Remote Support 20.1 / Base 6.0
Vulnerability Scan Reports
©2003-2019 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC:11/15/2019
20.1.1 BeyondTrust Remote Support FISMA Compatibility Report
This report includes important compliance information about BeyondTrust Remote Support 20.1.1
[US] Federal Information Security Mgmt. Act (FISMA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 6/30/2020 8:31:25 PM
Regulations
Federal Information Security Management Act (FISMA)
Summary
The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The Office of Management and Budget (OMB) requires federal agencies to prepare Plans of Action and Milestones Process (POA&Ms) reports for all programs and systems where they have found an IT security weakness. CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems they operate and control. Program officials must regularly update the agency CIO on their progress so the CIO can monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB.
Agencies must submit a report to the OMB that summarizes the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
FISMA requires that federal agency officials understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
FISMA Implementation
Phase I: Standards and Guidelines Development
The first phase of the FISMA Implementation Project focuses on the development and updating of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create and maintain robust information security programs and effectively manage risk to agency operations, agency assets, and individuals.
7/2/2020 20.1.1 - 42276:8dfd57 1
Phase II: Implementation and Assessment Aids
The second phase of the FISMA Implementation Project is focused on providing information system implementation and assessment reference materials for building common understanding in applying the NIST suite of publications supporting the Risk Management Framework (RMF).
NIST Implementation Documents
NIST develops and issues standards, guidelines and other publications to assist federal agencies in implementing FISMA, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.
Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use. FIPS 200 mandates the use of Special Publication 800-53, as amended.
AppScan and FISMA
AppScan's FISMA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the minimum security controls recommendations as set in the security catalog of NIST Special Publication 800-53. This report was constructed according to the HIGH-IMPACT Information Systems baseline. Organizations that use a low or moderate control baseline may have to adjust the results accordingly.
Covered Entities
All Federal agencies and organizations which possess or use Federal information, or which operate, use, or have access to Federal information systems, on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners.
Effective Date
December 2002
Compliance Required by
Federal agencies must submit their annual IT review reports to the OMB by October of each year.
Regulators/Auditors
The Office of Management and Budget (OMB).
For more information on securing web applications, please visit: http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/23 sections of the regulation:
Sections | Number of Issues
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including: (i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0
NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0
NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0
NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0
NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0
NIST SP 800-53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. | 0
NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0
NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0
NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0
NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0
NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0
NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0
NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0
NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0
NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0
NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0
NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0
NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. | 0
NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0
NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0
NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. | 0
NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0
Section Violation By Issue
0 Unique issues detected across 0/23 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including: (i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0
NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0
NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0
NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0
NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0
NIST SP 800-53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. | 0
NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0
NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0
NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0
NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0
NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0
NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0
NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0
NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0
NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0
NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0
NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0
NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. | 0
NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0
NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0
NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. | 0
NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0
20.1.1 BeyondTrust Remote Support GDPR Compatibility Report
This report includes important privacy information about BeyondTrust Remote Support 20.1.1
[EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 6/30/2020 8:31:25 PM
Regulations
Regulation 2016/679 Of The European Parliament And Of The Council - General Data Protection Regulation (GDPR)
Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr
Learn more about GDPR on the European Union's Data Protection website here: https://ec.europa.eu/info/law/law-topic/data-protection_en
Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does not necessarily indicate actual legal issues in the context of GDPR, but rather points out areas of interest. A legally binding assessment of applicability of any areas of interest shown in this report can and should only be made by a legal professional.
GDPR Articles
Issues detected across 0/4 sections of the regulation:
Sections | Number of Issues
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. | 0
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. | 0
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. | 0
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed | 0
Section Violation By Issue
0 Unique issues detected across 0/4 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. | 0
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. | 0
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. | 0
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed | 0
20.1.1 BeyondTrust Remote Support HIPAA Compatibility Report
This report includes important compliance information about BeyondTrust Remote Support 20.1.1
[US] Healthcare Services (HIPAA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 6/30/2020 8:31:25 PM
Regulations
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Security and Privacy Regulations
Summary
HIPAA provides federal protections for personal health information held by covered entities and gives patients a set of rights with respect to that information. However, HIPAA does permit the disclosure of personal health information needed for patient care and other important and necessary purposes.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the health care system.
