalinformationorotherdataelements(forexample,cardholdername).PCIDSSdoesnotsupersedelocalorregionallaws,governmentregulations,orotherlegalrequirements.

ThePCIDSSsecurityrequirementsapplytoallsystemcomponentsincludedinorconnectedtothecardholderdataenvironment.Thecardholderdataenvironment(CDE)iscomprisedofpeople,processesandtechnologiesthatstore,process,ortransmitcardholderdataorsensitiveauthenticationdata.

“Systemcomponents”includenetworkdevices,servers,computingdevices,andapplications.Examplesofsystemcomponentsincludebutarenotlimitedtothefollowing:Systemsthatprovidesecurityservices(forexample,authenticationservers),facilitatesegmentation(forexample,internalfirewalls),ormayimpactthesecurityof(forexample,nameresolutionorwebredirectionservers)theCDE.

Virtualizationcomponentssuchasvirtualmachines,virtualswitches/routers,virtualappliances,virtualapplications/desktops,andhypervisors.

Networkcomponentsincludingbutnotlimitedtofirewalls,switches,routers,wirelessaccesspoints,networkappliances,andothersecurityappliances.

Servertypesincludingbutnotlimitedtoweb,application,database,authentication,mail,proxy,NetworkTimeProtocol(NTP),andDomainNameSystem(DNS).

Applicationsincludingallpurchasedandcustomapplications,includinginternalandexternal(forexample,Internet)applications.AnyothercomponentordevicelocatedwithinorconnectedtotheCDE.

CoveredEntities

7/2/2020 20.1.1 - 42276:8dfd57 1

PCIDSSappliestoallentitiesinvolvedinpaymentcardprocessing—includingmerchants,processors,acquirers,issuers,andserviceproviders,aswellasallotherentitiesthatstore,processortransmitcardholderdata(CHD)and/orsensitiveauthenticationdata(SAD).

PCIDSSrequirementsapplytoorganizationsandenvironmentswhereaccountdata(cardholderdataand/orsensitiveauthenticationdata)isstored,processedortransmitted.SomePCIDSSrequirementsmayalsobeapplicabletoorganizationsthathaveoutsourcedtheirpaymentoperationsormanagementoftheirCDE1.Additionally,organizationsthatoutsourcetheirCDEorpaymentoperationstothirdpartiesareresponsibleforensuringthattheaccountdataisprotectedbythethirdpartypertheapplicablePCIDSSrequirements.

CompliancePenalties

Ifamerchantorserviceproviderdoesnotcomplywiththesecurityrequirementsorfailstorectifyasecurityissue,thecardcompaniesmayfinetheacquiringmember,orimposerestrictionsonthemerchantoritsagent.

ComplianceRequiredBy

PCIDSSversion3.2.1hasreplacedPCIDSSversion3.2andiseffectiveasofMay2018.ThePCIDSSversion3.2maynotbeusedforPCIDSScomplianceafterDecember31,2018.

Regulators

ThePCISecurityStandardsCouncil,anditsfoundingmembersincludingAmericanExpress,DiscoverFinancialServices,JCB,MasterCardWorldwideandVisaInternational.

FormoreinformationonthePCIDataSecurityStandard,pleasevisit:

https://www.pcisecuritystandards.org./index.htm

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-01.ibm.com/software/rational/offerings/websecurity/

Copyright:ThePCIinformationcontainedinthisreportisproprietarytoPCISecurityStandardsCouncil,LLC.AnyuseofthismaterialissubjecttothePCISECURITYSTANDARDSCOUNCIL,LLCLICENSEAGREEMENTthatcanbefoundat:

https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm


7/2/2020 20.1.1 - 42276:8dfd57 2



Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters.

0

Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.)

0

Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.

0

Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. 0Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems.

0

Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography. 0Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhostingpurposes–Hostingprovidersmustprotecteachentity’shostedenvironmentanddata.

0

Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. 0Requirement4.1-Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.

0

Requirement6-Developandmaintainsecuresystemsandapplications. 0Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities.

0

Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1

0

Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:•InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)•Basedonindustrystandardsand/orbestpractices.•Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustomsoftwaredevelopedbyathirdparty.

0

Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers.

0

Requirement6.4.4-Removaloftestdataandaccountsfromsystemcomponentsbeforethesystembecomesactive/goesintoproduction.

0

Requirement6.5-Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:•Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.•Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements.

0

Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws.

0

Requirement6.5.2-Bufferoverflow 0

7/2/2020 20.1.1 - 42276:8dfd57 3

Requirement6.5.3-Insecurecryptographicstorage 0Requirement6.5.4-Insecurecommunications 0Requirement6.5.5-Impropererrorhandling 0Requirement6.5.7-Crosssitescripting(XSS) 0Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions).

0

Requirement6.5.9-Crosssiterequestforgery(CSRF) 0Requirement6.5.10-BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement

0

Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:•Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychangesNote:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.•Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic.

0

Requirement7-Restrictaccesstodatabybusinessneed-to-know 0Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess.

0

Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities.

0

Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:•Somethingyouknow,suchasapasswordorpassphrase•Somethingyouhave,suchasatokendeviceorsmartcard•Somethingyouare,suchasabiometric.

0

Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents.

0

Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:•Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.•Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.•ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses).

