Remote Support 21.1 Vulnerability Scan Reports
©2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified in this document are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.
TC:1/12/2021
21.1.1 Remote Support FISMA Compliance Report
This report includes important security information about FISMA compliance of BeyondTrust Remote Support 21.1.1.
[US] Federal Information Security Mgmt. Act (FISMA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 12/29/2020 9:37:28 AM
Regulations
Federal Information Security Management Act (FISMA)
Summary
The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
The Office of Management and Budget (OMB) requires federal agencies to prepare Plans of Action and Milestones Process (POA&Ms) reports for all programs and systems where they have found an IT security weakness. CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems they operate and control. Program officials must regularly update the agency CIO on their progress so the CIO can monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB.
Agencies must submit a report to the OMB that summarizes the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda. The report must summarize the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.
FISMA requires that federal agency officials understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.
FISMA Implementation
Phase I: Standards and Guidelines Development
The first phase of the FISMA Implementation Project focuses on the development and updating of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create and maintain robust information security programs and effectively manage risk to agency operations, agency assets, and individuals.
Phase II: Implementation and Assessment Aids
The second phase of the FISMA Implementation Project is focused on providing information system implementation and assessment reference materials for building common understanding in applying the NIST suite of publications supporting the Risk Management Framework (RMF).
NIST Implementation Documents
NIST develops and issues standards, guidelines and other publications to assist federal agencies in implementing FISMA, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.
Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use. FIPS 200 mandates the use of Special Publication 800-53, as amended.
AppScan and FISMA
AppScan's FISMA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the minimum security controls recommendations as set in the security catalog of NIST Special Publication 800-53. This report was constructed according to the HIGH-IMPACT Information Systems baseline. Organizations that use a low or moderate control baseline may have to adjust the results accordingly.
Covered Entities
All Federal agencies and organizations which possess or use Federal information -- or which operate, use, or have access to Federal information systems -- on behalf of a Federal agency, including contractors, grantees, State and local governments, and industry partners.
Effective Date
December 2002
Compliance Required by
Federal agencies must submit their annual IT review reports to the OMB by October of each year.
Regulators/Auditors
The Office of Management and Budget (OMB).
For more information on securing web applications, please visit: http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section: Issues detected across 0/23 sections of the regulation:
Sections | Number of Issues
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0
NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0
NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0
NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0
NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0
NIST SP 800-53, AC-17 - The organization: establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and authorizes remote access to the information system prior to allowing such connections. | 0
NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0
NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0
NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0
NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0
NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0
NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0
NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0
NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0
NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0
NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0
NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0
NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. | 0
NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0
NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0
NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. | 0
NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0
Section Violation By Issue: 0 unique issues detected across 0/23 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
Sections | Number of Issues
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0
NIST SP 800-53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0
NIST SP 800-53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0
NIST SP 800-53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0
NIST SP 800-53, AC-11 - The organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0
NIST SP 800-53, AC-17 - The organization: establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and authorizes remote access to the information system prior to allowing such connections. | 0
NIST SP 800-53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0
NIST SP 800-53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0
NIST SP 800-53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0
NIST SP 800-53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0
NIST SP 800-53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0
NIST SP 800-53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0
NIST SP 800-53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0
NIST SP 800-53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0
NIST SP 800-53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0
NIST SP 800-53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0
NIST SP 800-53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0
NIST SP 800-53, SC-23 - The information system protects the authenticity of communications sessions. | 0
NIST SP 800-53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0
NIST SP 800-53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0
NIST SP 800-53, SI-10 - The information system checks the validity of information inputs. | 0
NIST SP 800-53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0
21.1.1 Remote Support GDPR Compliance Report
This report includes important security information about GDPR compliance of BeyondTrust Remote Support 21.1.1.
[EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 12/29/2020 9:37:28 AM
Regulations
Regulation 2016/679 Of The European Parliament And Of The Council - General Data Protection Regulation (GDPR)
Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings here: https://ibm.com/gdpr
Learn more about GDPR on the European Union's Data Protection website here: https://ec.europa.eu/info/law/law-topic/data-protection_en
Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does not necessarily indicate actual legal issues in the context of GDPR, but rather points out areas of interest. A legally binding assessment of applicability of any areas of interest shown in this report can and should only be made by a legal professional.
