Remote Support Ba Vulnerability Scan Reports

transcript

Remote Support 21.1.BaVulnerability Scan Reports

©2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified in this document are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

TC:1/12/2021

21.1.1 Remote Support FISMACompliance Report

ThisreportincludesimportantsecurityinformationaboutFISMAcomplianceofBeyondtrustRemoteSupport21.1.1

[US] Federal Information Security Mgmt. Act (FISMA)Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:12/29/20209:37:28AM

Regulations

Federal Information Security Management Act (FISMA)

Summary

TheFederalInformationSecurityManagementAct(FISMA)waspassedbyCongressandsignedintolawbythePresidentaspartoftheElectronicGovernmentActof2002.Itprovidesaframeworktoensurecomprehensivemeasuresaretakentosecurefederalinformationandassets.Itrequireseachfederalagencytodevelop,document,andimplementanagency-wideprogramtoprovideinformationsecurityfortheinformationandinformationsystemsthatsupporttheoperationsandassetsoftheagency,includingthoseprovidedormanagedbyanotheragency,contractor,orothersource.

TheOfficeofManagementandBudget(OMB)requiresfederalagenciestopreparePlansofActionandMilestonesProcess(POAandMs)reportsforallprogramsandsystemswheretheyhavefoundanITsecurityweakness.CIOsandagencyprogramofficialsmustdevelop,implement,andmanagePOAandMsforallprogramsandsystemstheyoperateandcontrol.ProgramofficialsmustregularlyupdatetheagencyCIOontheirprogresssotheCIOcanmonitoragency-wideremediationeffortsandprovidetheagency’squarterlyupdatetoOMB.

AgenciesmustsubmitareporttotheOMBthatsummarizestheresultsofannualITsecurityreviewsofsystemsandprograms,andanyprogresstheagencyhasmadetowardsfulfillingtheirFISMAgoalsandmilestones.

OMBusesthereportstohelpevaluategovernment-widesecurityperformance,developitsannualsecurityreporttoCongress,assistinimprovingandmaintainingadequateagencysecurityperformance,andinformdevelopmentoftheE-GovernmentScorecardunderthePresident’sManagementAgenda.ThereportmustsummarizetheresultsofannualITsecurityreviewsofsystemsandprograms,andanyprogresstheagencyhasmadetowardsfulfillingtheirFISMAgoalsandmilestones.

FISMArequiresthatfederalagencyofficialsunderstandthecurrentstatusoftheirsecurityprogramsandthesecuritycontrolsplannedorinplacetoprotecttheirinformationandinformationsystemsinordertomakeinformedjudgmentsandinvestmentsthatappropriatelymitigaterisktoanacceptablelevel.Theultimateobjectiveistoconducttheday-to-dayoperationsoftheagencyandtoaccomplishtheagency'sstatedmissionswithadequatesecurity,orsecuritycommensuratewithrisk,includingthemagnitudeofharmresultingfromtheunauthorizedaccess,use,disclosure,disruption,modification,ordestructionofinformation.

FISMAImplementation

PhaseI:StandardsandGuidelinesDevelopment

ThefirstphaseoftheFISMAImplementationProjectfocusesonthedevelopmentandupdatingofthesecurity

12/31/2020 1

standardsandguidancerequiredtoeffectivelyimplementtheprovisionsofthelegislation.TheimplementationoftheNISTstandardsandguidancewillhelpagenciescreateandmaintainrobustinformationsecurityprogramsandeffectivelymanagerisktoagencyoperations,agencyassets,andindividuals.

PhaseII:ImplementationandAssessmentAids

ThesecondphaseoftheFISMAImplementationProjectisfocusedonprovidinginformationsystemimplementationandassessmentreferencematerialsforbuildingcommonunderstandinginapplyingtheNISTsuiteofpublicationssupportingtheRiskManagementFramework(RMF).

NISTImplementationDocuments

NISTdevelopsandissuesstandards,guidelinesandotherpublicationstoassistfederalagenciesinimplementingFISMA,includingminimumrequirements,forprovidingadequateinformationsecurityforallagencyoperationsandassetsbutsuchstandardsandguidelinesshallnotapplytonationalsecuritysystems.

FederalInformationProcessingStandards(FIPS)areapprovedbytheSecretaryofCommerceandissuedbyNISTinaccordancewithFISMA.FIPSarecompulsoryandbindingforfederalagencies.FISMArequiresthatfederalagenciescomplywiththesestandards,andtherefore,agenciesmaynotwaivetheiruse.FIPS200mandatestheuseofSpecialPublication800-53,asamended.

AppScanandFISMA

AppScan'sFISMAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeminimumsecuritycontrolsrecommendationsassetinthesecuritycatalogofNISTSpecialPublication80053.ThisreportwasconstructedaccordingtotheHIGH-IMPACTInformationSystemsbaseline.Organizationsthatuselowormoderatecontrolbaselinemayhavetoadjusttheresultsaccordingly.

CoveredEntities

AllFederalagenciesandorganizationswhichpossessoruseFederalinformation--orwhichoperate,use,orhaveaccesstoFederalinformationsystems--onbehalfofaFederalagency,includingcontractors,grantees,Stateandlocalgovernments,andindustrypartners.

EffectiveDate

December2002

ComplianceRequiredby

FederalagenciesmustsubmittheirannualITreviewreportstotheOMBbyOctoberofeachyear.

12/31/2020 2

Regulators/Auditors

TheOfficeofManagementandBudget(OMB).

Formoreinformationonsecuringwebapplications,pleasevisit:http://www-03.ibm.com/software/products/en/category/application-security

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstratepotential vulnerabilities in your application that should be corrected in order to reduce the likelihood that yourinformation will be compromised. As legal advice must be tailored to the specific application of each law, and lawsare constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel.IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's soleresponsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevantlaws and regulatory requirements that may affect the customer's business and any actions the customer may need totake to comply with such laws.