0




7/2/2020 20.1.1 - 42276:8dfd57 4

Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters. 0

Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.) 0

Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem. 0

Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. 0

Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems. 0

Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography. 0

7/2/2020 20.1.1 - 42276:8dfd57 5

Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhostingpurposes–Hostingprovidersmustprotecteachentity’shostedenvironmentanddata. 0

Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. 0

Requirement4.1-Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse. 0

Requirement6-Developandmaintainsecuresystemsandapplications. 0

Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities. 0

Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1 0

7/2/2020 20.1.1 - 42276:8dfd57 6

Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:•InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)•Basedonindustrystandardsand/orbestpractices.•Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustomsoftwaredevelopedbyathirdparty. 0

Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers. 0

Requirement6.4.4-Removaloftestdataandaccountsfromsystemcomponentsbeforethesystembecomesactive/goesintoproduction. 0

Requirement6.5-Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:•Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.•Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements. 0

Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws. 0

7/2/2020 20.1.1 - 42276:8dfd57 7


Requirement6.5.3-Insecurecryptographicstorage 0

Requirement6.5.4-Insecurecommunications 0

Requirement6.5.5-Impropererrorhandling 0

Requirement6.5.7-Crosssitescripting(XSS) 0

Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions). 0

Requirement6.5.9-Crosssiterequestforgery(CSRF) 0

Requirement6.5.10-BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement 0

7/2/2020 20.1.1 - 42276:8dfd57 8

Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:•Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychangesNote:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.•Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic. 0

Requirement7-Restrictaccesstodatabybusinessneed-to-know 0

Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess. 0

Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities. 0

Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:•Somethingyouknow,suchasapasswordorpassphrase•Somethingyouhave,suchasatokendeviceorsmartcard•Somethingyouare,suchasabiometric. 0

7/2/2020 20.1.1 - 42276:8dfd57 9

Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents. 0

Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:•Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.•Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.•ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses). 0

7/2/2020 20.1.1 - 42276:8dfd57 10

BeyondTrust Remote SupportAppliance 6.0 FISMA CompatibilityReport

ThisreportincludesimportantcomplianceinformationabouttheBeyondTrustRemoteSupportAppliance

[US] Federal Information Security Mgmt. Act (FISMA)Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20205:01:28PM

Regulations

Federal Information Security Management Act (FISMA)

Summary

TheFederalInformationSecurityManagementAct(FISMA)waspassedbyCongressandsignedintolawbythePresidentaspartoftheElectronicGovernmentActof2002.Itprovidesaframeworktoensurecomprehensivemeasuresaretakentosecurefederalinformationandassets.Itrequireseachfederalagencytodevelop,document,andimplementanagency-wideprogramtoprovideinformationsecurityfortheinformationandinformationsystemsthatsupporttheoperationsandassetsoftheagency,includingthoseprovidedormanagedbyanotheragency,contractor,orothersource.

TheOfficeofManagementandBudget(OMB)requiresfederalagenciestopreparePlansofActionandMilestonesProcess(POAandMs)reportsforallprogramsandsystemswheretheyhavefoundanITsecurityweakness.CIOsandagencyprogramofficialsmustdevelop,implement,andmanagePOAandMsforallprogramsandsystemstheyoperateandcontrol.ProgramofficialsmustregularlyupdatetheagencyCIOontheirprogresssotheCIOcanmonitoragency-wideremediationeffortsandprovidetheagency’squarterlyupdatetoOMB.

AgenciesmustsubmitareporttotheOMBthatsummarizestheresultsofannualITsecurityreviewsofsystemsandprograms,andanyprogresstheagencyhasmadetowardsfulfillingtheirFISMAgoalsandmilestones.

OMBusesthereportstohelpevaluategovernment-widesecurityperformance,developitsannualsecurityreporttoCongress,assistinimprovingandmaintainingadequateagencysecurityperformance,andinformdevelopmentoftheE-GovernmentScorecardunderthePresident’sManagementAgenda.ThereportmustsummarizetheresultsofannualITsecurityreviewsofsystemsandprograms,andanyprogresstheagencyhasmadetowardsfulfillingtheirFISMAgoalsandmilestones.

FISMArequiresthatfederalagencyofficialsunderstandthecurrentstatusoftheirsecurityprogramsandthesecuritycontrolsplannedorinplacetoprotecttheirinformationandinformationsystemsinordertomakeinformedjudgmentsandinvestmentsthatappropriatelymitigaterisktoanacceptablelevel.Theultimateobjectiveistoconducttheday-to-dayoperationsoftheagencyandtoaccomplishtheagency'sstatedmissionswithadequatesecurity,orsecuritycommensuratewithrisk,includingthemagnitudeofharmresultingfromtheunauthorizedaccess,use,disclosure,disruption,modification,ordestructionofinformation.

FISMAImplementation

PhaseI:StandardsandGuidelinesDevelopment

ThefirstphaseoftheFISMAImplementationProjectfocusesonthedevelopmentandupdatingofthesecurity

7/2/2020 6.0 - 40092:A33698 1

standardsandguidancerequiredtoeffectivelyimplementtheprovisionsofthelegislation.TheimplementationoftheNISTstandardsandguidancewillhelpagenciescreateandmaintainrobustinformationsecurityprogramsandeffectivelymanagerisktoagencyoperations,agencyassets,andindividuals.

PhaseII:ImplementationandAssessmentAids

ThesecondphaseoftheFISMAImplementationProjectisfocusedonprovidinginformationsystemimplementationandassessmentreferencematerialsforbuildingcommonunderstandinginapplyingtheNISTsuiteofpublicationssupportingtheRiskManagementFramework(RMF).

NISTImplementationDocuments

NISTdevelopsandissuesstandards,guidelinesandotherpublicationstoassistfederalagenciesinimplementingFISMA,includingminimumrequirements,forprovidingadequateinformationsecurityforallagencyoperationsandassetsbutsuchstandardsandguidelinesshallnotapplytonationalsecuritysystems.

FederalInformationProcessingStandards(FIPS)areapprovedbytheSecretaryofCommerceandissuedbyNISTinaccordancewithFISMA.FIPSarecompulsoryandbindingforfederalagencies.FISMArequiresthatfederalagenciescomplywiththesestandards,andtherefore,agenciesmaynotwaivetheiruse.FIPS200mandatestheuseofSpecialPublication800-53,asamended.