The United States Department of Health and Human Services (HHS) has issued regulations implementing those provisions of HIPAA regulating the privacy and security of individuals' medical records.
Covered Information
The Rules limit the use and disclosure of personal health information by Covered Entities. Protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, and which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care. Information is "individually identifiable" if it actually identifies an individual or contains information that could reasonably be used to identify an individual.
HIPAA requires measures to be taken to secure this information while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.
The Privacy Rule requires that covered entities, among other things, (i) obtain prior written authorization to use or disclose certain personal health information for any purpose other than payment, health care treatment or health care operations, (ii) give patients access to certain personal health information upon request, (iii) institute procedural safeguards to protect personal health information, and (iv) limit the use and disclosure of such information to the minimum necessary to achieve the intended purpose for such information.
The Security Rule requires that covered entities, among other things, implement administrative, technical, and physical safeguards to (i) ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule; and (iv) ensure compliance with the Security Rule by the covered entity's workforce.
In recognition of the security threats to Electronic Protected Health Information (EPHI), HHS has published HIPAA Privacy and Security Rules guidance documents to implement a privacy and security framework for electronic exchange of individually identifiable health information. These guidance documents discuss how the privacy and security rules can facilitate the safe and adequate exchange of electronic health information and how to deal with the challenges that the use and exchange of electronic health information poses.
Covered Entities
The Rules apply to four types of entities: health care providers, health plans, health care clearinghouses and prescription drug card sponsors (collectively "Covered Entities"). This generally means those providing health care, those paying for (insuring) health care and data processors that assist in the preceding.
Compliance Penalties
A fine may be imposed on any person or covered entity that violates any HIPAA requirement. The civil monetary penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard per calendar year.
The fine may be reduced or waived entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it.
Federal criminal penalties can also be placed upon health plans, providers and health care clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain.
Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Effective date
April 14, 2001
Security Rule - April 21, 2003
Privacy Rule - April 14, 2003
Compliance Required by
Privacy provisions - April 14, 2003
Security provisions - April 20, 2005
Administrative provisions - July 1, 2005
Regulators/Administrators
United States Department of Health and Human Services
Office for Civil Rights
AppScan's HIPAA Compliance Report
AppScan's HIPAA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the HIPAA Security Rule requirements and related required activities as described in the NIST resource guide for HIPAA security rule implementation.
Note
Addressable Issue - as appears in this report means a covered entity must:
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate:
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Possible Issue - as appears in this report means the detected results may imply that a required implementation specification is not met.
Violated SectionIssuesdetectedacross0/12sectionsoftheregulation:
SectionsNumberofIssues
S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation.
0
S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part (the Privacy Rule). Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). Issues: 0
S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. Issues: 0
NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate. Issues: 0

Section Violation By Issue
0 unique issues detected across 0/12 sections of the regulation:
7/2/2020 20.1.1 - 42276:8dfd57 4
URL | Entity | Issue Type | Sections
(No rows: the scan reported no issues, so this table is empty.)

Detailed Security Issues by Sections
Every section lists 0 detailed issues. Descriptions are as given in the summary table above, except the first row, which is quoted in full here.
S. Rule - Part 164, Subpart C, 164.308(a)(3)(i) - Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue. Issues: 0
NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue. Issues: 0
S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue. Issues: 0
20.1.1 BeyondTrust Remote Support PCI Compatibility Report
This report includes important compliance information about BeyondTrust Remote Support 20.1.1.
The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report. This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 6/30/2020 8:31:25 PM.