Violated SectionIssuesdetectedacross0/23sectionsoftheregulation:

SectionsNumberofIssues

Sec.3544.(A),Sec.3547(1)-Theheadofeachagencyshallberesponsibleforprovidinginformationsecurityprotectionscommensuratewiththeriskandmagnitudeoftheharmresultingfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionof—(i)informationcollectedormaintainedbyoronbehalfoftheagency;and(ii)informationsystemsusedoroperatedbyanagencyorbyacontractorofanagencyorotherorganizationonbehalfofanagency;

Sec.3544.(B)-Theheadofeachagencyshallberesponsibleforcomplyingwiththerequirementsofthissubchapterandrelatedpolicies,procedures,standards,andguidelines,including—(i)informationsecuritystandardspromulgatedundersection11331oftitle40;and(ii)informationsecuritystandardsandguidelinesfornationalsecuritysystemsissuedinaccordancewithlawandasdirectedbythePresident;

NISTSP800_53,AC-3-Theinformationsystemenforcesapprovedauthorizationsforlogicalaccesstoinformationandsystemresourcesinaccordancewithapplicableaccesscontrolpolicies.

NISTSP800_53,AC-6-Theorganizationemploystheprincipleofleastprivilege,allowingonlyauthorizedaccessesforusers(orprocessesactingonbehalfofusers)whicharenecessarytoaccomplishassignedtasksinaccordancewithorganizationalmissionsandbusinessfunctions.

NISTSP800_53,AC-10-Theinformationsystemlimitsthenumberofconcurrentsessionsforeach[Assignment:organization-definedaccountand/oraccounttype]to[Assignment:organization-definednumber].

NISTSP800_53,AC-11-TheOrganizationpreventsfurtheraccesstothesystembyinitiatingasessionlockafter[Assignment:organization-definedtimeperiod]ofinactivityoruponreceivingarequestfromauser;andretainsthesessionlockuntiltheuserreestablishesaccessusingestablishedidentificationandauthenticationprocedures.

NISTSP800_53,AC-17-Theorganization:Establishesanddocumentsusagerestrictions,configuration/connectionrequirements,andimplementationguidanceforeachtypeofremoteaccessallowed;andAuthorizesremoteaccesstotheinformationsystempriortoallowingsuchconnections.

NISTSP800_53,CM-6-Theorganization:a.Establishesanddocumentsconfigurationsettingsforinformationtechnologyproductsemployedwithintheinformationsystemusing[Assignment:organization-definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;b.Implementstheconfigurationsettings;c.Identifies,documents,and

12/31/2020 3

approvesanydeviationsfromestablishedconfigurationsettingsfor[Assignment:organization-definedinformationsystemcomponents]basedon[Assignment:organization-definedoperationalrequirements];andd.Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures.NISTSP800_53,CM-7-Theorganization:a.Configurestheinformationsystemtoprovideonlyessentialcapabilities;andb.Prohibitsorrestrictstheuseofthefollowingfunctions,ports,protocols,and/orservices:[Assignment:organization-definedprohibitedorrestrictedfunctions,ports,protocols,and/orservices].

NISTSP800_53,IA-2-Theinformationsystemuniquelyidentifiesandauthenticatesorganizationalusers(orprocessesactingonbehalfoforganizationalusers).

NISTSP800_53,IA-4.D-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbypreventingreuseofuserordeviceidentifiersfor[Assignment:organization-definedtimeperiod].

NISTSP800_53,IA-4.E-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbydisablingtheuseridentifierafter[Assignment:organization-definedtimeperiodofinactivity].

NISTSP800_53,IA-5.C-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbyensuringthatauthenticatorshavesufficientstrengthofmechanismfortheirintendeduse.

NISTSP800_53,IA-5.E-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbychangingdefaultcontentofauthenticatorsuponinformationsysteminstallation.

NISTSP800_53,RA-5.A-Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization-definedfrequencyand/orrandomlyinaccordancewithorganization-definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported.

NISTSP800_53,SC-5-Theinformationsystemprotectsagainstorlimitstheeffectsofthefollowingtypesofdenialofserviceattacks:[Assignment:organization-definedtypesofdenialofserviceattacksorreferencetosourceforsuchinformation]byemploying[Assignment:organization-definedsecuritysafeguards].

NISTSP800_53,SC-8-Theinformationsystemprotectsthe[Selection(oneormore):confidentiality;integrity]oftransmittedinformation.

NISTSP800_53,SC-13-Theinformationsystemimplements[Assignment:organization-definedcryptographicusesandtypeofcryptographyrequiredforeachuse]inaccordancewithapplicablefederallaws,ExecutiveOrders,directives,policies,regulations,andstandards.

NISTSP800_53,SC-23-Theinformationsystemprotectstheauthenticityofcommunicationssessions. 0NISTSP800_53,SI-3.A-Employsmaliciouscodeprotectionmechanismsatinformationsystementryandexitpointstodetectanderadicatemaliciouscode;

NISTSP800_53,SI-3.B-Theorganizationupdatesmaliciouscodeprotectionmechanismswhenevernewreleasesareavailableinaccordancewithorganizationalconfigurationmanagementpolicyandprocedures;

NISTSP800_53,SI-10-Theinformationsystemchecksthevalidityofinformationinputs. 0NISTSP800_53,SI-11.A-Generateserrormessagesthatprovideinformationnecessaryforcorrectiveactionswithoutrevealinginformationthatcouldbeexploitedbyadversaries;

Section Violation By Issue0Uniqueissuesdetectedacross0/23sectionsoftheregulation:

URL Entity Issue Type Sections

12/31/2020 4

Detailed Security Issues by Sections

Sec.3544.(A),Sec.3547(1)-Theheadofeachagencyshallberesponsibleforprovidinginformationsecurityprotectionscommensuratewiththeriskandmagnitudeoftheharmresultingfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructionof—(i)informationcollectedormaintainedbyoronbehalfoftheagency;and(ii)informationsystemsusedoroperatedbyanagencyorbyacontractorofanagencyorotherorganizationonbehalfofanagency; 0

Sec.3544.(B)-Theheadofeachagencyshallberesponsibleforcomplyingwiththerequirementsofthissubchapterandrelatedpolicies,procedures,standards,andguidelines,including—(i)informationsecuritystandardspromulgatedundersection11331oftitle40;and(ii)informationsecuritystandardsandguidelinesfornationalsecuritysystemsissuedinaccordancewithlawandasdirectedbythePresident; 0

NISTSP800_53,AC-3-Theinformationsystemenforcesapprovedauthorizationsforlogicalaccesstoinformationandsystemresourcesinaccordancewithapplicableaccesscontrolpolicies. 0

NISTSP800_53,AC-6-Theorganizationemploystheprincipleofleastprivilege,allowingonlyauthorizedaccessesforusers(orprocessesactingonbehalfofusers)whicharenecessarytoaccomplishassignedtasksinaccordancewithorganizationalmissionsandbusinessfunctions. 0