AppScanandFISMA

AppScan'sFISMAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeminimumsecuritycontrolsrecommendationsassetinthesecuritycatalogofNISTSpecialPublication80053.ThisreportwasconstructedaccordingtotheHIGH-IMPACTInformationSystemsbaseline.Organizationsthatuselowormoderatecontrolbaselinemayhavetoadjusttheresultsaccordingly.

CoveredEntities

AllFederalagenciesandorganizationswhichpossessoruseFederalinformation--orwhichoperate,use,orhaveaccesstoFederalinformationsystems--onbehalfofaFederalagency,includingcontractors,grantees,Stateandlocalgovernments,andindustrypartners.

EffectiveDate

December2002


FederalagenciesmustsubmittheirannualITreviewreportstotheOMBbyOctoberofeachyear.

7/2/2020 6.0 - 40092:A33698 2

Regulators/Auditors

TheOfficeofManagementandBudget(OMB).

Formoreinformationonsecuringwebapplications,pleasevisit:http://www-03.ibm.com/software/products/en/category/application-security




Sec.3544.(A),Sec.3547(1)-Theheadofeachagencyshallberesponsibleforprovidinginformationsecurityprotectionscommensuratewiththeriskandmagnitudeoftheharmresultingfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionof—(i)informationcollectedormaintainedbyoronbehalfoftheagency;and(ii)informationsystemsusedoroperatedbyanagencyorbyacontractorofanagencyorotherorganizationonbehalfofanagency;

0

Sec.3544.(B)-Theheadofeachagencyshallberesponsibleforcomplyingwiththerequirementsofthissubchapterandrelatedpolicies,procedures,standards,andguidelines,including—(i)informationsecuritystandardspromulgatedundersection11331oftitle40;and(ii)informationsecuritystandardsandguidelinesfornationalsecuritysystemsissuedinaccordancewithlawandasdirectedbythePresident;

0

NISTSP800_53,AC-3-Theinformationsystemenforcesapprovedauthorizationsforlogicalaccesstoinformationandsystemresourcesinaccordancewithapplicableaccesscontrolpolicies.

0

NISTSP800_53,AC-6-Theorganizationemploystheprincipleofleastprivilege,allowingonlyauthorizedaccessesforusers(orprocessesactingonbehalfofusers)whicharenecessarytoaccomplishassignedtasksinaccordancewithorganizationalmissionsandbusinessfunctions.

0

NISTSP800_53,AC-10-Theinformationsystemlimitsthenumberofconcurrentsessionsforeach[Assignment:organization-definedaccountand/oraccounttype]to[Assignment:organization-definednumber].

0

NISTSP800_53,AC-11-TheOrganizationpreventsfurtheraccesstothesystembyinitiatingasessionlockafter[Assignment:organization-definedtimeperiod]ofinactivityoruponreceivingarequestfromauser;andretainsthesessionlockuntiltheuserreestablishesaccessusingestablishedidentificationandauthenticationprocedures.

0

NISTSP800_53,AC-17-Theorganization:Establishesanddocumentsusagerestrictions,configuration/connectionrequirements,andimplementationguidanceforeachtypeofremoteaccessallowed;andAuthorizesremoteaccesstotheinformationsystempriortoallowingsuchconnections.

0

NISTSP800_53,CM-6-Theorganization:a.Establishesanddocumentsconfigurationsettingsforinformationtechnologyproductsemployedwithintheinformationsystemusing[Assignment:organization-definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;b.Implementstheconfigurationsettings;c.Identifies,documents,and

0

7/2/2020 6.0 - 40092:A33698 3

approvesanydeviationsfromestablishedconfigurationsettingsfor[Assignment:organization-definedinformationsystemcomponents]basedon[Assignment:organization-definedoperationalrequirements];andd.Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures.NISTSP800_53,CM-7-Theorganization:a.Configurestheinformationsystemtoprovideonlyessentialcapabilities;andb.Prohibitsorrestrictstheuseofthefollowingfunctions,ports,protocols,and/orservices:[Assignment:organization-definedprohibitedorrestrictedfunctions,ports,protocols,and/orservices].

0

NISTSP800_53,IA-2-Theinformationsystemuniquelyidentifiesandauthenticatesorganizationalusers(orprocessesactingonbehalfoforganizationalusers).

0

NISTSP800_53,IA-4.D-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbypreventingreuseofuserordeviceidentifiersfor[Assignment:organization-definedtimeperiod].

0

NISTSP800_53,IA-4.E-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbydisablingtheuseridentifierafter[Assignment:organization-definedtimeperiodofinactivity].

0

NISTSP800_53,IA-5.C-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbyensuringthatauthenticatorshavesufficientstrengthofmechanismfortheirintendeduse.

0

NISTSP800_53,IA-5.E-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbychangingdefaultcontentofauthenticatorsuponinformationsysteminstallation.

0

NISTSP800_53,RA-5.A-Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization-definedfrequencyand/orrandomlyinaccordancewithorganization-definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported.

0

NISTSP800_53,SC-5-Theinformationsystemprotectsagainstorlimitstheeffectsofthefollowingtypesofdenialofserviceattacks:[Assignment:organization-definedtypesofdenialofserviceattacksorreferencetosourceforsuchinformation]byemploying[Assignment:organization-definedsecuritysafeguards].

0

NISTSP800_53,SC-8-Theinformationsystemprotectsthe[Selection(oneormore):confidentiality;integrity]oftransmittedinformation.

0

NISTSP800_53,SC-13-Theinformationsystemimplements[Assignment:organization-definedcryptographicusesandtypeofcryptographyrequiredforeachuse]inaccordancewithapplicablefederallaws,ExecutiveOrders,directives,policies,regulations,andstandards.