Regulations
The Payment Card Industry Data Security Standard (PCI), Version 3.2.1
Summary
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
“System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
• Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name resolution or web redirection servers).
• Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
• Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
• Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
• Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
• Any other component or device located within or connected to the CDE.
Covered Entities
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
Compliance Penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.
Compliance Required By
PCI DSS version 3.2.1 has replaced PCI DSS version 3.2 and is effective as of May 2018. PCI DSS version 3.2 may not be used for PCI DSS compliance after December 31, 2018.
Regulators
The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
For more information on the PCI Data Security Standard, please visit:
https://www.pcisecuritystandards.org./index.htm
For more information on securing web applications, please visit http://www-01.ibm.com/software/rational/offerings/websecurity/
Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT that can be found at:
https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/32 sections of the regulation:
Sections / Number of Issues (each row ends with the count of issues detected)
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. Issues: 0
Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. Issues: 0
Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. Issues: 0
Requirement 2.2.4 - Configure system security parameters to prevent misuse. Issues: 0
Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. Issues: 0
Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. Issues: 0
Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes: hosting providers must protect each entity's hosted environment and data. Issues: 0
Requirement 4 - Encrypt transmission of cardholder data across open, public networks. Issues: 0
Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted. • The protocol in use only supports secure versions or configurations. • The encryption strength is appropriate for the encryption methodology in use. Issues: 0
Requirement 6 - Develop and maintain secure systems and applications. Issues: 0
Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Issues: 0
Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. Issues: 0
Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging). • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development lifecycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. Issues: 0
Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. Issues: 0
Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. Issues: 0
Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. Issues: 0
Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. Issues: 0
Requirement 6.5.2 - Buffer overflow. Issues: 0
Requirement 6.5.3 - Insecure cryptographic storage. Issues: 0
Requirement 6.5.4 - Insecure communications. Issues: 0
Requirement 6.5.5 - Improper error handling. Issues: 0
Requirement 6.5.7 - Cross-site scripting (XSS). Issues: 0
Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). Issues: 0
Requirement 6.5.9 - Cross-site request forgery (CSRF). Issues: 0
Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement (that date has passed; under PCI DSS 3.2.1, the version this report is scored against, it is a requirement). Issues: 0
Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. Issues: 0
Requirement 7 - Restrict access to data by business need-to-know. Issues: 0
Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. Issues: 0
Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. Issues: 0
Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase. • Something you have, such as a token device or smart card. • Something you are, such as a biometric. Issues: 0
Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. Issues: 0
Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). Issues: 0
Section Violation By Issue
0 unique issues detected across 0/32 sections of the regulation:
URL | Entity | Issue Type | Sections
(No rows: the scan reported no issues, so this table is empty.)

Detailed Security Issues by Sections
Every requirement lists 0 detailed issues. Requirement texts are as given in the summary table above.
Requirement 2: 0
Requirement 2.1: 0
Requirement 2.2.2: 0
Requirement 2.2.4: 0
Requirement 2.2.5: 0
Requirement 2.3: 0
Requirement 2.6: 0
Requirement 4: 0
Requirement 4.1: 0
Requirement 6: 0
Requirement 6.1: 0
Requirement 6.2: 0
Requirement 6.3: 0
Requirement 6.3.1: 0
Requirement 6.4.4: 0
Requirement 6.5: 0
Requirement 6.5.1: 0
Requirement 6.5.2: 0
Requirement 6.5.3: 0
Requirement 6.5.4: 0
Requirement 6.5.5: 0
Requirement 6.5.7: 0
Requirement 6.5.8: 0
Requirement 6.5.9: 0
Requirement 6.5.10: 0
Requirement 6.6: 0
Requirement 7: 0
Requirement 7.1: 0
Requirement 7.1.2: 0
Requirement 8.2: 0
Requirement 8.2.1: 0
Requirement 8.7: 0
BeyondTrust Remote Support Appliance 6.0 FISMA Compatibility Report
This report includes important compliance information about the BeyondTrust Remote Support Appliance.