NISTSP800_53,AC-10-Theinformationsystemlimitsthenumberofconcurrentsessionsforeach[Assignment:organization-definedaccountand/oraccounttype]to[Assignment:organization-definednumber]. 0

12/31/2020 5

NISTSP800_53,AC-11-TheOrganizationpreventsfurtheraccesstothesystembyinitiatingasessionlockafter[Assignment:organization-definedtimeperiod]ofinactivityoruponreceivingarequestfromauser;andretainsthesessionlockuntiltheuserreestablishesaccessusingestablishedidentificationandauthenticationprocedures. 0

NISTSP800_53,AC-17-Theorganization:Establishesanddocumentsusagerestrictions,configuration/connectionrequirements,andimplementationguidanceforeachtypeofremoteaccessallowed;andAuthorizesremoteaccesstotheinformationsystempriortoallowingsuchconnections. 0

NISTSP800_53,CM-6-Theorganization:a.Establishesanddocumentsconfigurationsettingsforinformationtechnologyproductsemployedwithintheinformationsystemusing[Assignment:organization-definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;b.Implementstheconfigurationsettings;c.Identifies,documents,andapprovesanydeviationsfromestablishedconfigurationsettingsfor[Assignment:organization-definedinformationsystemcomponents]basedon[Assignment:organization-definedoperationalrequirements];andd.Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures. 0

NISTSP800_53,CM-7-Theorganization:a.Configurestheinformationsystemtoprovideonlyessentialcapabilities;andb.Prohibitsorrestrictstheuseofthefollowingfunctions,ports,protocols,and/orservices:[Assignment:organization-definedprohibitedorrestrictedfunctions,ports,protocols,and/orservices]. 0

12/31/2020 6

NISTSP800_53,IA-2-Theinformationsystemuniquelyidentifiesandauthenticatesorganizationalusers(orprocessesactingonbehalfoforganizationalusers). 0

NISTSP800_53,IA-4.D-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbypreventingreuseofuserordeviceidentifiersfor[Assignment:organization-definedtimeperiod]. 0

NISTSP800_53,IA-4.E-Theorganizationmanagesinformationsystemidentifiersforusersanddevicesbydisablingtheuseridentifierafter[Assignment:organization-definedtimeperiodofinactivity]. 0

NISTSP800_53,IA-5.C-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbyensuringthatauthenticatorshavesufficientstrengthofmechanismfortheirintendeduse. 0

NISTSP800_53,IA-5.E-Theorganizationmanagesinformationsystemauthenticatorsforusersanddevicesbychangingdefaultcontentofauthenticatorsuponinformationsysteminstallation. 0

NISTSP800_53,RA-5.A-Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization-definedfrequencyand/orrandomlyinaccordancewithorganization-definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported. 0

12/31/2020 7

NISTSP800_53,SC-5-Theinformationsystemprotectsagainstorlimitstheeffectsofthefollowingtypesofdenialofserviceattacks:[Assignment:organization-definedtypesofdenialofserviceattacksorreferencetosourceforsuchinformation]byemploying[Assignment:organization-definedsecuritysafeguards]. 0

NISTSP800_53,SC-8-Theinformationsystemprotectsthe[Selection(oneormore):confidentiality;integrity]oftransmittedinformation. 0

NISTSP800_53,SC-13-Theinformationsystemimplements[Assignment:organization-definedcryptographicusesandtypeofcryptographyrequiredforeachuse]inaccordancewithapplicablefederallaws,ExecutiveOrders,directives,policies,regulations,andstandards. 0

NISTSP800_53,SC-23-Theinformationsystemprotectstheauthenticityofcommunicationssessions. 0

NISTSP800_53,SI-3.A-Employsmaliciouscodeprotectionmechanismsatinformationsystementryandexitpointstodetectanderadicatemaliciouscode; 0

NISTSP800_53,SI-3.B-Theorganizationupdatesmaliciouscodeprotectionmechanismswhenevernewreleasesareavailableinaccordancewithorganizationalconfigurationmanagementpolicyandprocedures; 0

12/31/2020 8

NISTSP800_53,SI-10-Theinformationsystemchecksthevalidityofinformationinputs. 0

NISTSP800_53,SI-11.A-Generateserrormessagesthatprovideinformationnecessaryforcorrectiveactionswithoutrevealinginformationthatcouldbeexploitedbyadversaries; 0

12/31/2020 9

21.1.1 Remote Support GDPRCompliance Report

ThisreportincludesimportantsecurityinformationaboutGDPRcomplianceofBeyondtrustRemoteSupport21.1.1

[EU] Regulation 2016/679 Of The European Parliament And OfThe Council (GDPR) Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:12/29/20209:37:28AM

Regulations

Regulation 2016/679 Of The European Parliament And Of TheCouncil - General Data Protection Regulation (GDPR)LearnmoreaboutIBMownGDPRreadinessjourneyandourGDPRcapabilitiesandofferingshere:https://ibm.com/gdpr

LearnmoreaboutGDPRontheEropeanUnion'sDataProtectionwebsitehere:https://ec.europa.eu/info/law/law-topic/data-protection_en

Please note that the table header 'Number of Issues' carries that naming due to technical reasons. It does notnecessarily indicate actual legal issues in the context GDPR, but rather points out areas of interest. A legally bindingassessment of applicability of any areas of interest shown in this report can and should only be made by a legalprofessional.

GDPR ArticlesIssuesdetectedacross0/4sectionsoftheregulation:

Article25(1)-Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverityforrightsandfreedomsofnaturalpersonsposedbytheprocessing,thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandatthetimeoftheprocessingitself,implementappropriatetechnicalandorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples,suchasdataminimisation,inaneffectivemannerandtointegratethenecessarysafeguardsintotheprocessinginordertomeettherequirementsofthisRegulationandprotecttherightsofdatasubjects.

Article32(1)(a)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:thepseudonymisationandencryptionofpersonaldata.

Article32(1)(b)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessingsystemsandservices.

