The Payment Card Industry Data Security Standard (PCI-DSS) has been widely adopted and is a high-priority compliance target for enterprise IT organizations. Large amounts of money and resources have been spent on compliance projects. However, the low return on that investment, particularly in the access-control and audit areas, has become a new pain point on the compliance journey.
Below is PCI-DSS Requirement 10.2:
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system-level objects
Because cardholder data and audit trails are distributed across many systems, it is challenging to make sure that every access has been recorded and can be reconstructed or replayed when needed later. Session Auditor is an ideal central record-and-replay base for meeting the above requirements.
US SEC-listed public companies must meet the compliance requirements of the Sarbanes-Oxley Act, which requires complete and integrated internal control systems.
Session Auditor helps ease this by recording and replaying the operations and network behavior related to secret and sensitive financial data. Those recordings are strong first-hand evidence to present to auditors.
In ISO 27001, control A15.1.3 requires protection of the organization's operational records, and control A15.2.1 requires IT managers to ensure that all security procedures are carried out correctly, in compliance with the requirements of the security policy and standards.
Session Auditor can be deployed at critical network segments to record network operations against databases and protected applications.