GDPR Articles: Issues detected across 0/4 sections of the regulation:
Sections | Number of Issues
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. | 0
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. | 0
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. | 0
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. | 0
Section Violation By Issue: 0 unique issues detected across 0/4 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
Sections | Number of Issues
Article 25(1) - Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. | 0
Article 32(1)(a) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data. | 0
Article 32(1)(b) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. | 0
Article 32(2) - In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. | 0
21.1.1 Remote Support HIPAA Compliance Report
This report includes important security information about HIPAA compliance of BeyondTrust Remote Support 21.1.1.
[US] Healthcare Services (HIPAA) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712. Scan started: 12/29/2020 9:37:28 AM
Regulations
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 - Security and Privacy Regulations
Summary
HIPAA provides federal protections for personal health information held by covered entities and gives patients a set of rights with respect to that information. However, HIPAA does permit the disclosure of personal health information needed for patient care and other important and necessary purposes.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the health care system.
The United States Department of Health and Human Services (HHS) has issued regulations implementing those provisions of HIPAA regulating the privacy and security of individuals' medical records.
Covered Information
The Rules limit the use and disclosure of personal health information by Covered Entities. Protected health information is individually identifiable health information that is transmitted or maintained in any form or medium, and which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care. Information is "individually identifiable" if it actually identifies an individual or contains information that could reasonably be used to identify an individual.
HIPAA requires measures to be taken to secure this information while in the custody of covered entities as well as in transit between covered entities and from covered entities to others.
The Privacy Rule requires that covered entities, among other things, (i) obtain prior written authorization to use or disclose certain personal health information for any purpose other than payment, health care treatment or health care operations, (ii) give patients access to certain personal health information upon request, (iii) institute procedural safeguards to protect personal health information, and (iv) limit the use and disclosure of such information to the minimum necessary to achieve the intended purpose for such information.
The Security Rule requires that covered entities, among other things, implement administrative, technical, and physical safeguards to (i) ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Security Rule; and (iv) ensure compliance with the Security Rule by the covered entity's workforce.
In recognition of the security threats to Electronic Protected Health Information (EPHI), HHS has published HIPAA Privacy and Security Rules' guidance documents to implement a privacy and security framework for electronic exchange of individually identifiable health information. These guidance documents discuss how the privacy and security rules can facilitate the safe and adequate exchange of electronic health information and how to deal with the challenges that the use and exchange of electronic health information poses.
Covered Entities
The Rules apply to four types of entities: health care providers, health plans, health care clearinghouses and prescription drug card sponsors (collectively "Covered Entities"). This generally means those providing health care, those paying for (insuring) health care and data processors that assist in the preceding.
Compliance Penalties
A fine may be imposed on any person or covered entity that violates any HIPAA requirement. The civil monetary penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard per calendar year.
The fine may be reduced or waived entirely if the violation was not due to willful neglect of the requirements, and if the entity corrects it within 30 days of becoming aware of it.
Federal criminal penalties can also be placed upon health plans, providers and health care clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain.
Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to ten years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Effective date
April 14, 2001
Security Rule – April 21, 2003
Privacy Rule – April 14, 2003
Compliance Required by
Privacy provisions - April 14, 2003
Security provisions - April 20, 2005
Administrative provisions – July 1, 2005
Regulators/Administrators
United States Department of Health and Human Services
Office for Civil Rights
AppScan's HIPAA Compliance Report
AppScan's HIPAA compliance report will automatically detect possible issues in your Web environment that may be relevant to your overall compliance with the HIPAA Security Rule requirements and related required activities as described in the NIST resource guide for HIPAA security rule implementation.
Note
Addressable Issue - as appears in this report means a covered entity must -
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity -
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate -
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Possible Issue - as appears in this report means the detected results may imply that a required implementation specification is not met.