0

NISTSP800_53,SC-23-Theinformationsystemprotectstheauthenticityofcommunicationssessions. 0NISTSP800_53,SI-3.A-Employsmaliciouscodeprotectionmechanismsatinformationsystementryandexitpointstodetectanderadicatemaliciouscode;

0

NISTSP800_53,SI-3.B-Theorganizationupdatesmaliciouscodeprotectionmechanismswhenevernewreleasesareavailableinaccordancewithorganizationalconfigurationmanagementpolicyandprocedures;

0

NISTSP800_53,SI-10-Theinformationsystemchecksthevalidityofinformationinputs. 0NISTSP800_53,SI-11.A-Generateserrormessagesthatprovideinformationnecessaryforcorrectiveactionswithoutrevealinginformationthatcouldbeexploitedbyadversaries;

0



7/2/2020 6.0 - 40092:A33698 4


Sec.3544.(A),Sec.3547(1)-Theheadofeachagencyshallberesponsibleforprovidinginformationsecurityprotectionscommensuratewiththeriskandmagnitudeoftheharmresultingfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionof—(i)informationcollectedormaintainedbyoronbehalfoftheagency;and(ii)informationsystemsusedoroperatedbyanagencyorbyacontractorofanagencyorotherorganizationonbehalfofanagency; 0

Sec.3544.(B)-Theheadofeachagencyshallberesponsibleforcomplyingwiththerequirementsofthissubchapterandrelatedpolicies,procedures,standards,andguidelines,including—(i)informationsecuritystandardspromulgatedundersection11331oftitle40;and(ii)informationsecuritystandardsandguidelinesfornationalsecuritysystemsissuedinaccordancewithlawandasdirectedbythePresident; 0

NISTSP800_53,AC-3-Theinformationsystemenforcesapprovedauthorizationsforlogicalaccesstoinformationandsystemresourcesinaccordancewithapplicableaccesscontrolpolicies. 0

NISTSP800_53,AC-6-Theorganizationemploystheprincipleofleastprivilege,allowingonlyauthorizedaccessesforusers(orprocessesactingonbehalfofusers)whicharenecessarytoaccomplishassignedtasksinaccordancewithorganizationalmissionsandbusinessfunctions. 0

NISTSP800_53,AC-10-Theinformationsystemlimitsthenumberofconcurrentsessionsforeach[Assignment:organization-definedaccountand/oraccounttype]to[Assignment:organization-definednumber]. 0

7/2/2020 6.0 - 40092:A33698 5

NISTSP800_53,AC-11-TheOrganizationpreventsfurtheraccesstothesystembyinitiatingasessionlockafter[Assignment:organization-definedtimeperiod]ofinactivityoruponreceivingarequestfromauser;andretainsthesessionlockuntiltheuserreestablishesaccessusingestablishedidentificationandauthenticationprocedures. 0

NISTSP800_53,AC-17-Theorganization:Establishesanddocumentsusagerestrictions,configuration/connectionrequirements,andimplementationguidanceforeachtypeofremoteaccessallowed;andAuthorizesremoteaccesstotheinformationsystempriortoallowingsuchconnections. 0

NISTSP800_53,CM-6-Theorganization:a.Establishesanddocumentsconfigurationsettingsforinformationtechnologyproductsemployedwithintheinformationsystemusing[Assignment:organization-definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;b.Implementstheconfigurationsettings;c.Identifies,documents,andapprovesanydeviationsfromestablishedconfigurationsettingsfor[Assignment:organization-definedinformationsystemcomponents]basedon[Assignment:organization-definedoperationalrequirements];andd.Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures. 0

NISTSP800_53,CM-7-Theorganization:a.Configurestheinformationsystemtoprovideonlyessentialcapabilities;andb.Prohibitsorrestrictstheuseofthefollowingfunctions,ports,protocols,and/orservices:[Assignment:organization-definedprohibitedorrestrictedfunctions,ports,protocols,and/orservices]. 0

7/2/2020 6.0 - 40092:A33698 6

NISTSP800_53,IA-2-Theinformationsystemuniquelyidentifiesandauthenticatesorganizationalusers(orprocessesactingonbehalfoforganizationalusers). 0

NISTSP800_53,IA-4.D-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbypreventingreuseofuserordeviceidentifiersfor[Assignment:organization-definedtimeperiod]. 0

NISTSP800_53,IA-4.E-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbydisablingtheuseridentifierafter[Assignment:organization-definedtimeperiodofinactivity]. 0

NISTSP800_53,IA-5.C-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbyensuringthatauthenticatorshavesufficientstrengthofmechanismfortheirintendeduse. 0

NISTSP800_53,IA-5.E-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbychangingdefaultcontentofauthenticatorsuponinformationsysteminstallation. 0

NISTSP800_53,RA-5.A-Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization-definedfrequencyand/orrandomlyinaccordancewithorganization-definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported. 0

7/2/2020 6.0 - 40092:A33698 7

NISTSP800_53,SC-5-Theinformationsystemprotectsagainstorlimitstheeffectsofthefollowingtypesofdenialofserviceattacks:[Assignment:organization-definedtypesofdenialofserviceattacksorreferencetosourceforsuchinformation]byemploying[Assignment:organization-definedsecuritysafeguards]. 0

NISTSP800_53,SC-8-Theinformationsystemprotectsthe[Selection(oneormore):confidentiality;integrity]oftransmittedinformation. 0

NISTSP800_53,SC-13-Theinformationsystemimplements[Assignment:organization-definedcryptographicusesandtypeofcryptographyrequiredforeachuse]inaccordancewithapplicablefederallaws,ExecutiveOrders,directives,policies,regulations,andstandards. 0

