I was surrounded by numbers, more numbers than I could ever remember or justify. Every time I tried to add them up they would find a new combination – one I hadn’t seen before – and mock me with a sum that was just a few dollars above or below where it was supposed to be. I spent nearly three days doing calculations before I finally swallowed my pride and put in a "calculation error" entry to finish the process.
Reconciling my family’s checkbook had defeated me…this time.
Over the years I got better at doing the reconciliations, and eventually Microsoft Money made everything easier by automating the process, downloading transactions from my bank and helping me categorize and track all expenses. Today I can happily say that balancing my account takes just a few minutes each month.
In many ways the PCI DSS section 1.1.5 requirement is a lot like reconciling a bank statement. It states the following:
Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Simply keeping track of the assets in a cardholder data environment (CDE) can be a challenge, and this requirement adds on the responsibility for administrators to keep track of all ports and protocols that are in use in the CDE. Additionally, the business justification for each port and protocol must be included; for most enterprises this requires involving multiple people and keeping notes about what the justification is and who provided it.
I’m pleased to announce that QualysGuard PCI version 5.3 now provides the Open Services Report. In the same way that Microsoft Money helped me keep track of my spending, the Open Services Report can help you comply with PCI 1.1.5 by automating the workflow for discovering, authorizing, and reporting the ports and protocols in your CDE.
Once you have performed a scan of your CDE you can access the Open Services Report via Network -> Open Services Report.
You’ll immediately see a few key capabilities:
- The Summary section shows you how many services have been identified during the most recent scans and tracks how many have been categorized. As you perform the workflow to approve/reject services these numbers will be updated.
- A dynamic listing of all open ports and protocols detected in your CDE is shown in the grid. You can change the grouping to be by host IP or by service, and can filter the list to show only the items you are interested in (such as descriptions containing "NetBIOS" or services marked as "Unauthorized").
- All services and their status can be downloaded as a CSV file for distribution outside of the PCI application.
The Open Services Report includes the ability to classify services as authorized or unauthorized. To do so, simply select all the services you wish to mark and click on "Classify". You’ll be prompted to enter a business justification for that decision:
A complete history of all activity – who classified a service, when, and the reasons why – will be maintained and viewable in the report. You can then proceed to use the report to demonstrate your compliance with the PCI 1.1.5 requirement.
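To make the reconciliation analogy concrete, here is an added example (written for this post, not QualysGuard code) of the bookkeeping a PCI 1.1.5 workflow has to do: ingest open-service findings from a scan, keep a running summary of how many are authorized, unauthorized or still unclassified, let you filter the list, record who classified each service, when, and why, refuse to authorize an insecure protocol unless its security features are documented, and export everything as CSV. The hosts, ports, user names and the set of "insecure" services are constructed sample values, not data from any real environment.

```python
# Added example: a minimal open-services ledger modelled on the PCI DSS 1.1.5
# workflow described above. Not Qualys code; all sample data is constructed.
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption for the example: services an assessor would treat as insecure
# (cleartext credentials or data) and therefore require documented controls.
INSECURE_SERVICES = {"telnet", "ftp", "netbios-ssn"}

# Constructed scan findings, standing in for the output of a CDE scan.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "port": 443, "protocol": "tcp", "service": "https"},
    {"host": "10.0.0.5", "port": 22,  "protocol": "tcp", "service": "ssh"},
    {"host": "10.0.0.7", "port": 21,  "protocol": "tcp", "service": "ftp"},
    {"host": "10.0.0.7", "port": 139, "protocol": "tcp", "service": "netbios-ssn"},
    {"host": "10.0.0.9", "port": 23,  "protocol": "tcp", "service": "telnet"},
]


@dataclass
class ServiceRecord:
    host: str
    port: int
    protocol: str                    # "tcp" or "udp"
    service: str                     # service name as detected by the scan
    status: str = "Unclassified"     # Authorized | Unauthorized | Unclassified
    history: list = field(default_factory=list)   # audit trail of decisions

    @property
    def key(self):
        return (self.host, self.port, self.protocol)

    @property
    def insecure(self):
        return self.service.lower() in INSECURE_SERVICES


class OpenServicesLedger:
    def __init__(self):
        self._records = {}

    def ingest_scan(self, findings):
        """Merge findings from a scan; previously classified services keep their status."""
        for f in findings:
            rec = ServiceRecord(f["host"], f["port"], f["protocol"], f["service"])
            self._records.setdefault(rec.key, rec)

    def classify(self, keys, status, justification, who, security_features=None):
        """Mark services Authorized/Unauthorized with a justification and an audit entry."""
        if status not in ("Authorized", "Unauthorized"):
            raise ValueError("status must be Authorized or Unauthorized")
        if not justification.strip():
            raise ValueError("a business justification is required")
        # Validate everything first so a bad entry does not leave a partial update.
        for key in keys:
            rec = self._records[key]
            if status == "Authorized" and rec.insecure and not security_features:
                raise ValueError(f"{rec.service} on {rec.host}:{rec.port} is insecure; "
                                 "document the security features that protect it")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        for key in keys:
            rec = self._records[key]
            rec.status = status
            rec.history.append({"when": stamp, "who": who, "status": status,
                                "justification": justification,
                                "security_features": security_features or ""})

    def summary(self):
        counts = {"Authorized": 0, "Unauthorized": 0, "Unclassified": 0}
        for rec in self._records.values():
            counts[rec.status] += 1
        counts["total"] = len(self._records)
        return counts

    def filter(self, status=None, service_contains=None):
        out = [r for r in self._records.values()
               if (status is None or r.status == status)
               and (service_contains is None or service_contains.lower() in r.service.lower())]
        return sorted(out, key=lambda r: r.key)

    def to_csv(self):
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["host", "port", "protocol", "service", "status", "insecure",
                    "justification", "security_features", "classified_by", "classified_at"])
        for rec in sorted(self._records.values(), key=lambda r: r.key):
            last = rec.history[-1] if rec.history else {}
            w.writerow([rec.host, rec.port, rec.protocol, rec.service, rec.status,
                        "yes" if rec.insecure else "no", last.get("justification", ""),
                        last.get("security_features", ""), last.get("who", ""), last.get("when", "")])
        return buf.getvalue()


def build_demo():
    """Run the workflow over the constructed findings and return the ledger."""
    ledger = OpenServicesLedger()
    ledger.ingest_scan(SAMPLE_FINDINGS)
    ledger.classify([("10.0.0.5", 443, "tcp"), ("10.0.0.5", 22, "tcp")], "Authorized",
                    "Payment web front end and administrative access", "jdoe")
    ledger.classify([("10.0.0.7", 139, "tcp"), ("10.0.0.9", 23, "tcp")], "Unauthorized",
                    "No business need; remediation ticket opened", "jdoe")
    ledger.classify([("10.0.0.7", 21, "tcp")], "Authorized",
                    "Legacy batch settlement file transfer", "asmith",
                    security_features="FTPS with TLS enforced, restricted to the settlement host")
    return ledger


def rejects_undocumented_insecure():
    """True if authorizing an insecure service without documented controls is refused."""
    ledger = OpenServicesLedger()
    ledger.ingest_scan(SAMPLE_FINDINGS)
    try:
        ledger.classify([("10.0.0.9", 23, "tcp")], "Authorized", "Console access", "jdoe")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    demo = build_demo()
    print(demo.summary())
    print(demo.to_csv())
```

The point of keeping the history on each record rather than overwriting the status is the same as keeping the reconciled statements: an assessor asking "who approved this and why" gets an answer from the ledger itself, and re-running `ingest_scan` after the next scan only adds newly discovered services, so the Unclassified count is the work remaining.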
We hope you find these new capabilities helpful in tracking and justifying the business needs for services in your CDE, and look forward to hearing your feedback.