Article32(2)-Inassessingtheappropriatelevelofsecurityaccountshallbetakeninparticularofthe 0

12/31/2020 1

risksthatarepresentedbyprocessing,inparticularfromaccidentalorunlawfuldestruction,loss,alteration,unauthoriseddisclosureof,oraccesstopersonaldatatransmitted,storedorotherwiseprocessed

Article25(1)-Takingintoaccountthestateoftheart,thecostofimplementationandthenature,scope,contextandpurposesofprocessingaswellastherisksofvaryinglikelihoodandseverityforrightsandfreedomsofnaturalpersonsposedbytheprocessing,thecontrollershall,bothatthetimeofthedeterminationofthemeansforprocessingandatthetimeoftheprocessingitself,implementappropriatetechnicalandorganisationalmeasures,suchaspseudonymisation,whicharedesignedtoimplementdata-protectionprinciples,suchasdataminimisation,inaneffectivemannerandtointegratethenecessarysafeguardsintotheprocessinginordertomeettherequirementsofthisRegulationandprotecttherightsofdatasubjects. 0

Article32(1)(a)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:thepseudonymisationandencryptionofpersonaldata. 0

12/31/2020 2

Article32(1)(b)-Takingintoaccountthestateoftheart,thecostsofimplementationandthenature,scope,contextandpurposesofprocessingaswellastheriskofvaryinglikelihoodandseverityfortherightsandfreedomsofnaturalpersons,thecontrollerandtheprocessorshallimplementappropriatetechnicalandorganisationalmeasurestoensurealevelofsecurityappropriatetotherisk,includinginteraliaasappropriate:theabilitytoensuretheongoingconfidentiality,integrity,availabilityandresilienceofprocessingsystemsandservices. 0

Article32(2)-Inassessingtheappropriatelevelofsecurityaccountshallbetakeninparticularoftherisksthatarepresentedbyprocessing,inparticularfromaccidentalorunlawfuldestruction,loss,alteration,unauthoriseddisclosureof,oraccesstopersonaldatatransmitted,storedorotherwiseprocessed 0

12/31/2020 3

21.1.1 Remote Support HIPPACompliance Report

ThisreportincludesimportantsecurityinformationaboutHIPPAcomplianceofBeyondtrustRemoteSupport21.1.1

[US] Healthcare Services (HIPAA) Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:12/29/20209:37:28AM

Regulations

The Health Insurance Portability and Accountability Act(HIPAA) of 1996 - Security and Privacy Regulations

Summary

HIPAAprovidesfederalprotectionsforpersonalhealthinformationheldbycoveredentitiesandgivespatientsasetofrightswithrespecttothatinformation.However,HIPAAdoespermitthedisclosureofpersonalhealthinformationneededforpatientcareandotherimportantandnecessarypurposes.

TitleIofHIPAAprotectshealthinsurancecoverageforworkersandtheirfamilieswhentheychangeorlosetheirjobs.TitleIIofHIPAA,knownastheAdministrativeSimplificationprovisions,requirestheestablishmentofnationalstandardsforelectronichealthcaretransactionsandnationalidentifiersforproviders,healthinsuranceplans,andemployers.

TheAdministrationSimplificationprovisionsalsoaddressthesecurityandprivacyofhealthdata.Thestandardsaremeanttoimprovetheefficiencyandeffectivenessofthehealthcaresystem.

TheUnitedStatesDepartmentofHealthandHumanServices(HHS)hasissuedregulationsimplementingthoseprovisionsofHIPAAregulatingtheprivacyandsecurityofindividuals’medicalrecords.

CoveredInformation

TheRuleslimittheuseanddisclosureofpersonalhealthinformationbyCoveredEntities.Protectedhealthinformationisindividuallyidentifiablehealthinformationthatistransmittedormaintainedinanyformormedium,andwhichrelatestothepast,presentorfuturephysicalormentalheathorconditionofanindividual,theprovisionofheathcaretoanindividual,orthepast,presentorfuturepaymentfortheprovisionofhealthcare.Informationis“individuallyidentifiable”ifitactuallyidentifiesanindividualorcontainsinformationthatcouldreasonablybeusedtoidentifyandindividual.

HIPAArequiresmeasurestobetakentosecurethisinformationwhileinthecustodyofcoveredentitiesaswellasintransitbetweencoveredentitiesandfromcoveredentitiestoothers.

ThePrivacyRulerequiresthatcoveredentities,amongotherthings(i)obtainpriorwrittenauthorizationtouseordisclosecertainpersonalhealthinformationforanypurposeotherthanpayment,healthcaretreatmentorhealthcareoperations,(ii)givepatientsaccesstocertainpersonalhealthinformationuponrequest,(iii)instituteproceduralsafeguardstoprotectpersonalhealthinformation,and(iv)limittheuseanddisclosureofsuchinformationtotheminimumnecessarytoachievetheintendedpurposeforsuchinformation.

12/31/2020 1

TheSecurityRulerequiresthatcoveredentities,amongotherthings,implementadministrative,technical,andphysicalsafeguardsto(i)ensuretheconfidentiality,integrityandavailabilityofallelectronicprotectedhealthinformationthecoveredentitycreates,receives,maintains,ortransmits;(ii)protectagainstanyreasonablyanticipatedthreatsorhazardstothesecurityorintegrityofsuchinformation;(iii)protectagainstanyreasonablyanticipatedusesordisclosuresofsuchinformationthatarenotpermittedorrequiredtheSecurityRule;and(iv)ensurecompliancewiththeSecurityRulebythecoveredentity'sworkforce.

InrecognitionofthesecuritythreatstoElectronicProtectedHealthInformation(EPHI),HHShaspublishedHIPAAPrivacyandSecurityRules`guidancedocumentstoimplementprivacyandsecurityframeworkforelectronicexchangeofindividuallyidentifiablehealthinformation.Theseguidancedocumentsdiscusshowtheprivacyandsecurityrulescanfacilitatethesafeandadequateexchangeofelectronichealthinformationandhowtodealwiththechallengesthattheuseandexchangeofelectronichealthinformationposses.

CoveredEntities

TheRulesapplytofourtypesofentities:healthcareproviders,healthplans,healthcareclearinghousesandprescriptiondrugcardsponsors(collectively"CoveredEntities").Thisgenerallymeansthoseprovidinghealthcare,thosepayingfor(insuring)healthcareanddataprocessorsthatassistinthepreceding.

CompliancePenalties

AfinemaybeimposedonanypersonorcoveredentitythatviolatesanyHIPAArequirement.Thecivilmonetarypenaltyforviolatingtransactionstandardsisupto$100perpersonperviolationandupto$25,000perpersonperviolationofasinglestandardpercalendaryear.

Thefinemaybereducedorwaivedentirelyiftheviolationwasnotduetowillfulneglectoftherequirements,andiftheentitycorrectsitwithin30daysofbecomingawareofit.

