IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklists for MS IIS 7, MS SQL 2008, MS SQL 2012, and Windows Embedded POSReady 2009 published 2016-07-13

Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated Security Configuration Management (SCM) PCI DSS Checklists for MS IIS 7, MS SQL 2008, MS SQL 2012, and Windows Embedded POSReady 2009 to comply with PCI DSS v3.2

Category:
Updated SCM checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:
The IBM BigFix Compliance PCI Add-on team has updated the content for the Payment Card Industry Data Security Standard (PCI DSS) checklists for MS IIS 7, MS SQL 2008, MS SQL 2012, and Windows Embedded POSReady 2009 to comply with PCI DSS v3.2, and has included other enhancements. Details are as follows.

For MS IIS 7:

  • PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the identified checklists.
  • Existing checks are updated to contain PCI DSS v3.2 as the security standard source in the description.
  • The check named “Use only Strong Encryption Protocols - IIS7” (pcidss-4.1.e.7) is updated to disable SSL 3.0, TLS 1.0, and TLS 1.1, and to enable TLS 1.2 as a mandatory requirement.
  • The checks named “Set Deployment Method to Retail - IIS7” (pcidss-6.3.b.1) and “Ensure ‘passwordFormat’ Credentials Element not set to Clear - IIS7” (pcidss-8.2.1.a.7) are updated to correct the manual remediation steps in the description.
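The protocol posture that the updated “Use only Strong Encryption Protocols - IIS7” check enforces can be verified independently on an IIS host. The script below is an added example, not part of the checklist or IBM's check content; it assumes the conventional SCHANNEL registry location that Windows uses for server-side protocol settings, and reports each protocol as enabled, disabled, or unknown (key absent, so the OS default applies) against the v3.2 target of SSL 3.0, TLS 1.0 and TLS 1.1 disabled and TLS 1.2 enabled.

```powershell
# Added example (not from the IBM checklist): audit server-side SCHANNEL
# protocol settings against the TLS posture described for pcidss-4.1.e.7.
# Assumption: the relevant settings live under the standard SCHANNEL
# registry path; an absent key is reported as "unknown" rather than guessed.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol: $true = must be enabled, $false = must be disabled
$Desired = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)

    $path = Join-Path $SchannelBase "$Protocol\Server"
    if (-not (Test-Path $path)) {
        # No explicit configuration: the OS default is in effect, which this
        # audit does not assume, so the caller sees $null values.
        return [pscustomobject]@{
            Protocol          = $Protocol
            Enabled           = $null
            DisabledByDefault = $null
            Source            = 'not configured (OS default applies)'
        }
    }

    $p = Get-ItemProperty -Path $path
    $enabled = if ($null -ne $p.Enabled) { $p.Enabled -ne 0 } else { $null }
    $dbd     = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault -ne 0 } else { $null }

    [pscustomobject]@{
        Protocol          = $Protocol
        Enabled           = $enabled
        DisabledByDefault = $dbd
        Source            = 'registry'
    }
}

function Test-SchannelCompliance {
    foreach ($proto in $Desired.Keys) {
        $state = Get-SchannelProtocolState -Protocol $proto
        $want  = $Desired[$proto]

        # A protocol counts as disabled only when Enabled is explicitly 0.
        # An absent key is flagged as unknown so it gets reviewed, not ignored.
        $actual = if ($null -eq $state.Enabled) { 'unknown' }
                  elseif ($state.Enabled)       { 'enabled' }
                  else                          { 'disabled' }
        $expected = if ($want) { 'enabled' } else { 'disabled' }

        [pscustomobject]@{
            Protocol  = $proto
            Expected  = $expected
            Actual    = $actual
            Compliant = ($actual -eq $expected)
            Note      = $state.Source
        }
    }
}

# Usage: run in an elevated PowerShell session on the IIS host.
Test-SchannelCompliance | Format-Table -AutoSize
```

Any row showing `unknown` means the host relies on the OS default for that protocol; the checklist's remediation sets the value explicitly, which is the state this audit expects to see after the fix is applied.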

For MS SQL 2008 and MS SQL 2012:

  • PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the identified checklists.
  • Existing checks are updated to contain PCI DSS v3.2 as the security standard source in the description.
  • The measured values for “Verify that ‘Account Lockout Duration’ is set to ‘30 minutes or more’” (pcidss-8.1.7), which can be viewed in the BigFix console, analyses, and SCA reports, are formatted for enhanced readability. The results now clearly present the desired system configuration setting, as specified by the check, against the actual setting on the endpoint.
  • Some titles and descriptions are updated with the standardized format and extensions.
  • Several checks are updated to improve the presentation of system exceptions and parameter handling.

For Windows Embedded POSReady 2009:

  • PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the identified checklists.
  • Existing checks are updated to contain PCI DSS v3.2 as the security standard source in the description.
  • Some titles and descriptions are updated with the standardized format and extensions.

Published Sites:
PCI DSS Checklist for MS IIS, version 6
PCI DSS Checklist for MS SQL 2008, version 7
PCI DSS Checklist for MS SQL 2012, version 8
PCI DSS Checklist for Windows Embedded POSReady 2009, version 4
*The site version is provided for air-gapped customers.

Actions to Take:

  • If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.
  • If you have not subscribed to the sites above, you can use the License Overview dashboard to enable and gather the sites. Note that you must be entitled to the new content and must be running IBM BigFix version 9.0 or later.
  • If you were involved in the Early Access Program for IBM BigFix Compliance PCI Add-on, unsubscribe from the beta sites to avoid any conflicting issues with the production sites. If you do not unsubscribe from the beta sites, the content in the production sites will fail.

More Information:
To view the announcement on the PCI DSS v3.2 support for Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7, click here: https://ibm.biz/BdrFiu.

Please note that PCI DSS v3.2 support for the existing PCI checklists for other supported platforms will be available soon. Stay tuned for future announcements.

For more information about the IBM BigFix Compliance SCM checklists, see:

We hope you find this latest release of SCM content useful and effective. Thank you!

– The IBM BigFix Compliance PCI Add-on team