For more information on securing web applications, please visit http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section: Issues detected across 0/12 sections of the regulation:
Sections | Number of Issues
S. Rule - Part 164, Subpart C, 164.308(a)(3)(i) - Addressable Issue - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information. | 0
S. Rule - Part 164, Subpart C, 164.308(a)(3)(ii)(A) - Addressable Issue - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(i) - Possible Issue - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part (the Privacy Rule). | 0
S. Rule - Part 164, Subpart C, 164.308(a)(4)(ii)(B) - Possible Issue - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | 0
S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords. | 0
S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). | 0
S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. | 0
NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | 0
S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction. | 0
S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed. | 0
S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | 0
S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate. | 0
Section Violation By Issue: 0 unique issues detected across 0/12 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation. 0
S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed. 0
S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule. 0
S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism. 0
S. Rule - Part 164, Subpart C, 164.308(a)(5)(ii)(D) - Addressable Issue - Implement procedures for creating, changing, and safeguarding passwords | 0
S. Rule - Part 164, Subpart C, 164.312(a)(1) - Possible Issue - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in section 164.308(a)(4). | 0
S. Rule - Part 164, Subpart C, 164.312(a)(2)(iv) - Addressable Issue - Implement a mechanism to encrypt and decrypt electronic protected health information. | 0
NIST Resource Guide - Section 4.14, Activity 8 - Addressable Issue - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | 0
S. Rule - Part 164, Subpart C, 164.312(c)(1) - Possible Issue - Implement policies and procedures to protect private health information from improper alteration or destruction | 0
S. Rule - Part 164, Subpart C, 164.312(d) - Possible Issue - Implement procedures to verify that a person or entity seeking access to private health information is the one claimed | 0
S. Rule - Part 164, Subpart C, 164.312(e)(1) - Possible Issue - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | 0
S. Rule - Part 164, Subpart C, 164.312(e)(2)(ii) - Addressable Issue - Implement a mechanism to encrypt electronic private health information whenever deemed appropriate | 0
21.1.1 Remote Support OWASP Top 10 Report
This report includes important security information about test coverage of the OWASP Top 10 weaknesses by BeyondTrust Remote Support 21.1.1
OWASP Top 10 2017 Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 12/29/2020 9:37:28 AM
Regulations
OWASP Top Ten 2017 – The Ten Most Critical Web Application Security Risks
Summary
Description
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. Development projects should address these potential risks in their requirements documents and design, build and test their applications to ensure that they have taken the necessary measures to reduce these risks to the minimum. Project managers should include time and budget for application security activities, including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review, as part of the overall effort to address the risks.
The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security risks. The Top 10 provides basic guidance on how to protect against these risks and where to go to learn more on how to address them.
Although set out as an education piece, rather than a standard or a regulation, it is important to note that several prominent industry and government regulators are referencing the OWASP top ten. These bodies include, among others, VISA USA, MasterCard International and the American Federal Trade Commission (FTC).
However, according to the OWASP team, the OWASP top ten is first and foremost an education piece, not a standard. The OWASP team suggests that any organization about to adopt the Top Ten paper as a policy or standard consult with the OWASP team first.
What Changed From 2013 to 2017?
The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, the OWASP organization periodically updates the OWASP Top 10. In this 2017 release, the following changes were made:
Merged 2013-A4: "Insecure Direct Object References" and 2013-A7: "Missing Function Level Access Control" into 2017-A5: "Broken Access Control".
Dropped 2013-A8: "Cross-Site Request Forgery (CSRF)"; as many frameworks include CSRF defenses, it was found in only 5% of applications.
Dropped 2013-A10: "Unvalidated Redirects and Forwards"; while found in approximately 8% of applications, it was edged out overall by XXE.
Added 2017-A4: "XML External Entities (XXE)".
Added 2017-A8: "Insecure Deserialization".
Added 2017-A10: "Insufficient Logging and Monitoring".
Covered Entities
All companies and other entities that develop any kind of web application code are encouraged to address the top ten list as part of their overall security risk management. Adopting the OWASP Top Ten is an effective first step towards changing the software development culture within the organization into one that produces secure code.