Federalcriminalpenaltiescanalsobeplaceduponhealthplans,providersandhealthcareclearinghousesthatknowinglyandimproperlydiscloseinformationorobtaininformationunderfalsepretenses.Penaltieswouldbehigherforactionsdesignedtogeneratemonetarygain.

Criminalpenaltiesareupto$50,000andoneyearinprisonforobtainingordisclosingprotectedhealthinformation;upto$100,000anduptofiveyearsinprisonforobtainingprotectedhealthinformationunder"falsepretenses";andupto$250,000anduptotenyearsinprisonforobtainingordisclosingprotectedhealthinformationwiththeintenttosell,transferoruseitforcommercialadvantage,personalgainormaliciousharm.

Effectivedate

April14,2001

SecurityRule–April21,2003

PrivacyRule–April14,2003

12/31/2020 2

ComplianceRequiredby

Privacyprovisions-April14,2003

Securityprovisions-April20,2005

Administrativeprovisions–July1,2005

Regulators/Administrators

UnitedStatesDepartmentofHealthandHumanServices

OfficeforCivilRights

AppScan'sHIPAAComplianceReport

AppScan'sHIPAAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeHIPAASecurityRulerequirementsandrelatedrequiredactivitiesasdescribedintheNISTresourceguideforHIPAAsecurityruleimplementation.

AddressableIssue-asappearsinthisreportmeansacoveredentitymust-

(i)Assesswhethereachimplementationspecificationisareasonableandappropriatesafeguardinitsenvironment,whenanalyzedwithreferencetothelikelycontributiontoprotectingtheentity'selectronicprotectedhealthinformation;and

(ii)Asapplicabletotheentity-

(A)Implementtheimplementationspecificationifreasonableandappropriate;or

(B)Ifimplementingtheimplementationspecificationisnotreasonableandappropriate-

(1)Documentwhyitwouldnotbereasonableandappropriatetoimplementtheimplementationspecification;and

(2)Implementanequivalentalternativemeasureifreasonableandappropriate.

PossibleIssue-asappearsinthisreportmeansthedetectedresultsmayimplythatarequiredimplementationspecificationisnotmet.

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-03.ibm.com/software/products/en/category/application-security

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstratepotential vulnerabilities in your application that should be corrected in order to reduce the likelihood that yourinformation will be compromised. As legal advice must be tailored to the specific application of each law, and lawsare constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel.IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole

12/31/2020 3

responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevantlaws and regulatory requirements that may affect the customer's business and any actions the customer may need totake to comply with such laws.

S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation.

S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed.

S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule.

S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism.

S.Rule-Part164,SubpartC,164.308(a)(5)(ii)(D)-AddressableIssue-Implementproceduresforcreating,changing,andsafeguardingpasswords

S.Rule-Part164,SubpartC,164.312(a)(1)-PossibleIssue-Implementtechnicalpoliciesandproceduresforelectronicinformationsystemsthatmaintainelectronicprotectedhealthinformationtoallowaccessonlytothosepersonsorsoftwareprogramsthathavebeengrantedaccessrightsasspecifiedinsection164.308(a)(4).

S.Rule-Part164,SubpartC,164.312(a)(2)(iv)-AddressableIssue-Implementamechanismtoencryptanddecryptelectronicprotectedhealthinformation.

NISTResourceGuide-Section4.14,Activity8-AddressableIssue-Implementelectronicproceduresthatterminateanelectronicsessionafterapredeterminedtimeofinactivity.

S.Rule-Part164,SubpartC,164.312(c)(1)-PossibleIssue-Implementpoliciesandprocedurestoprotectprivatehealthinformationfromimproperalterationordestruction

S.Rule-Part164,SubpartC,164.312(d)-PossibleIssue-Implementprocedurestoverifythatapersonorentityseekingaccesstoprivatehealthinformationistheoneclaimed

S.Rule-Part164,SubpartC,164.312(e)(1)-PossibleIssue-Implementtechnicalsecuritymeasurestoguardagainstunauthorizedaccesstoelectronicprotectedhealthinformationthatisbeingtransmittedoveranelectroniccommunicationsnetwork.

S.Rule-Part164,SubpartC,164.312(e)(2)(ii)-AddressableIssue-Implementamechanismtoencryptelectronicprivatehealthinformationwheneverdeemedappropriate

12/31/2020 4

S.Rule-Part164,SubpartC,164.308(a)(3)(i)-AddressableIssue-Implementpoliciesandprocedurestoensurethatallmembersofitsworkforcehaveappropriateaccesstoelectronicprotectedhealthinformation,asprovidedunder[theInformationAccessManagementstandard],andtopreventthoseworkforcememberswhodonothaveaccessunder[theInformationAccessManagementstandard]fromobtainingaccesstoelectronicprotectedhealthinformation. 0

S.Rule-Part164,SubpartC,164.308(a)(3)(ii)(A)-AddressableIssue-Implementproceduresfortheauthorizationand/orsupervisionofworkforcememberswhoworkwithelectronicprotectedhealthinformationorinlocationswhereitmightbeaccessed. 0

S.Rule-Part164,SubpartC,164.308(a)(4)(i)-PossibleIssue-ImplementpoliciesandproceduresforauthorizingaccesstoelectronicprotectedhealthinformationthatareconsistentwiththeapplicablerequirementsofsubpartEofthispartthePrivacyRule. 0

S.Rule-Part164,SubpartC,164.308(a)(4)(ii)(B)-PossibleIssue-Implementpoliciesandproceduresforgrantingaccesstoelectronicprotectedhealthinformation,forexample,throughaccesstoaworkstation,transaction,program,process,orothermechanism. 0

12/31/2020 5

S.Rule-Part164,SubpartC,164.308(a)(5)(ii)(D)-AddressableIssue-Implementproceduresforcreating,changing,andsafeguardingpasswords0

S.Rule-Part164,SubpartC,164.312(a)(1)-PossibleIssue-Implementtechnicalpoliciesandproceduresforelectronicinformationsystemsthatmaintainelectronicprotectedhealthinformationtoallowaccessonlytothosepersonsorsoftwareprogramsthathavebeengrantedaccessrightsasspecifiedinsection164.308(a)(4). 0

S.Rule-Part164,SubpartC,164.312(a)(2)(iv)-AddressableIssue-Implementamechanismtoencryptanddecryptelectronicprotectedhealthinformation. 0

NISTResourceGuide-Section4.14,Activity8-AddressableIssue-Implementelectronicproceduresthatterminateanelectronicsessionafterapredeterminedtimeofinactivity. 0

