Showing results for 
Search instead for 
Did you mean: 
Create Post

NCM compliance: join the PCI-Palooza!

Level 15

Many of you (a growing number) are reporting interest for compliance reporting.

NCM 6.1 delivered some great improvements in general and around compliance reporting in particular. Check these out.

We now have a set of available compliance reports for the following industries:

  • CISP: Cardholder Information Security Program
  • HIPAA: Health Insurance Portability and Accountability Act
  • SOX: Sarbanes-Oxley

- clip_image002

With 6.1, we also delivered on, our vibrant community, a set of DISA STIG compliance reports (Defense Information Systems Agency Security Technical Implementation Guide).

Let’s face it. Most of the time, your interest comes from the fact that your company HAS TO provide evidence of compliance (depending on your industry: health insurance, DOD, …).

But don’t forget that those compliance checks, even if your organization is not subject to them and you don’t HAVE TO show evidence of compliance, are an EXCELLENT PRACTICE ANYWAY.

Those security rules are good for you. Checking them regularly, on all your configurations, ensures consistency across dozens, sometimes hundreds or thousands of device configurations. This can catch for you some pretty bad security holes and allow for simple and quick remediation.

Why do you need a product like NCM to do this? Obviously because you will rarely see something in your life, as boring as checking network configuration devices manually.

With NCM, you can do 1000’s of checks automatically (huge time saver), sometimes do remediation automatically (error reduction) and more importantly generate that PDF report that will show evidence that you are taking this seriously - and will keep that auditor busy and off your back for a while Smile (yes, another huge time saver) !

Now I’m sure you can’t wait to get started with compliance reporting. If HIPAA, DISA, SOX is what you need, help yourself, it’s already in the product or on Thwack.

If PCI is what you are dreaming about (some call it a nightmare), keep reading.

This blog is about leveraging our amazing community of Solarwind’s product users, to cover the Payment Card Industry compliance area: the PCI DSS compliance.

You may have noticed the CISP reports in the snapshots above, which are related. But these CISP reports are still limited and there is a difference between the two. A little bit of history on the difference:

  • The Payment Card Industry Data Security Standard (PCI DSS) has been created jointly by Visa, MasterCard, Discover and American Express because of the growing occurrences of credit card and identity theft, aiming at protecting credit card data.
  • The Cardholder Information Security Program (CISP) was mandated before, by Visa (2001), but was then incorporated into the PCI DSS, to become the industry-wide standards for card security.

PCI DSS is therefore wider and more recent, and this is why we will focus on it.

How are we going to organize, as a community, to generate this PCI DSS content? The methodology we propose is one that has proven effective for centuries: Divide and conquer!

In a nutshell what we propose is pretty simple:

  • We will propose a break-down of the PCI DSS standard by section
  • Ask NCM users to volunteer and “take” one section
  • Each “volunteer” will write the PCI rules that will check network configuration for this particular section
  • They will contribute their work on a dedicated Thwack content exchange area
  • It will be freely available to everyone to consume

I can already hear you thinking… wait a minute… this looks like quite some work, it is probably complicated, and I’m not a PCI compliance expert anyway (otherwise I would not have read that far).

Here is why it’s actually simpler than it seems:

  • Because some have already started and will share soon a great starting point that you can take, try and use as model.
  • Because many of these rules actually are the same.
    Sure HIPAA, SOX, DISA and PCI look fairly different when you read the standards, which are usually fairly high level written, but at the end of the day, when you try to apply the spirit of the standard to network device configuration checks, they all comes down to very similar checks.
  • Many of those checks are already implemented in the hundreds of rules that we have today in NCM
  • So this work is about:
    1. Reading a portion of the PCI standard (the one you want to contribute for)
    2. Leverage your knowledge of network configuration to understand how you can check what the standard asks for, in a device configuration.
      Just think you had an auditor in front of you: what would you show him/her in your configurations, that proves that you comply?
      That’s it, this is what you want to convert into an NCM rule!
    3. Write and test the rule
    4. Package it and upload it on Thwack, following the recommended packaging and naming structure

The first package is here

And now, here is the real reason why, you will want to contribute.

Everyone who will contribute to the PCI-Palooza and upload PCI reports, will get free Solarwinds NCM tee shirts!



If you have questions or are interested, please reply to this blog, or send me directly an email and stay tuned for more instructions soon!

About the Author
Francois has joined the SW product management team in Dec 2010. He has been in the network management space for about 15 years, first in a startup company, then in one of the big 4 and back to a human-size company. Despite his bizarre accent, he is a decent guy to talk to.