NISTSP800_53,SC-23-Theinformationsystemprotectstheauthenticityofcommunicationssessions. 0

NISTSP800_53,SI-3.A-Employsmaliciouscodeprotectionmechanismsatinformationsystementryandexitpointstodetectanderadicatemaliciouscode; 0

NISTSP800_53,SI-3.B-Theorganizationupdatesmaliciouscodeprotectionmechanismswhenevernewreleasesareavailableinaccordancewithorganizationalconfigurationmanagementpolicyandprocedures; 0

7/2/2020 6.0 - 40092:A33698 8

NISTSP800_53,SI-10-Theinformationsystemchecksthevalidityofinformationinputs. 0

NISTSP800_53,SI-11.A-Generateserrormessagesthatprovideinformationnecessaryforcorrectiveactionswithoutrevealinginformationthatcouldbeexploitedbyadversaries; 0

7/2/2020 6.0 - 40092:A33698 9

BeyondTrust Remote SupportAppliance 6.0 GDPR CompatibilityReport


[EU] Regulation 2016/679 Of The European Parliament And OfThe Council (GDPR) Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20205:01:28PM

Regulations

Regulation 2016/679 Of The European Parliament And Of TheCouncil - General Data Protection Regulation (GDPR)LearnmoreaboutIBMownGDPRreadinessjourneyandourGDPRcapabilitiesandofferingshere:https://ibm.com/gdpr

LearnmoreaboutGDPRontheEropeanUnion'sDataProtectionwebsitehere:https://ec.europa.eu/info/law/law-topic/data-protection_en

Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does notnecessarily indicate actual legal issues in the context GDPR, but rather points out areas of interest. A legally bindingassessment of applicability of any areas of interest shown in this report can and should only be made by a legalprofessional.

GDPR ArticlesIssuesdetectedacross0/4sectionsoftheregulation:


Article25(1)-Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverityforrightsandfreedomsofnaturalpersonsposedbytheprocessing,thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandatthetimeoftheprocessingitself,implementappropriatetechnicalandorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples,suchasdataminimisation,inaneffectivemannerandtointegratethenecessarysafeguardsintotheprocessinginordertomeettherequirementsofthisRegulationandprotecttherightsofdatasubjects.

0

Article32(1)(a)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:thepseudonymisationandencryptionofpersonaldata.

0

Article32(1)(b)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessingsystemsandservices.

0

Article32(2)-Inassessingtheappropriatelevelofsecurityaccountshallbetakeninparticularofthe 0

7/2/2020 6.0 - 40092:A33698 1

risksthatarepresentedbyprocessing,inparticularfromaccidentalorunlawfuldestruction,loss,alteration,unauthoriseddisclosureof,oraccesstopersonaldatatransmitted,storedorotherwiseprocessed




Article25(1)-Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverityforrightsandfreedomsofnaturalpersonsposedbytheprocessing,thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandatthetimeoftheprocessingitself,implementappropriatetechnicalandorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples,suchasdataminimisation,inaneffectivemannerandtointegratethenecessarysafeguardsintotheprocessinginordertomeettherequirementsofthisRegulationandprotecttherightsofdatasubjects. 0

Article32(1)(a)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:thepseudonymisationandencryptionofpersonaldata. 0

7/2/2020 6.0 - 40092:A33698 2

Article32(1)(b)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessingsystemsandservices. 0

Article32(2)-Inassessingtheappropriatelevelofsecurityaccountshallbetakeninparticularoftherisksthatarepresentedbyprocessing,inparticularfromaccidentalorunlawfuldestruction,loss,alteration,unauthoriseddisclosureof,oraccesstopersonaldatatransmitted,storedorotherwiseprocessed 0

7/2/2020 6.0 - 40092:A33698 3

BeyondTrust Remote SupportAppliance 6.0 HIPPA CompatibilityReport


[US] Healthcare Services (HIPAA) Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20205:01:28PM

Regulations

The Health Insurance Portability and Accountability Act(HIPAA) of 1996 - Security and Privacy Regulations

Summary

HIPAAprovidesfederalprotectionsforpersonalhealthinformationheldbycoveredentitiesandgivespatientsasetofrightswithrespecttothatinformation.However,HIPAAdoespermitthedisclosureofpersonalhealthinformationneededforpatientcareandotherimportantandnecessarypurposes.

TitleIofHIPAAprotectshealthinsurancecoverageforworkersandtheirfamilieswhentheychangeorlosetheirjobs.TitleIIofHIPAA,knownastheAdministrativeSimplificationprovisions,requirestheestablishmentofnationalstandardsforelectronichealthcaretransactionsandnationalidentifiersforproviders,healthinsuranceplans,andemployers.

TheAdministrationSimplificationprovisionsalsoaddressthesecurityandprivacyofhealthdata.Thestandardsaremeanttoimprovetheefficiencyandeffectivenessofthehealthcaresystem.

TheUnitedStatesDepartmentofHealthandHumanServices(HHS)hasissuedregulationsimplementingthoseprovisionsofHIPAAregulatingtheprivacyandsecurityofindividuals’medicalrecords.

CoveredInformation

TheRuleslimittheuseanddisclosureofpersonalhealthinformationbyCoveredEntities.Protectedhealthinformationisindividuallyidentifiablehealthinformationthatistransmittedormaintainedinanyformormedium,andwhichrelatestothepast,presentorfuturephysicalormentalheathorconditionofanindividual,theprovisionofheathcaretoanindividual,orthepast,presentorfuturepaymentfortheprovisionofhealthcare.Informationis“individuallyidentifiable”ifitactuallyidentifiesanindividualorcontainsinformationthatcouldreasonablybeusedtoidentifyandindividual.