S.Rule-Part164,SubpartC,164.312(c)(1)-PossibleIssue-Implementpoliciesandprocedurestoprotectprivatehealthinformationfromimproperalterationordestruction 0

S.Rule-Part164,SubpartC,164.312(d)-PossibleIssue-Implementprocedurestoverifythatapersonorentityseekingaccesstoprivatehealthinformationistheoneclaimed 0

12/31/2020 6

S.Rule-Part164,SubpartC,164.312(e)(1)-PossibleIssue-Implementtechnicalsecuritymeasurestoguardagainstunauthorizedaccesstoelectronicprotectedhealthinformationthatisbeingtransmittedoveranelectroniccommunicationsnetwork. 0

S.Rule-Part164,SubpartC,164.312(e)(2)(ii)-AddressableIssue-Implementamechanismtoencryptelectronicprivatehealthinformationwheneverdeemedappropriate 0

12/31/2020 7

21.1.1 Remote Support OWASP Top10 Report

ThisreportincludesimportantsecurityinformationabouttestcoverageoftheOWASPtop10weaknessesbyBeyondtrustRemoteSupport21.1.1

OWASP Top 10 2017 ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:12/29/20209:37:28AM

Regulations

OWASP Top Ten 2017 – The Ten Most Critical WebApplication Security Risks

SummaryDescription

ThegoaloftheTop10projectistoraiseawarenessaboutapplicationsecuritybyidentifyingsomeofthemostcriticalrisksfacingorganizations.Developmentprojectsshouldaddressthesepotentialrisksintheirrequirementsdocumentsanddesign,buildandtesttheirapplicationstoensurethattheyhavetakenthenecessarymeasurestoreducetheseriskstotheminimum.Projectmanagersshouldincludetimeandbudgetforapplicationsecurityactivitiesincludingdevelopertraining,applicationsecuritypolicydevelopment,securitymechanismdesignanddevelopment,penetrationtesting,andsecuritycodereviewaspartovertheoverallefforttoaddresstherisks.

TheprimaryaimoftheOWASPTop10istoeducatedevelopers,designers,architects,managers,andorganizationsabouttheconsequencesofthemostimportantwebapplicationsecurityrisks.TheTop10providesbasicguidanceonhowtoaddressagainsttheserisksandwheretogotolearnmoreonhowtoaddressthem.

Althoughsetoutasaneducationpiece,ratherthanastandardoraregulation,itisimportanttonotethatseveralprominentindustryandgovernmentregulatorsarereferencingtheOWASPtopten.ThesebodiesincludeamongothersVISAUSA,MasterCardInternationalandtheAmericanFederalTradeCommission(FTC).

However,accordingtotheOWASPteamtheOWASPtoptenfirstandforemostaneducationpiece,notastandard.TheOWASPteamsuggeststhatanyorganizationabouttoadopttheTopTenpaperasapolicyorstandardtoconsultwiththeOWASPteamfirst.

WhatChangedFrom2013to2017?

ThethreatlandscapeforapplicationsandAPIsconstantlychanges.Keyfactorsinthisevolutionaretherapidadoptionofnewtechnologies(includingcloud,containers,andAPIs),theaccelerationandautomationofsoftwaredevelopmentprocesseslikeAgileandDevOps,theexplosionofthird-partylibrariesandframeworks,andadvancesmadebyattackers.ThesefactorsfrequentlymakeapplicationsandAPIsmoredifficulttoanalyze,andcansignificantlychangethethreatlandscape.Tokeeppace,theOWASPorganizationperiodicallyupdatetheOWASPTop10.Inthis2017release,followingchangesweremade:

Merged2013-A4:"InsecureDirectObjectReferences"and2013-A7:"MissingFunctionLevelAccessControl"into2017-A5:"BrokenAccessControl".

Dropped2013-A8:"Cross-SiteRequestForgery(CSRF)"asmanyframeworksincludeCSRFdefenses,itwasfoundinonly5%ofapplications.

12/31/2020 1

Dropped2013-A10:"UnvalidatedRedirectsandForwards",whilefoundinapproximatelyin8%ofapplications,itwasedgedoutoverallbyXXE.

Added2017-A4:"XMLExternalEntities(XXE)".

Added2017-A8:"InsecureDeserialization".

Added2017-A10:"InsufficientLoggingandMonitoring".

CoveredEntities

Allcompaniesandotherentitiesthatdevelopanykindofwebapplicationcodeareencouragedtoaddressthetoptenlistaspartoftheiroverallsecurityriskmanagement.AdoptingtheOWASPTopTenisaneffectivefirststeptowardschangingthesoftwaredevelopmentculturewithintheorganizationintoonethatproducessecurecode.

FormoreinformationonOWASPTopTen,pleasereviewthe-OWASPTopTen2017–TheTenMostCriticalWebApplicationSecurityRisks,athttp://www.owasp.org

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-03.ibm.com/software/products/en/category/application-security

Sections Number of Issues

A1-Injection 0A2-Brokenauthentication 0A3-SensitiveDataExposure 0A4-XMLExternalEntities(XXE) 0A5-BrokenAccessControl 0A6-SecurityMisconfiguration 0A7-Crosssitescripting(XSS) 0A8-InsecureDeserialization 0A9-UsingComponentswithKnownVulnerabilities 0A10-InsufficientLoggingandMonitoring 0

12/31/2020 2

A1-Injection 0

A2-Brokenauthentication 0

A3-SensitiveDataExposure 0

A4-XMLExternalEntities(XXE) 0

A5-BrokenAccessControl 0

A6-SecurityMisconfiguration 0

12/31/2020 3

A7-Crosssitescripting(XSS) 0

A8-InsecureDeserialization 0

A9-UsingComponentswithKnownVulnerabilities 0

A10-InsufficientLoggingandMonitoring 0

12/31/2020 4

21.1.1 Remote Support PCICompliance Report

ThisreportincludesimportantsecurityinformationaboutPCIcomplianceofBeyondtrustRemoteSupport21.1.1

The Payment Card Industry Data Security Standard (PCI DSS)Compliance ReportThisreportwascreatedbyIBMSecurityAppScanStandard9.0.3.13iFix001,Rules:19712Scanstarted:12/29/20209:37:28AM

Regulations

The Payment Card Industry Data Security Standard (PCI)Version 3.2.1

Summary

ThePaymentCardIndustryDataSecurityStandard(PCIDSS)wasdevelopedtoencourageandenhancecardholderdatasecurityandfacilitatethebroadadoptionofconsistentdatasecuritymeasuresglobally.PCIDSSprovidesabaselineoftechnicalandoperationalrequirementsdesignedtoprotectaccountdata.

