CCS Standard Manager on PCI DSS setup

Created: 06 Feb 2014 | 2 comments

Hi all,

I am new to the CCS Standard Manager and need your help with it. I installed CCS with all the default settings and ran a scan of my asset with the predefined standard "CIS Security... 2008 R2v 1.1.0". When I tried to look up the data from my dashboard, I found there is data under the "PCI Mandate" panels. Can anyone explain to me what the mechanism behind this is? Are there some checks in the predefined CIS standard related to PCI? When I check "Coverage of Control Statements in PCI Mandate", it shows "100% Unmapped Count", so I am confused. It would be great if anyone can point me in the right direction, as I need to find out how the checks in the predefined CIS standard are related to the PCI DSS. Appreciate your help! Thanks!

cmccoy2

The dashboard panels in the PCI Mandate views are related to the standards and other content available via the Controls Studio. The pre-defined standards have the control statements mapped to individual checks where they apply. The mandate in the Controls Studio is mapped to the control statements as well. The control statements are the common thread that allows all of this to be tied together.

For example, the PCI DSS section 8.5.12 states: "Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used". So this section of the PCI Mandate is mapped to the control statement "Password Reuse Restriction". In the CIS Security Benchmarks.... for 2008 servers, the check called "Is 'Enforce password history' set to 24 passwords remembered?" is also mapped to the control statement "Password Reuse Restriction". When you run an evaluation for a machine against this standard, you will get a pass/fail for this check and all of the other checks in the standard. Since the PCI Mandate and the CIS Standard have the same control statement mapped, this allows our dashboard panels to show the common thread between the two. In this case, you can see how the PCI Mandate applies to the checks in the CIS Standard without having to create a separate standard just for PCI.

The Controls Studio also allows for mapping control statements to Assessment Manager questionnaires, Policy Manager and External Data Evidence. Ideally, if all data is mapped properly, you should be able to get a consolidated view of all of the CCS data based on the mandate or framework that you are concerned with.
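
The join described in the answer above, as an added example that is not part of the original post and is not CCS code or its data schema: mandate sections and checks each map to control statements, and check results roll up to a mandate section through the shared statement. The function name, the status labels, the asset names and the two "constructed" sections are assumptions made for illustration; only section 8.5.12, the check name and "Password Reuse Restriction" come from the thread.

```python
from collections import defaultdict

CHECK = "Is 'Enforce password history' set to 24 passwords remembered?"

# Constructed sample data modelled on the answer; not exported from CCS.
MANDATE_TO_CONTROLS = {
    "PCI DSS 8.5.12": ["Password Reuse Restriction"],
    "Constructed section A": ["Constructed control with no check"],
    "Constructed section B": [],  # no control statement mapped
}
CHECK_TO_CONTROLS = {CHECK: ["Password Reuse Restriction"]}
RESULTS = [("srv01", CHECK, "pass"), ("srv02", CHECK, "fail")]  # (asset, check, outcome)


def mandate_view(mandate_to_controls, check_to_controls, results):
    """Roll check results up to mandate sections via shared control statements."""
    # Invert check -> controls so each control statement lists its checks.
    control_to_checks = defaultdict(set)
    for check, controls in check_to_controls.items():
        for control in controls:
            control_to_checks[control].add(check)

    outcomes = defaultdict(list)
    for _asset, check, outcome in results:
        outcomes[check].append(outcome)

    view = {}
    for section, controls in mandate_to_controls.items():
        checks = sorted({c for ctl in controls for c in control_to_checks.get(ctl, ())})
        seen = [o for c in checks for o in outcomes.get(c, [])]
        # Status labels are this example's own, not CCS panel terminology.
        if not controls:
            status = "unmapped"
        elif not seen:
            status = "no evidence"
        elif all(o == "pass" for o in seen):
            status = "pass"
        else:
            status = "fail"
        view[section] = {"status": status, "checks": checks}
    return view


if __name__ == "__main__":
    for section, row in mandate_view(MANDATE_TO_CONTROLS, CHECK_TO_CONTROLS, RESULTS).items():
        print(f"{section}: {row['status']} ({len(row['checks'])} check(s))")
```
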