HIPAArequiresmeasurestobetakentosecurethisinformationwhileinthecustodyofcoveredentitiesaswellasintransitbetweencoveredentitiesandfromcoveredentitiestoothers.

ThePrivacyRulerequiresthatcoveredentities,amongotherthings(i)obtainpriorwrittenauthorizationtouseordisclosecertainpersonalhealthinformationforanypurposeotherthanpayment,healthcaretreatmentorhealthcareoperations,(ii)givepatientsaccesstocertainpersonalhealthinformationuponrequest,(iii)instituteproceduralsafeguardstoprotectpersonalhealthinformation,and(iv)limittheuseanddisclosureofsuchinformationtotheminimumnecessarytoachievetheintendedpurposeforsuchinformation.

7/2/2020 6.0 - 40092:A33698 1

TheSecurityRulerequiresthatcoveredentities,amongotherthings,implementadministrative,technical,andphysicalsafeguardsto(i)ensuretheconfidentiality,integrityandavailabilityofallelectronicprotectedhealthinformationthecoveredentitycreates,receives,maintains,ortransmits;(ii)protectagainstanyreasonablyanticipatedthreatsorhazardstothesecurityorintegrityofsuchinformation;(iii)protectagainstanyreasonablyanticipatedusesordisclosuresofsuchinformationthatarenotpermittedorrequiredtheSecurityRule;and(iv)ensurecompliancewiththeSecurityRulebythecoveredentity'sworkforce.

InrecognitionofthesecuritythreatstoElectronicProtectedHealthInformation(EPHI),HHShaspublishedHIPAAPrivacyandSecurityRules`guidancedocumentstoimplementprivacyandsecurityframeworkforelectronicexchangeofindividuallyidentifiablehealthinformation.Theseguidancedocumentsdiscusshowtheprivacyandsecurityrulescanfacilitatethesafeandadequateexchangeofelectronichealthinformationandhowtodealwiththechallengesthattheuseandexchangeofelectronichealthinformationposses.

CoveredEntities

TheRulesapplytofourtypesofentities:healthcareproviders,healthplans,healthcareclearinghousesandprescriptiondrugcardsponsors(collectively"CoveredEntities").Thisgenerallymeansthoseprovidinghealthcare,thosepayingfor(insuring)healthcareanddataprocessorsthatassistinthepreceding.

CompliancePenalties

AfinemaybeimposedonanypersonorcoveredentitythatviolatesanyHIPAArequirement.Thecivilmonetarypenaltyforviolatingtransactionstandardsisupto$100perpersonperviolationandupto$25,000perpersonperviolationofasinglestandardpercalendaryear.

Thefinemaybereducedorwaivedentirelyiftheviolationwasnotduetowillfulneglectoftherequirements,andiftheentitycorrectsitwithin30daysofbecomingawareofit.

Federalcriminalpenaltiescanalsobeplaceduponhealthplans,providersandhealthcareclearinghousesthatknowinglyandimproperlydiscloseinformationorobtaininformationunderfalsepretenses.Penaltieswouldbehigherforactionsdesignedtogeneratemonetarygain.

Criminalpenaltiesareupto$50,000andoneyearinprisonforobtainingordisclosingprotectedhealthinformation;upto$100,000anduptofiveyearsinprisonforobtainingprotectedhealthinformationunder"falsepretenses";andupto$250,000anduptotenyearsinprisonforobtainingordisclosingprotectedhealthinformationwiththeintenttosell,transferoruseitforcommercialadvantage,personalgainormaliciousharm.

Effectivedate

April14,2001

SecurityRule–April21,2003

PrivacyRule–April14,2003

7/2/2020 6.0 - 40092:A33698 2


Privacyprovisions-April14,2003

Securityprovisions-April20,2005

Administrativeprovisions–July1,2005

Regulators/Administrators

UnitedStatesDepartmentofHealthandHumanServices

OfficeforCivilRights

AppScan'sHIPAAComplianceReport

AppScan'sHIPAAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeHIPAASecurityRulerequirementsandrelatedrequiredactivitiesasdescribedintheNISTresourceguideforHIPAAsecurityruleimplementation.

Note

AddressableIssue-asappearsinthisreportmeansacoveredentitymust-

(i)Assesswhethereachimplementationspecificationisareasonableandappropriatesafeguardinitsenvironment,whenanalyzedwithreferencetothelikelycontributiontoprotectingtheentity'selectronicprotectedhealthinformation;and

(ii)Asapplicabletotheentity-

(A)Implementtheimplementationspecificationifreasonableandappropriate;or

(B)Ifimplementingtheimplementationspecificationisnotreasonableandappropriate-

(1)Documentwhyitwouldnotbereasonableandappropriatetoimplementtheimplementationspecification;and

(2)Implementanequivalentalternativemeasureifreasonableandappropriate.

PossibleIssue-asappearsinthisreportmeansthedetectedresultsmayimplythatarequiredimplementationspecificationisnotmet.

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-03.ibm.com/software/products/en/category/application-security

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstratepotential vulnerabilities in your application that should be corrected in order to reduce the likelihood that yourinformation will be compromised. As legal advice must be tailored to the specific application of each law, and lawsare constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel.IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole

7/2/2020 6.0 - 40092:A33698 3

responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevantlaws and regulatory requirements that may affect the customer's business and any actions the customer may need totake to comply with such laws.



S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation.

0

S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed.

0

S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule.

0

S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism.

0

S.Rule-Part164,SubpartC,164.308(a)(5)(ii)(D)-AddressableIssue-Implementproceduresforcreating,changing,andsafeguardingpasswords

0

S.Rule-Part164,SubpartC,164.312(a)(1)-PossibleIssue-Implementtechnicalpoliciesandproceduresforelectronicinformationsystemsthatmaintainelectronicprotectedhealthinformationtoallowaccessonlytothosepersonsorsoftwareprogramsthathavebeengrantedaccessrightsasspecifiedinsection164.308(a)(4).