PCIDSScomprisesaminimumsetofrequirementsforprotectingcardholderdata,andmaybeenhancedbyadditionalcontrolsandpracticestofurthermitigaterisks,aswellaslocal,regionalandsectorlawsandregulations.Additionally,legislationorregulatoryrequirementsmayrequirespecificprotectionofpersonalinformationorotherdataelements(forexample,cardholdername).PCIDSSdoesnotsupersedelocalorregionallaws,governmentregulations,orotherlegalrequirements.

ThePCIDSSsecurityrequirementsapplytoallsystemcomponentsincludedinorconnectedtothecardholderdataenvironment.Thecardholderdataenvironment(CDE)iscomprisedofpeople,processesandtechnologiesthatstore,process,ortransmitcardholderdataorsensitiveauthenticationdata.

“Systemcomponents”includenetworkdevices,servers,computingdevices,andapplications.Examplesofsystemcomponentsincludebutarenotlimitedtothefollowing:Systemsthatprovidesecurityservices(forexample,authenticationservers),facilitatesegmentation(forexample,internalfirewalls),ormayimpactthesecurityof(forexample,nameresolutionorwebredirectionservers)theCDE.

Virtualizationcomponentssuchasvirtualmachines,virtualswitches/routers,virtualappliances,virtualapplications/desktops,andhypervisors.

Networkcomponentsincludingbutnotlimitedtofirewalls,switches,routers,wirelessaccesspoints,networkappliances,andothersecurityappliances.

Servertypesincludingbutnotlimitedtoweb,application,database,authentication,mail,proxy,NetworkTimeProtocol(NTP),andDomainNameSystem(DNS).

Applicationsincludingallpurchasedandcustomapplications,includinginternalandexternal(forexample,Internet)applications.AnyothercomponentordevicelocatedwithinorconnectedtotheCDE.

CoveredEntities

12/31/2020 1

PCIDSSappliestoallentitiesinvolvedinpaymentcardprocessing—includingmerchants,processors,acquirers,issuers,andserviceproviders,aswellasallotherentitiesthatstore,processortransmitcardholderdata(CHD)and/orsensitiveauthenticationdata(SAD).

PCIDSSrequirementsapplytoorganizationsandenvironmentswhereaccountdata(cardholderdataand/orsensitiveauthenticationdata)isstored,processedortransmitted.SomePCIDSSrequirementsmayalsobeapplicabletoorganizationsthathaveoutsourcedtheirpaymentoperationsormanagementoftheirCDE1.Additionally,organizationsthatoutsourcetheirCDEorpaymentoperationstothirdpartiesareresponsibleforensuringthattheaccountdataisprotectedbythethirdpartypertheapplicablePCIDSSrequirements.

CompliancePenalties

Ifamerchantorserviceproviderdoesnotcomplywiththesecurityrequirementsorfailstorectifyasecurityissue,thecardcompaniesmayfinetheacquiringmember,orimposerestrictionsonthemerchantoritsagent.

ComplianceRequiredBy

PCIDSSversion3.2.1hasreplacedPCIDSSversion3.2andiseffectiveasofMay2018.ThePCIDSSversion3.2maynotbeusedforPCIDSScomplianceafterDecember31,2018.

Regulators

ThePCISecurityStandardsCouncil,anditsfoundingmembersincludingAmericanExpress,DiscoverFinancialServices,JCB,MasterCardWorldwideandVisaInternational.

FormoreinformationonthePCIDataSecurityStandard,pleasevisit:

https://www.pcisecuritystandards.org./index.htm

Formoreinformationonsecuringwebapplications,pleasevisithttp://www-01.ibm.com/software/rational/offerings/websecurity/

Copyright:ThePCIinformationcontainedinthisreportisproprietarytoPCISecurityStandardsCouncil,LLC.AnyuseofthismaterialissubjecttothePCISECURITYSTANDARDSCOUNCIL,LLCLICENSEAGREEMENTthatcanbefoundat:

https://www.pcisecuritystandards.org./tech/download_the_pci_dss.htm

12/31/2020 2

Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters.

Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.)

Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem.

Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. 0Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems.

Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography. 0Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhostingpurposes–Hostingprovidersmustprotecteachentity’shostedenvironmentanddata.

Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. 0Requirement4.1-Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse.

Requirement6-Developandmaintainsecuresystemsandapplications. 0Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities.

Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1

Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:•InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)•Basedonindustrystandardsand/orbestpractices.•Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustomsoftwaredevelopedbyathirdparty.

Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers.

Requirement6.4.4-Removaloftestdataandaccountsfromsystemcomponentsbeforethesystembecomesactive/goesintoproduction.

Requirement6.5-Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:•Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.•Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements.

Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws.

Requirement6.5.2-Bufferoverflow 0

12/31/2020 3

Requirement6.5.3-Insecurecryptographicstorage 0Requirement6.5.4-Insecurecommunications 0Requirement6.5.5-Impropererrorhandling 0Requirement6.5.7-Crosssitescripting(XSS) 0Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions).

Requirement6.5.9-Crosssiterequestforgery(CSRF) 0Requirement6.5.10-BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement

Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:•Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychangesNote:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.•Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic.

Requirement7-Restrictaccesstodatabybusinessneed-to-know 0Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess.

Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities.

Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:•Somethingyouknow,suchasapasswordorpassphrase•Somethingyouhave,suchasatokendeviceorsmartcard•Somethingyouare,suchasabiometric.

Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents.

Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:•Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.•Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.•ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses).

