| Testing Procedure | How Sheriff CSM Delivers | Sheriff CSM Instructions | Sheriff CSM Documentation |
|---|---|---|---|
| 11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel. | Sheriff CSM can provide alerting for events that are collected and sent to the SIEM. | Verify that policies, especially those in the "Policies for events generated in server" section, are enabled and configured to use an Action that generates an email to the appropriate contact. | Tutorial: Create a Policy to Send Emails Triggered by Events |
| 11.1.1 Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points. | Sheriff CSM provides asset management features that can assist in collecting this data. | Schedule Asset scans to run regularly in Sheriff CSM. | Running Asset Scans |
| | | Run the existing Asset Report for an inventory of all assets. | How to Run Reports |
| | | If you find any information outdated or missing, you may edit the asset to enter the appropriate information. | Editing the Assets |
| 11.2.1.a Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period. | Configure Vulnerability Scan in Sheriff CSM to satisfy this requirement. | See scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of scans. | Viewing the Scan Results |
| 11.2.1.b Review the scan reports and verify that the scan process includes rescans until all "high-risk" vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved. | Configure Vulnerability Scan in Sheriff CSM to satisfy this requirement. | See scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of scans. | Viewing the Scan Results |
| 11.2.3.b Review scan reports and verify that the scan process includes rescans until: • For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS. • For internal scans, all "high-risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved. | Configure Vulnerability Scan in Sheriff CSM to satisfy this requirement. Sheriff CSM keeps copies of scan results; use them to show that ongoing internal scanning is being performed. | See scan results on Environment > Vulnerabilities > Scan Jobs, and use the Launch Time column to verify the dates of scans. | Viewing the Scan Results |
| 11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic: • At the perimeter of the cardholder data environment • At critical points in the cardholder data environment. | Sheriff CSM provides NIDS/HIDS functionality and NetFlow information to trace data flow. | From Analysis > Security Events, select "Sheriff NIDS" from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the Sheriff CSM device. | Security Events Views |
| 11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection. | Sheriff CSM provides NIDS/HIDS functionality and NetFlow information to trace data flow. | From Analysis > Security Events, select "Sheriff NIDS" from the Data Source drop-down. Verify that events are being generated from network traffic that is not local to the Sheriff CSM device. | Security Events Views |
| 11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: • System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log and audit files • Additional critical files determined by entity (i.e., through risk assessment or other means) | Sheriff CSM provides registry integrity monitoring and File Integrity Monitoring (FIM) through Sheriff HIDS. | Create a Security Events view with the search on Event Name containing "integrity" and the data source as "Sheriff HIDS". Then export the view as a report module and run the report. | Create Custom Reports from SIEM Events |
| | | Additionally, create a directive to alert on occurrences of HIDS integrity change events, which triggers immediate alarms. | Tutorial: Create a New Directive to Detect DoS Attack |
| | | Examine long-term logging on Analysis > Raw Logs by performing a search for any events containing "integrity" with the data source as "Sheriff HIDS". | Search Raw Logs |
| 11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly. | Sheriff CSM provides File Integrity Monitoring (FIM) through Sheriff HIDS. | Create a Security Events view with the search on Event Name containing "integrity" and the data source as "Sheriff HIDS". Then export the view as a report module and run the report. | Create Custom Reports from SIEM Events |
| | | Additionally, create a directive to alert on occurrences of HIDS integrity change events, which triggers immediate alarms. | Tutorial: Create a New Directive to Detect DoS Attack |
| | | Examine long-term logging on Analysis > Raw Logs by performing a search for any events containing "integrity" with the data source as "Sheriff HIDS". | Search Raw Logs |
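The two cadence checks in this table (four quarterly scans with rescans until high-risk findings are resolved under 11.2.1.a/b, and critical file comparisons at least weekly under 11.5.b) are easy to eyeball once but tedious to repeat every assessment. The script below is an added example, not Sheriff CSM code: it takes records an analyst would export from the Scan Jobs view (Launch Time column) and from a "Sheriff HIDS" Security Events view filtered on "integrity", and reports which quarters are covered, which scans with open high-risk findings were never cleared by a later scan, and whether integrity events ever fall more than seven days apart. The field names (`launch_time`, `high_risk_open`) and all sample timestamps are constructed assumptions, not the product's export format.

```python
"""Cadence checks for PCI DSS 11.2.1 and 11.5.b evidence (added example, not Sheriff CSM code)."""
from datetime import datetime, timedelta

# Constructed sample: one record per scan job, mimicking the Launch Time column plus
# the count of high-risk findings (PCI DSS 6.1 definition) still open in that report.
SCAN_JOBS = [
    {"launch_time": "2023-01-15T02:00:00", "high_risk_open": 3},
    {"launch_time": "2023-02-01T02:00:00", "high_risk_open": 0},  # rescan, clean
    {"launch_time": "2023-04-12T02:00:00", "high_risk_open": 0},
    {"launch_time": "2023-07-20T02:00:00", "high_risk_open": 1},
    {"launch_time": "2023-08-03T02:00:00", "high_risk_open": 0},  # rescan, clean
    {"launch_time": "2023-10-05T02:00:00", "high_risk_open": 0},
]

# Constructed sample: timestamps of "Sheriff HIDS" events whose name contains "integrity".
# Weekly on Mondays, with one deliberate 10-day gap between the third and fourth event.
FIM_EVENTS = [
    "2023-11-06T03:00:00",
    "2023-11-13T03:00:00",
    "2023-11-20T03:00:00",
    "2023-11-30T03:00:00",
    "2023-12-04T03:00:00",
]


def quarters_with_scans(jobs, as_of):
    """Calendar quarters (year, 1..4) in the 12 months before as_of that contain a scan (11.2.1.a)."""
    start = as_of - timedelta(days=365)
    covered = set()
    for job in jobs:
        launched = datetime.fromisoformat(job["launch_time"])
        if start <= launched <= as_of:
            covered.add((launched.year, (launched.month - 1) // 3 + 1))
    return covered


def unresolved_high_risk(jobs):
    """Launch times of scans with open high-risk findings that no later scan has cleared (11.2.1.b).

    A later scan reporting zero open high-risk findings counts as the rescan that
    resolves everything before it; anything still pending at the end is a gap.
    """
    pending = []
    for job in sorted(jobs, key=lambda j: j["launch_time"]):
        if job["high_risk_open"] > 0:
            pending.append(job["launch_time"])
        else:
            pending = []
    return pending


def max_gap_days(timestamps):
    """Largest number of days between consecutive timestamps, or None if fewer than two."""
    ordered = sorted(datetime.fromisoformat(t) for t in timestamps)
    if len(ordered) < 2:
        return None
    return max((later - earlier).days for earlier, later in zip(ordered, ordered[1:]))


def fim_weekly_comparisons(event_times, max_days=7):
    """True when HIDS integrity events never fall more than max_days apart (11.5.b).

    Caveat: an integrity event only fires when a monitored file changes, so a quiet
    week with no changes is not proof that the comparison did not run. Treat a
    failure here as a prompt to check the HIDS scan schedule, not as a finding.
    """
    gap = max_gap_days(event_times)
    return gap is not None and gap <= max_days


if __name__ == "__main__":
    as_of = datetime(2023, 12, 31)
    print("quarters covered:", sorted(quarters_with_scans(SCAN_JOBS, as_of)))
    print("scans never re-scanned clean:", unresolved_high_risk(SCAN_JOBS))
    print("largest FIM gap (days):", max_gap_days(FIM_EVENTS))
    print("weekly comparisons evidenced:", fim_weekly_comparisons(FIM_EVENTS))
```

Run it against a real export by replacing the two constructed lists with the parsed CSV rows; the quarter check deliberately uses calendar quarters so that a scan run on the first day of one quarter and the last day of the next still counts as two quarters, which is how assessors usually read the requirement.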