0

S.Rule-Part164,SubpartC,164.312(a)(2)(iv)-AddressableIssue-Implementamechanismtoencryptanddecryptelectronicprotectedhealthinformation.

0

NISTResourceGuide-Section4.14,Activity8-AddressableIssue-Implementelectronicproceduresthatterminateanelectronicsessionafterapredeterminedtimeofinactivity.

0

S.Rule-Part164,SubpartC,164.312(c)(1)-PossibleIssue-Implementpoliciesandprocedurestoprotectprivatehealthinformationfromimproperalterationordestruction

0

S.Rule-Part164,SubpartC,164.312(d)-PossibleIssue-Implementprocedurestoverifythatapersonorentityseekingaccesstoprivatehealthinformationistheoneclaimed

0

S.Rule-Part164,SubpartC,164.312(e)(1)-PossibleIssue-Implementtechnicalsecuritymeasurestoguardagainstunauthorizedaccesstoelectronicprotectedhealthinformationthatisbeingtransmittedoveranelectroniccommunicationsnetwork.

0

S.Rule-Part164,SubpartC,164.312(e)(2)(ii)-AddressableIssue-Implementamechanismtoencryptelectronicprivatehealthinformationwheneverdeemedappropriate

0


7/2/2020 6.0 - 40092:A33698 4



S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation. 0

S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed. 0

S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule. 0

S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism. 0

7/2/2020 6.0 - 40092:A33698 5

S.Rule-Part164,SubpartC,164.308(a)(5)(ii)(D)-AddressableIssue-Implementproceduresforcreating,changing,andsafeguardingpasswords0

S.Rule-Part164,SubpartC,164.312(a)(1)-PossibleIssue-Implementtechnicalpoliciesandproceduresforelectronicinformationsystemsthatmaintainelectronicprotectedhealthinformationtoallowaccessonlytothosepersonsorsoftwareprogramsthathavebeengrantedaccessrightsasspecifiedinsection164.308(a)(4). 0

S.Rule-Part164,SubpartC,164.312(a)(2)(iv)-AddressableIssue-Implementamechanismtoencryptanddecryptelectronicprotectedhealthinformation. 0

NISTResourceGuide-Section4.14,Activity8-AddressableIssue-Implementelectronicproceduresthatterminateanelectronicsessionafterapredeterminedtimeofinactivity. 0

S.Rule-Part164,SubpartC,164.312(c)(1)-PossibleIssue-Implementpoliciesandprocedurestoprotectprivatehealthinformationfromimproperalterationordestruction 0

S.Rule-Part164,SubpartC,164.312(d)-PossibleIssue-Implementprocedurestoverifythatapersonorentityseekingaccesstoprivatehealthinformationistheoneclaimed 0

7/2/2020 6.0 - 40092:A33698 6

S.Rule-Part164,SubpartC,164.312(e)(1)-PossibleIssue-Implementtechnicalsecuritymeasurestoguardagainstunauthorizedaccesstoelectronicprotectedhealthinformationthatisbeingtransmittedoveranelectroniccommunicationsnetwork. 0

S.Rule-Part164,SubpartC,164.312(e)(2)(ii)-AddressableIssue-Implementamechanismtoencryptelectronicprivatehealthinformationwheneverdeemedappropriate 0

7/2/2020 6.0 - 40092:A33698 7

BeyondTrust Remote SupportAppliance 6.0 PCI CompatibilityReport


The Payment Card Industry Data Security Standard (PCI DSS)Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:6/30/20205:01:28PM

Regulations

The Payment Card Industry Data Security Standard (PCI)Version 3.2.1

Summary

ThePaymentCardIndustryDataSecurityStandard(PCIDSS)wasdevelopedtoencourageandenhancecardholderdatasecurityandfacilitatethebroadadoptionofconsistentdatasecuritymeasuresglobally.PCIDSSprovidesabaselineoftechnicalandoperationalrequirementsdesignedtoprotectaccountdata.

PCIDSScomprisesaminimumsetofrequirementsforprotectingcardholderdata,andmaybeenhancedbyadditionalcontrolsandpracticestofurthermitigaterisks,aswellaslocal,regionalandsectorlawsandregulations.Additionally,legislationorregulatoryrequirementsmayrequirespecificprotectionofpersonalinformationorotherdataelements(forexample,cardholdername).PCIDSSdoesnotsupersedelocalorregionallaws,governmentregulations,orotherlegalrequirements.

ThePCIDSSsecurityrequirementsapplytoallsystemcomponentsincludedinorconnectedtothecardholderdataenvironment.Thecardholderdataenvironment(CDE)iscomprisedofpeople,processesandtechnologiesthatstore,process,ortransmitcardholderdataorsensitiveauthenticationdata.

“Systemcomponents”includenetworkdevices,servers,computingdevices,andapplications.Examplesofsystemcomponentsincludebutarenotlimitedtothefollowing:Systemsthatprovidesecurityservices(forexample,authenticationservers),facilitatesegmentation(forexample,internalfirewalls),ormayimpactthesecurityof(forexample,nameresolutionorwebredirectionservers)theCDE.

Virtualizationcomponentssuchasvirtualmachines,virtualswitches/routers,virtualappliances,virtualapplications/desktops,andhypervisors.

Networkcomponentsincludingbutnotlimitedtofirewalls,switches,routers,wirelessaccesspoints,networkappliances,andothersecurityappliances.

Servertypesincludingbutnotlimitedtoweb,application,database,authentication,mail,proxy,NetworkTimeProtocol(NTP),andDomainNameSystem(DNS).