12/31/2020 4

Requirement2-Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters. 0

Requirement2.1-Alwayschangevendor-supplieddefaultsandremoveordisableunnecessarydefaultaccountsbeforeinstallingasystemonthenetwork.ThisappliestoALLdefaultpasswords,includingbutnotlimitedtothoseusedbyoperatingsystems,softwarethatprovidessecurityservices,applicationandsystemaccounts,point-of-sale(POS)terminals,paymentapplications,SimpleNetworkManagementProtocol(SNMP)communitystrings,etc.) 0

Requirement2.2.2-Enableonlynecessaryservices,protocols,daemons,etc.,asrequiredforthefunctionofthesystem. 0

Requirement2.2.4-Configuresystemsecurityparameterstopreventmisuse. 0

Requirement2.2.5-Removeallunnecessaryfunctionality,suchasscripts,drivers,features,subsystems,filesystems. 0

Requirement2.3-Encryptallnon-consoleadministrativeaccessusingstrongcryptography. 0

12/31/2020 5

Requirement2.6-Thissectionappliestowebapplicationsthatareusedbyhostingprovidersforhostingpurposes–Hostingprovidersmustprotecteachentity’shostedenvironmentanddata. 0

Requirement4-Encrypttransmissionofcardholderdataacrossopen,publicnetworks. 0

Requirement4.1-Usestrongcryptographyandsecurityprotocolstosafeguardsensitivecardholderdataduringtransmissionoveropen,publicnetworks,includingthefollowing:-Onlytrustedkeysandcertificatesareaccepted.-Theprotocolinuseonlysupportssecureversionsorconfigurations.-Theencryptionstrengthisappropriatefortheencryptionmethodologyinuse. 0

Requirement6-Developandmaintainsecuresystemsandapplications. 0

Requirement6.1-Establishaprocesstoidentifysecurityvulnerabilities,usingreputableoutsidesourcesforsecurityvulnerabilityinformation,andassignariskranking(forexample,as“high,”“medium,”or“low”)tonewlydiscoveredsecurityvulnerabilities. 0

Requirement6.2-Ensurethatallsystemcomponentsandsoftwareareprotectedfromknownvulnerabilitiesbyinstallingapplicablevendor-suppliedsecuritypatches.Installcriticalsecuritypatcheswithinonemonthofrelease.CriticalsecuritypatchesshouldbeidentifiedaccordingtotheriskrankingprocessdefinedinRequirement6.1 0

12/31/2020 6

Requirement6.3-Developinternalandexternalsoftwareapplications(includingweb-basedadministrativeaccesstoapplications)securely,asfollows:•InaccordancewithPCIDSS(forexample,secureauthenticationandlogging)•Basedonindustrystandardsand/orbestpractices.•Incorporatinginformationsecuritythroughoutthesoftware-developmentlifecycleNote:thisappliestoallsoftwaredevelopedinternallyaswellasbespokeorcustomsoftwaredevelopedbyathirdparty. 0

Requirement6.3.1-Removedevelopment,testand/orcustomapplicationaccounts,userIDs,andpasswordsbeforeapplicationsbecomeactiveorarereleasedtocustomers. 0

Requirement6.4.4-Removaloftestdataandaccountsfromsystemcomponentsbeforethesystembecomesactive/goesintoproduction. 0

Requirement6.5-Addresscommoncodingvulnerabilitiesinsoftware-developmentprocessesasfollows:•Traindevelopersinsecurecodingtechniques,includinghowtoavoidcommoncodingvulnerabilities,andunderstandinghowsensitivedataishandledinmemory.•Developapplicationsbasedonsecurecodingguidelines.Note:Thevulnerabilitieslistedat6.5.1through6.5.10werecurrentwithindustrybestpracticeswhenthisversionofPCIDSSwaspublished.However,asindustrybestpracticesforvulnerabilitymanagementareupdated(forexample,theOWASPGuide,SANSCWETop25,CERTSecureCoding,etc.),thecurrentbestpracticesmustbeusedfortheserequirements. 0

Requirement6.5.1-Injectionflaws,particularlySQLinjection.AlsoconsiderOSCommandInjection,LDAPandXPathinjectionflawsaswellasotherinjectionflaws. 0

12/31/2020 7

Requirement6.5.2-Bufferoverflow 0

Requirement6.5.3-Insecurecryptographicstorage 0

Requirement6.5.4-Insecurecommunications 0

Requirement6.5.5-Impropererrorhandling 0

Requirement6.5.7-Crosssitescripting(XSS) 0

Requirement6.5.8-Improperaccesscontrol(suchasinsecuredirectobjectreferences,failuretorestrictURLaccess,directorytraversal,andfailuretorestrictuseraccesstofunctions). 0

Requirement6.5.9-Crosssiterequestforgery(CSRF) 0

Requirement6.5.10-BrokenauthenticationandsessionmanagementNote:Requirement6.5.10isabestpracticeuntilJune30,2015,afterwhichitbecomesarequirement 0

12/31/2020 8

Requirement6.6-Forpublic-facingwebapplications,addressnewthreatsandvulnerabilitiesonanongoingbasisandensuretheseapplicationsareprotectedagainstknownattacksbyeitherofthefollowingmethods:•Reviewingpublic-facingwebapplicationsviamanualorautomatedapplicationvulnerabilitysecurityassessmenttoolsormethods,atleastannuallyandafteranychangesNote:ThisassessmentisnotthesameasthevulnerabilityscansperformedforRequirement11.2.•Installinganautomatedtechnicalsolutionthatdetectsandpreventsweb-basedattacks(forexample,aweb-applicationfirewall)infrontofpublic-facingwebapplications,tocontinuallycheckalltraffic. 0

Requirement7-Restrictaccesstodatabybusinessneed-to-know 0

Requirement7.1-Limitaccesstosystemcomponentsandcardholderdatatoonlythoseindividualswhosejobrequiressuchaccess. 0

Requirement7.1.2-RestrictaccesstoprivilegeduserIDstoleastprivilegesnecessarytoperformjobresponsibilities. 0

Requirement8.2-InadditiontoassigningauniqueID,ensureproperuser-authenticationmanagementfornon-consumerusersandadministratorsonallsystemcomponentsbyemployingatleastoneofthefollowingmethodstoauthenticateallusers:•Somethingyouknow,suchasapasswordorpassphrase•Somethingyouhave,suchasatokendeviceorsmartcard•Somethingyouare,suchasabiometric. 0

12/31/2020 9

Requirement8.2.1-Usingstrongcryptography,renderallauthenticationcredentials(suchaspasswords/phrases)unreadableduringtransmissionandstorageonallsystemcomponents. 0

Requirement8.7-Allaccesstoanydatabasecontainingcardholderdata(includingaccessbyapplications,administrators,andallotherusers)isrestrictedasfollows:•Alluseraccessto,userqueriesof,anduseractionsondatabasesarethroughprogrammaticmethods.•Onlydatabaseadministratorshavetheabilitytodirectlyaccessorquerydatabases.•ApplicationIDsfordatabaseapplicationscanonlybeusedbytheapplications(andnotbyindividualusersorothernon-applicationprocesses). 0

12/31/2020 10