[US] Federal Information Security Mgmt. Act (FISMA) Compliance Report. This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 6/30/2020 5:01:28 PM.
Regulations
Federal Information Security Management Act (FISMA)
Summary
The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The Office of Management and Budget (OMB) requires federal agencies to prepare Plans of Action and Milestones (POA&Ms) reports for all programs and systems where they have found an IT security weakness. CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems they operate and control. Program officials must regularly update the agency CIO on their progress so the CIO can monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB.
Agencies must submit a report to the OMB that summarizes the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
FISMA requires that federal agency officials understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
FISMA Implementation
Phase I: Standards and Guidelines Development
The first phase of the FISMA Implementation Project focuses on the development and updating of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create and maintain robust information security programs and effectively manage risk to agency operations, agency assets, and individuals.
7/2/2020 6.0 - 40092:A33698 1
Phase II: Implementation and Assessment Aids
The second phase of the FISMA Implementation Project is focused on providing information system implementation and assessment reference materials for building common understanding in applying the NIST suite of publications supporting the Risk Management Framework (RMF).
NIST Implementation Documents
NIST develops and issues standards, guidelines and other publications to assist federal agencies in implementing FISMA, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.
Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use. FIPS 200 mandates the use of Special Publication 800-53, as amended.
AppScan and FISMA
AppScan's FISMA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the minimum security controls recommendations as set in the security catalog of NIST Special Publication 800-53. This report was constructed according to the HIGH-IMPACT Information Systems baseline. Organizations that use a low or moderate control baseline may have to adjust the results accordingly.
Covered Entities
All Federal agencies and organizations which possess or use Federal information, or which operate, use, or have access to Federal information systems, on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners.
Effective Date
December 2002
Compliance Required by
Federal agencies must submit their annual IT review reports to the OMB by October of each year.
Regulators/Auditors
The Office of Management and Budget (OMB).
For more information on securing web applications, please visit: http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/23 sections of the regulation:
Sections / Number of Issues (each row ends with the count of issues detected)
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Issues: 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including: (i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President. Issues: 0
NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Issues: 0
NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. Issues: 0
NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. Issues: 0
NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. Issues: 0
NIST SP 800-53, AC-17 - The organization: establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and authorizes remote access to the information system prior to allowing such connections. Issues: 0
NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Issues: 0
NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. Issues: 0
NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). Issues: 0
NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. Issues: 0
NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. Issues: 0
NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. Issues: 0
NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. Issues: 0
NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. Issues: 0
NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. Issues: 0
NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Issues: 0
NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Issues: 0
NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. Issues: 0
NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code. Issues: 0
NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. Issues: 0
NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. Issues: 0
NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. Issues: 0
Section Violation By Issue0Uniqueissuesdetectedacross0/23sectionsoftheregulation:
URL Entity Issue Type Sections
7/2/2020 6.0 - 40092:A33698 4
Detailed Security Issues by Sections
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; 0
NIST SP 800_53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. 0
NIST SP 800_53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. 0
NIST SP 800_53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. 0
NIST SP 800_53, AC-11 - The Organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. 0
NIST SP 800_53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. 0
NIST SP 800_53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. 0
NIST SP 800_53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. 0
NIST SP 800_53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). 0
NIST SP 800_53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. 0
NIST SP 800_53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. 0
NIST SP 800_53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. 0
NIST SP 800_53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. 0
NIST SP 800_53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. 0
NIST SP 800_53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. 0
NIST SP 800_53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. 0
NIST SP 800_53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. 0
NIST SP 800_53, SC-23 - The information system protects the authenticity of communications sessions. 0
NIST SP 800_53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; 0
NIST SP 800_53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; 0
NIST SP 800_53, SI-10 - The information system checks the validity of information inputs. 0
NIST SP 800_53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; 0
BeyondTrust Remote Support Appliance 6.0 GDPR Compatibility Report
This report includes important compliance information about the BeyondTrust Remote Support Appliance
[EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 6/30/2020 5:01:28 PM
Regulations
Regulation 2016/679 Of The European Parliament And Of The Council - General Data Protection Regulation (GDPR)
Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr
Learn more about GDPR on the European Union's Data Protection website here: https://ec.europa.eu/info/law/law-topic/data-protection_en
Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does not necessarily indicate actual legal issues in the context of GDPR, but rather points out areas of interest. A legally binding assessment of applicability of any areas of interest shown in this report can and should only be made by a legal professional.
