PCI - Policy
Policy definition within PCI DSS focuses on restricting access to cardholder data based on business "need to know," meaning that access rights are granted to only the least amount of data and privileges needed to perform a job (Requirement 7.0).
The Avenda eTIPS identity-aware policy platform uses extensible role-based rules with a rich set of data-sensitive operators to support even the most complex use cases. Policies can be created using static or dynamic attributes within the session, access protocol method and identity stores, in order to make fine-grained access control decisions. The eTIPS policy management interface provides the ability to simulate policies and test their effectiveness, to prevent negative impact on an organization's operations. Easy-to-use "3 click" implementation and helpdesk navigation streamline management and troubleshooting.
Policies can be specific to individual network access methods within PCI DSS. If wireless networks are part of the cardholder data environment (CDE), organizations must develop usage policies for wireless access (Requirement 12.3) and log wireless access centrally (Requirement 10.5.4).
Avenda's solution offers enforcement options that prohibit the use of unknown wireless APs and endpoint devices that do not meet set policy requirements. Periodic scans of these devices can be used to ensure they continue to meet those requirements. Administrative privileges can also be controlled to deter malicious access.