For more information on OWASP Top Ten, please review the OWASP Top Ten 2017 – The Ten Most Critical Web Application Security Risks, at http://www.owasp.org
For more information on securing web applications, please visit http://www-03.ibm.com/software/products/en/category/application-security
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/10 sections of the regulation:
Sections | Number of Issues
A1 - Injection | 0
A2 - Broken authentication | 0
A3 - Sensitive Data Exposure | 0
A4 - XML External Entities (XXE) | 0
A5 - Broken Access Control | 0
A6 - Security Misconfiguration | 0
A7 - Cross site scripting (XSS) | 0
A8 - Insecure Deserialization | 0
A9 - Using Components with Known Vulnerabilities | 0
A10 - Insufficient Logging and Monitoring | 0
Section Violation By Issue
0 Unique issues detected across 0/10 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
A1 - Injection | 0
A2 - Broken authentication | 0
A3 - Sensitive Data Exposure | 0
A4 - XML External Entities (XXE) | 0
A5 - Broken Access Control | 0
A6 - Security Misconfiguration | 0
A7 - Cross site scripting (XSS) | 0
A8 - Insecure Deserialization | 0
A9 - Using Components with Known Vulnerabilities | 0
A10 - Insufficient Logging and Monitoring | 0
21.1.1 Remote Support PCI Compliance Report
This report includes important security information about PCI compliance of BeyondTrust Remote Support 21.1.1
The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report
This report was created by IBM Security AppScan Standard 9.0.3.13 iFix001, Rules: 19712
Scan started: 12/29/2020 9:37:28 AM
Regulations
The Payment Card Industry Data Security Standard (PCI) Version 3.2.1
Summary
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
“System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following: Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
Applications including all purchased and custom applications, including internal and external (for example, Internet) applications. Any other component or device located within or connected to the CDE.
Covered Entities
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
Compliance Penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.
Compliance Required By
PCI DSS version 3.2.1 has replaced PCI DSS version 3.2 and is effective as of May 2018. PCI DSS version 3.2 may not be used for PCI DSS compliance after December 31, 2018.
Regulators
The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
For more information on the PCI Data Security Standard, please visit:
https://www.pcisecuritystandards.org./index.htm
For more information on securing web applications, please visit http://www-01.ibm.com/software/rational/offerings/websecurity/
Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT that can be found at:
https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm
The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
Violated Section
Issues detected across 0/32 sections of the regulation:
Sections | Number of Issues
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. | 0
Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.) | 0
Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. | 0
Requirement 2.2.4 - Configure system security parameters to prevent misuse. | 0
Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. | 0
Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. | 0
Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity’s hosted environment and data. | 0
Requirement 4 - Encrypt transmission of cardholder data across open, public networks. | 0
Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. | 0
Requirement 6 - Develop and maintain secure systems and applications. | 0
Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. | 0
Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1 | 0
Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. | 0
Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. | 0
Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. | 0
Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. | 0
Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | 0
Requirement 6.5.2 - Buffer overflow | 0
Requirement 6.5.3 - Insecure cryptographic storage | 0
Requirement 6.5.4 - Insecure communications | 0
Requirement 6.5.5 - Improper error handling | 0
Requirement 6.5.7 - Cross site scripting (XSS) | 0
Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). | 0
Requirement 6.5.9 - Cross site request forgery (CSRF) | 0
Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement | 0
Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. | 0
Requirement 7 - Restrict access to data by business need-to-know | 0
Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. | 0
Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 0
Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. | 0
Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. | 0
Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). | 0
Section Violation By Issue
0 Unique issues detected across 0/32 sections of the regulation:
URL | Entity | Issue Type | Sections
Detailed Security Issues by Sections
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters. | 0
Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.) | 0
Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system. | 0
Requirement 2.2.4 - Configure system security parameters to prevent misuse. | 0
Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems. | 0
Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. | 0
Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes – Hosting providers must protect each entity’s hosted environment and data. | 0
Requirement 4 - Encrypt transmission of cardholder data across open, public networks. | 0
Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption strength is appropriate for the encryption methodology in use. | 0
Requirement 6 - Develop and maintain secure systems and applications. | 0
Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. | 0
Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1 | 0
Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. | 0
Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. | 0
Requirement 6.4.4 - Removal of test data and accounts from system components before the system becomes active/goes into production. | 0
Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows: • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. • Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. | 0
Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. | 0
Requirement 6.5.2 - Buffer overflow | 0
Requirement 6.5.3 - Insecure cryptographic storage | 0
Requirement 6.5.4 - Insecure communications | 0
Requirement 6.5.5 - Improper error handling | 0
Requirement 6.5.7 - Cross site scripting (XSS) | 0
Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). | 0
Requirement 6.5.9 - Cross site request forgery (CSRF) | 0
Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement | 0
Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2. • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. | 0
Requirement 7 - Restrict access to data by business need-to-know | 0
Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access. | 0
Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | 0
Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. | 0
Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. | 0
Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). | 0