GDPR Articles
Issues detected across 0/4 sections of the regulation:
Sections    Number of Issues
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 0
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. 0
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. 0
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed 0
Section Violation By Issue
0 unique issues detected across 0/4 sections of the regulation:
URL Entity Issue Type Sections
Detailed Security Issues by Sections
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 0
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. 0
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. 0
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed 0
BeyondTrust Remote Support Appliance 6.0 HIPAA Compatibility Report
This report includes important compliance information about the BeyondTrust Remote Support Appliance
[US] Healthcare Services (HIPAA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 6/30/2020 5:01:28 PM
Regulations
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Security and Privacy Regulations
Summary
HIPAA provides federal protections for personal health information held by covered entities and gives patients a set of rights with respect to that information. However, HIPAA does permit the disclosure of personal health information needed for patient care and other important and necessary purposes.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the health care system.
The United States Department of Health and Human Services (HHS) has issued regulations implementing those provisions of HIPAA regulating the privacy and security of individuals' medical records.
Covered Information
The Rules limit the use and disclosure of personal health information by Covered Entities. Protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, and which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care. Information is "individually identifiable" if it actually identifies an individual or contains information that could reasonably be used to identify an individual.
HIPAA requires measures to be taken to secure this information while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.
The Privacy Rule requires that covered entities, among other things (i) obtain prior written authorization to use or disclose certain personal health information for any purpose other than payment, health care treatment or health care operations, (ii) give patients access to certain personal health information upon request, (iii) institute procedural safeguards to protect personal health information, and (iv) limit the use and disclosure of such information to the minimum necessary to achieve the intended purpose for such information.
The Security Rule requires that covered entities, among other things, implement administrative, technical, and physical safeguards to (i) ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule; and (iv) ensure compliance with the Security Rule by the covered entity's workforce.
In recognition of the security threats to Electronic Protected Health Information (EPHI), HHS has published HIPAA Privacy and Security Rules' guidance documents to implement a privacy and security framework for electronic exchange of individually identifiable health information. These guidance documents discuss how the privacy and security rules can facilitate the safe and adequate exchange of electronic health information and how to deal with the challenges that the use and exchange of electronic health information poses.
Covered Entities
The Rules apply to four types of entities: health care providers, health plans, health care clearinghouses and prescription drug card sponsors (collectively "Covered Entities"). This generally means those providing health care, those paying for (insuring) health care and data processors that assist in the preceding.
Compliance Penalties
A fine may be imposed on any person or covered entity that violates any HIPAA requirement. The civil monetary penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard per calendar year.
The fine may be reduced or waived entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it.
Federal criminal penalties can also be placed upon health plans, providers and health care clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain.
Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Effective date
April 14, 2001
Security Rule – April 21, 2003
Privacy Rule – April 14, 2003
Compliance Required by
Privacy provisions - April 14, 2003
Security provisions - April 20, 2005
Administrative provisions – July 1, 2005
Regulators/Administrators
United States Department of Health and Human Services
Office for Civil Rights
AppScan's HIPAA Compliance Report
AppScan's HIPAA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the HIPAA Security Rule requirements and related required activities as described in the NIST resource guide for HIPAA security rule implementation.
Note
Addressable Issue - as appears in this report means a covered entity must -
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity -
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate -
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Possible Issue - as appears in this report means the detected results may imply that a required implementation specification is not met.