Applicationsincludingallpurchasedandcustomapplications,includinginternalandexternal(forexample,Internet)applications.AnyothercomponentordevicelocatedwithinorconnectedtotheCDE.

CoveredEntities

7/2/2020 6.0 - 40092:A33698 1

PCIDSSappliestoallentitiesinvolvedinpaymentcardprocessing—includingmerchants,processors,acquirers,issuers,andserviceproviders,aswellasallotherentitiesthatstore,processortransmitcardholderdata(CHD)and/orsensitiveauthenticationdata(SAD).

PCIDSSrequirementsapplytoorganizationsandenvironmentswhereaccountdata(cardholderdataand/orsensitiveauthenticationdata)isstored,processedortransmitted.SomePCIDSSrequirementsmayalsobeapplicabletoorganizationsthathaveoutsourcedtheirpaymentoperationsormanagementoftheirCDE1.Additionally,organizationsthatoutsourcetheirCDEorpaymentoperationstothirdpartiesareresponsibleforensuringthattheaccountdataisprotectedbythethirdpartypertheapplicablePCIDSSrequirements.

CompliancePenalties

Ifamerchantorserviceproviderdoesnotcomplywiththesecurityrequirementsorfailstorectifyasecurityissue,thecardcompaniesmayfinetheacquiringmember,orimposerestrictionsonthemerchantoritsagent.

ComplianceRequiredBy

PCIDSSversion3.2.1hasreplacedPCIDSSversion3.2andiseffectiveasofMay2018.ThePCIDSSversion3.2maynotbeusedforPCIDSScomplianceafterDecember31,2018.

Regulators

ThePCISecurityStandardsCouncil,anditsfoundingmembersincludingAmericanExpress,DiscoverFinancialServices,JCB,MasterCardWorldwideandVisaInternational.

FormoreinformationonthePCIDataSecurityStandard,pleasevisit:

https://www.pcisecuritystandards.org./index.htm

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-01.ibm.com/software/rational/offerings/websecurity/

Copyright:ThePCIinformationcontainedinthisreportisproprietarytoPCISecurityStandardsCouncil,LLC.AnyuseofthismaterialissubjecttothePCISECURITYSTANDARDSCOUNCIL,LLCLICENSEAGREEMENTthatcanbefoundat:

https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm


7/2/2020 6.0 - 40092:A33698 2



Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters.

0

Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.)

0

Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.

0

Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. 0Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems.

0

Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography. 0Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhostingpurposes–Hostingprovidersmustprotecteachentity’shostedenvironmentanddata.

0

Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. 0Requirement4.1-Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.

0

Requirement6-Developandmaintainsecuresystemsandapplications. 0Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities.

0

Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1

0

Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:•InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)•Basedonindustrystandardsand/orbestpractices.•Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustomsoftwaredevelopedbyathirdparty.

0

Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers.

0

Requirement6.4.4-Removaloftestdataandaccountsfromsystemcomponentsbeforethesystembecomesactive/goesintoproduction.

0

Requirement6.5-Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:•Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.•Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements.

0

Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws.

0


7/2/2020 6.0 - 40092:A33698 3

Requirement6.5.3-Insecurecryptographicstorage 0Requirement6.5.4-Insecurecommunications 0Requirement6.5.5-Impropererrorhandling 0Requirement6.5.7-Crosssitescripting(XSS) 0Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions).

0

Requirement6.5.9-Crosssiterequestforgery(CSRF) 0Requirement6.5.10-BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement

0

Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:•Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychangesNote:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.•Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic.

0

Requirement7-Restrictaccesstodatabybusinessneed-to-know 0Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess.

0

Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities.

0

Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:•Somethingyouknow,suchasapasswordorpassphrase•Somethingyouhave,suchasatokendeviceorsmartcard•Somethingyouare,suchasabiometric.

0

Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents.

0

Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:•Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.•Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.•ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses).

0




7/2/2020 6.0 - 40092:A33698 4

Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters. 0

Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.) 0

Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem. 0

Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. 0

Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems. 0

Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography. 0

7/2/2020 6.0 - 40092:A33698 5

Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhostingpurposes–Hostingprovidersmustprotecteachentity’shostedenvironmentanddata. 0

Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. 0

Requirement4.1-Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse. 0

Requirement6-Developandmaintainsecuresystemsandapplications. 0

Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities. 0

Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1 0

7/2/2020 6.0 - 40092:A33698 6

Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:•InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)•Basedonindustrystandardsand/orbestpractices.•Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustomsoftwaredevelopedbyathirdparty. 0

Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers. 0

Requirement6.4.4-Removaloftestdataandaccountsfromsystemcomponentsbeforethesystembecomesactive/goesintoproduction. 0

Requirement6.5-Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:•Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.•Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements. 0

Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws. 0

7/2/2020 6.0 - 40092:A33698 7


Requirement6.5.3-Insecurecryptographicstorage 0

Requirement6.5.4-Insecurecommunications 0

Requirement6.5.5-Impropererrorhandling 0

Requirement6.5.7-Crosssitescripting(XSS) 0

Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions). 0

Requirement6.5.9-Crosssiterequestforgery(CSRF) 0

Requirement6.5.10-BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement 0

7/2/2020 6.0 - 40092:A33698 8

Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:•Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychangesNote:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.•Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic. 0

Requirement7-Restrictaccesstodatabybusinessneed-to-know 0

Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess. 0

Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities. 0

Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:•Somethingyouknow,suchasapasswordorpassphrase•Somethingyouhave,suchasatokendeviceorsmartcard•Somethingyouare,suchasabiometric. 0

7/2/2020 6.0 - 40092:A33698 9

Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents. 0

Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:•Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.•Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.•ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses). 0

7/2/2020 6.0 - 40092:A33698 10