For more information on securing web applications, please visit http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/12 sections of the regulation:
Sections    Number of Issues
S. Rule - Part 164, Subpart C, 164.308(a)(3)(i) - Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. 0
S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part, the Privacy Rule. 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. 0
S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords 0
S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). 0
S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. 0
NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. 0
S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction 0
S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed 0
S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. 0
S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate 0
Section Violation By Issue
0 unique issues detected across 0/12 sections of the regulation:
URL Entity Issue Type Sections
Detailed Security Issues by Sections
S. Rule - Part 164, Subpart C, 164.308(a)(3)(i) - Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. 0
S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part, the Privacy Rule. 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. 0
S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords 0
S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). 0
S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. 0
NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. 0
S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction 0
S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed 0
S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. 0
S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate 0
BeyondTrust Remote Support Appliance 6.0 PCI Compatibility Report
This report includes important compliance information about the BeyondTrust Remote Support Appliance
The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 6/30/2020 5:01:28 PM
Regulations
The Payment Card Industry Data Security Standard (PCI) Version 3.2.1
Summary
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
"System components" include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
Any other component or device located within or connected to the CDE.
Covered Entities
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
Compliance Penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.
Compliance Required By
PCI DSS version 3.2.1 has replaced PCI DSS version 3.2 and is effective as of May 2018. The PCI DSS version 3.2 may not be used for PCI DSS compliance after December 31, 2018.
Regulators
The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
For more information on the PCI Data Security Standard, please visit:
https://www.pcisecuritystandards.org./index.htm
For more information on securing web applications, please visit http://www-01.ibm.com/software/rational/offerings/websecurity/
Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT that can be found at:
https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/32 sections of the regulation:
Sections    Number of Issues
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. 0
Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.) 0
Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 0
Requirement 2.2.4 - Configure system security parameters to prevent misuse. 0
Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. 0
Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. 0
Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity's hosted environment and data. 0
Requirement 4 - Encrypt transmission of cardholder data across open, public networks. 0
Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. 0
Requirement 6 - Develop and maintain secure systems and applications. 0
Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities. 0
Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1 0
Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development lifecycle Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. 0
Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. 0
Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. 0
Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. 0
Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. 0
Requirement 6.5.2 - Buffer overflow 0
Requirement 6.5.3 - Insecure cryptographic storage 0
Requirement 6.5.4 - Insecure communications 0
Requirement 6.5.5 - Improper error handling 0
Requirement 6.5.7 - Cross site scripting (XSS) 0
Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). 0
Requirement 6.5.9 - Cross site request forgery (CSRF) 0
Requirement 6.5.10 - Broken authentication and session management Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement 0
Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 0
Requirement 7 - Restrict access to data by business need-to-know 0
Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. 0
Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. 0
Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. 0
Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 0
Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 0
Section Violation By Issue
0 Unique issues detected across 0/32 sections of the regulation:
URL Entity Issue Type Sections
Detailed Security Issues by Sections
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. 0
Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.) 0
Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 0
Requirement 2.2.4 - Configure system security parameters to prevent misuse. 0
Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. 0
Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. 0
Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity’s hosted environment and data. 0
Requirement 4 - Encrypt transmission of cardholder data across open, public networks. 0
Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. 0
Requirement 6 - Develop and maintain secure systems and applications. 0
Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 0
Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1 0
Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development lifecycle Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. 0
Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. 0
Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. 0
Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. 0
Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. 0
Requirement 6.5.2 - Buffer overflow 0
Requirement 6.5.3 - Insecure cryptographic storage 0
Requirement 6.5.4 - Insecure communications 0
Requirement 6.5.5 - Improper error handling 0
Requirement 6.5.7 - Cross site scripting (XSS) 0
Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). 0
Requirement 6.5.9 - Cross site request forgery (CSRF) 0
Requirement 6.5.10 - Broken authentication and session management Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement 0
Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. 0
Requirement 7 - Restrict access to data by business need-to-know 0
Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. 0
Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. 0
Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. 0
Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. 0
Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 0