Accelerate the path to PCI DSS data compliance using InfoSphere Guardium
Use prebuilt reports, policies, and groups to simplify configuration

Kathryn Zeidenstein ([email protected]), InfoSphere Guardium Evangelist, IBM
Shengyan Sun ([email protected]), InfoSphere Guardium QA Engineer, IBM

18 April 2013

developerWorks, ibm.com/developerWorks/. © Copyright IBM Corporation 2013. Trademarks. Source PDF: alfatec.hr/wp-content/uploads/2011/11/Guardium-i-PCIDSS.pdf

This article gives you a step-by-step overview of using the Payment Card Industry (PCI) Data Security Standard (DSS) accelerator that is included with the standard InfoSphere® Guardium® data security and protection solution. The PCI DSS is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations that store, process, use, or transmit cardholder data. Failure to comply can mean loss of privileges, stiff fines, and, in the case of a data breach, severe loss of consumer confidence in your brand or services. The InfoSphere Guardium accelerator helps guide you through the process of complying with parts of the standard using predefined policies, reports, group definitions, and more.

Introduction

Recent high profile data thefts, along with industry statistics, indicate that significant work remains to be done in most organizations to implement PCI DSS. In its 2010 Data Breach Investigations Report on 141 global organizations that experienced breaches, Verizon's Business Risk Team found that 83% of records compromised involved payment card data. "While other types of data are sought by certain groups (i.e. competitors may target IP), the vast majority of cybercriminals are looking for a quick and easy payoff. Payment cards certainly fit the bill." Investigations also showed that 79% of the organizations attacked that were subject to PCI DSS were not compliant with the standard.

InfoSphere Guardium is designed to help you meet standard compliance requirements. It includes four compliance accelerators that you are entitled to use with your Activity Monitoring or Vulnerability Assessment license: Basel II, Data Privacy, PCI DSS, and Sarbanes-Oxley (SOX). They can be downloaded from Passport Advantage as part of the InfoSphere Guardium e-assembly. In this article, you will get an overview of the PCI accelerator, looking at each of the major components of the accelerator. You will learn how the accelerator helps you design the correct reports and policies for compliance, and how it is also structured as a checklist of sorts to make it easy to demonstrate to an external auditor how you are managing to the PCI DSS using InfoSphere Guardium.

What is PCI DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations that store, process, use, or transmit cardholder data. As stated on the PCI Security Standards Council website, the framework for compliance is built around three steps:

• Assess: Inventory your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data.
• Remediate: Fix those vulnerabilities.
• Report: Compile the records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands you do business with.

This article assumes some knowledge of InfoSphere Guardium to do the hands-on activities, but the main points of the article, in terms of benefits for compliance, should be clear even without prior Guardium experience. Because the examples show populated reports, this article also assumes that you have already installed and configured InfoSphere Guardium and are collecting data activity from your database servers.

In this article, you will learn:

• How to install the accelerator and configure a PCI role that will see the GUI enhancements specifically for the PCI accelerator.
• The layout of the accelerator and the reports that are included to demonstrate compliance. You will learn how to add members to groups that will enable those reports to return the correct information. The article also briefly discusses security policies and rules.
• How to use audit processes to automate compliance workflow for reviews and sign-offs.

Recommendation: You can download the checklist, which helps you to gather the required information to populate the groups used in the PCI reports and policies.

Summary for advanced users

If you are familiar with InfoSphere Guardium and don't need step-by-step instructions, here is a summary of what you need to do.

1. Download and install the PCI DSS accelerator from Passport Advantage, assign the PCI role to a user, and reset the GUI layout for that user. See Install the PCI DSS accelerator and configure the PCI role for more details.

2. Using the Guardium API (see the appendix) or the Group Builder (see Populating groups), populate the groups that are used to generate the reports you need, as summarized here:

• PCI Admin Users
• PCI Authorized Client IPs
• PCI Authorized Server IPs
• PCI Authorized Source Programs
• PCI Cardholder DBs
• PCI Cardholder Sensitive objects
• PCI Limited Access Users

3. Configure a security policy, optionally using one of the PCI policies as a template. (See Set up the security policy.)

4. Use regularly scheduled security assessments to detect common vulnerabilities or usage of bad security practices. (See Run regular security assessments.)

5. Use audit processes to automate sign-offs and review. (See Use audit processes to automate sign-offs and review.)

Install the PCI DSS accelerator and configure the PCI role

The PCI DSS accelerator, along with the accelerators for Sarbanes-Oxley, Data Privacy, and HIPAA, is part of your entitlement to InfoSphere Guardium. Use the following steps to obtain and install it.

1. From an authorized Passport Advantage ID, download the Accelerator module for your release of InfoSphere Guardium and upload it to your file server.

2. Log in to the Guardium appliance as CLI (or as an admin user with CLI access), run the following CLI command, and follow the prompted steps:

store system patch install sys

3. After the installation is complete, use the following CLI command to confirm that the patch installed successfully:

show system patch installed

In the listing from the command, you should see a line for the accelerator that shows a status of DONE: Patch Installation Succeeded, as shown in Figure 1.

Figure 1. Successful installation of the PCI accelerator

InfoSphere Guardium uses roles to segregate the components that a particular user has access to. The Guardium access manager is responsible for assigning users to roles. The PCI role enables the person responsible for configuring Guardium for PCI compliance to see the relevant information in the Guardium user interface.

In this section, learn how to configure an existing user to have the PCI role in Guardium and configure the layout for the PCI accelerator.

Recommendation: When you reset the layout, that user loses any existing UI customization, so it is recommended that you create a different user for testing purposes.


1. Log in to the Guardium web UI using the accessmgr user account. Select a user (in this case, user1), and click Roles.

Figure 2. Adding a role for a user

2. In the User Role Form, check the box for PCI, and then click Save.

Figure 3. Adding a role for a user

3. Next, click Change Layout to configure the user interface to add the PCI-specific user interface components.


Figure 4. Change the layout to activate PCI components of the user interface

4. A window opens asking for an optional description. You can add a description or not, then click Reset.

Figure 5. Reset will reset the layout for the user when they log on

Now user1 is ready to begin configuring Guardium for PCI monitoring.

First, as user1, log in to the Guardium web interface. Because of your PCI role, you see a customized layout for PCI. If not already highlighted, click on the PCI Accelerator tab and then the Overview subtab. On the left navigation pane, you have the option of viewing an overview of the PCI Standard (as shown in Figure 6) or an introduction to the Guardium PCI accelerator itself.

Figure 6. An overview of the PCI standard

• From the left menu pane, select the PCI Data Security Standard to open the Introduction page.


• From the left menu pane, select PCI Accelerator for Compliance to get the detailed introduction to the PCI accelerator.

Plan and organize

The accelerator can help you with planning and organizing for PCI compliance activities. This section includes reports that inventory your cardholder database servers, database users, authorized source programs, and more.

You can use Guardium API automation to keep these inventories updated as your environment changes, or you can update the inventory manually using the GUI.

Click on the Plan & Organize tab and then click on the Overview option from the left navigation menu to get to the introduction of how the report templates in this section can help you:

• Create an inventory map of cardholder information servers, clients, databases, and users.
• View information about the "who, what, when, and how" of cardholder information that has been touched.
• Verify that generic IDs and accounts are disabled or removed and that there are no shared IDs for system administration activities and other critical functions.

Figure 7. Plan and organize overview

In the left menu pane, you see the list of report templates that are provided to help you plan and stay organized.

Figure 8. Built-in reports to help you plan and organize

If you click on any of these reports, you will see "data not found" because they rely on groups being populated with relevant members. InfoSphere Guardium uses groups to simplify the management of the system. So, for example, you might have a group of cardholder databases and a group of authorized programs. The reports use the appropriate populated groups as a runtime parameter to show you the relevant information.

This becomes more clear as you continue in this article. First, you'll get a description of the reports and the relevant groups, and then you'll see how to find for yourself what groups a report is using and how to populate a group.

Here is an overview of the reports in the Plan & Organize tab and the group or groups each relies on.

Graphical maps

It is possible to create a graphical view (including a PDF) of client/server mapping as well. This is called the Access Map Application. That application uses IP addresses and database types for filtering, not groups. See the "how-to" topic in the InfoSphere Guardium information center for more details (see Resources for a link).

• Cardholder Server IPs List: This reports the cardholder information database server list. You will need to populate the PCI Authorized Server IPs group, which specifies the database servers that store cardholder information.
• Cardholders Databases: Cardholder information databases. You will need to populate the PCI Cardholder DBs group.
• Cardholder Objects: Cardholder information objects. This could be a table, view, or stored procedure that contains the sensitive information. You will need to populate the PCI Cardholder Sensitive objects group.
• DB Clients to Servers Map: This report is a client-to-server mapping of PCI Authorized Server IPs (the group that specifies the database servers storing cardholder information) to the client IPs that are accessing those servers. See Figure 14 for an example.
• Active DB Users: This reports on users (who are not administrators) who are visiting the cardholder database. This report uses the PCI Admin Users group to exclude the administrators.
• Authorized Source Programs: This reports on the authorized credit applications. This report relies on the PCI Authorized Server IPs and the PCI Authorized Source Programs groups.
• Unauthorized Application Access: This report lets you know if a program other than one of your authorized credit applications is accessing the authorized database servers. Again, this relies on the PCI Authorized Server IPs and PCI Authorized Source Programs groups. (At runtime, the report uses negation on the PCI Authorized Source Programs group to identify the unauthorized applications.)
• 8.5.8 Shared Accounts: PCI requirement 8 is that each person who has computer access is assigned a unique ID. This report can help identify when the same user ID is used from multiple client IPs to connect to the same server, which could indicate that ID sharing is occurring.
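The three reports above that depend on negating a group or on correlating one user ID with its client IPs are easier to reason about as code. The following is an added example in Python, not code from the article or from Guardium, run over constructed session records instead of traffic captured by a collector. The group names are the accelerator's; the group members, the record layout and the sessions are assumptions.

```python
"""Added example, not code from the IBM article or from Guardium: the query
logic behind three Plan & Organize reports, run over constructed session
records instead of data captured by a collector. The group names are the
accelerator's; the members, the record layout and the sessions are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# A report takes a populated group as a runtime parameter. These members are
# constructed sample values, not a real inventory.
GROUPS = {
    "PCI Authorized Server IPs": {"10.70.144.159", "10.70.144.174"},
    "PCI Authorized Source Programs": {"CARDAPP.EXE", "SQLPLUS"},
    "PCI Admin Users": {"SYS", "SYSTEM", "DBA_ADMIN"},
}


@dataclass(frozen=True)
class Session:
    server_ip: str
    client_ip: str
    db_user: str
    source_program: str


# Constructed traffic: one record per observed client session.
SESSIONS = [
    Session("10.70.144.159", "10.70.10.5", "CARDAPP", "CARDAPP.EXE"),
    Session("10.70.144.159", "10.70.10.5", "SYSTEM", "SQLPLUS"),
    Session("10.70.144.159", "10.70.10.9", "JSMITH", "TOAD.EXE"),    # ad hoc tool
    Session("10.70.144.174", "10.70.10.9", "CARDAPP", "CARDAPP.EXE"),
    Session("10.70.144.174", "10.70.10.12", "CARDAPP", "CARDAPP.EXE"),
    Session("10.70.144.174", "10.70.10.12", "JSMITH", "TOAD.EXE"),
    Session("10.70.144.200", "10.70.10.9", "JSMITH", "TOAD.EXE"),    # not a cardholder server
]


def cardholder_sessions(sessions):
    """Every report first narrows traffic to the PCI Authorized Server IPs group."""
    servers = GROUPS["PCI Authorized Server IPs"]
    return [s for s in sessions if s.server_ip in servers]


def active_db_users(sessions):
    """Active DB Users: negation on PCI Admin Users leaves the non-admin users."""
    admins = GROUPS["PCI Admin Users"]
    return sorted({s.db_user for s in cardholder_sessions(sessions)
                   if s.db_user not in admins})


def unauthorized_application_access(sessions):
    """Unauthorized Application Access: negation on PCI Authorized Source Programs."""
    allowed = GROUPS["PCI Authorized Source Programs"]
    return sorted({(s.server_ip, s.client_ip, s.db_user, s.source_program)
                   for s in cardholder_sessions(sessions)
                   if s.source_program.upper() not in allowed})


def shared_accounts(sessions):
    """8.5.8 Shared Accounts: one user ID reaching the same server from more
    than one client IP. Returns {(server_ip, db_user): [client_ips]}."""
    clients_by_account = defaultdict(set)
    for s in cardholder_sessions(sessions):
        clients_by_account[(s.server_ip, s.db_user)].add(s.client_ip)
    return {account: sorted(ips)
            for account, ips in clients_by_account.items() if len(ips) > 1}


if __name__ == "__main__":
    print("Active DB Users:", active_db_users(SESSIONS))
    for row in unauthorized_application_access(SESSIONS):
        print("Unauthorized Application Access:", row)
    for account, ips in shared_accounts(SESSIONS).items():
        print("8.5.8 Shared Accounts:", account, ips)
```

Note what the shared-accounts hit looks like: CARDAPP reaching 10.70.144.174 from two client IPs is either an application-server pool (a candidate for the PCI Authorized Client IPs group) or a person's credentials being passed around, and the report cannot tell which. Decide per hit, and record the decision, because that record is what the auditor asks for under requirement 8.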

Populating groups

To see the magic behind the reports, you can go to any report and click on the pencil icon to see the query that is used to build the report.


Figure 9. Edit a report to see the query behind it

The Query Builder will include the names of the relevant group or groups used when running the report.

Figure 10. Query conditions for a report may contain groups

Your task now is to populate the group, and you'll do that using the Group Builder.

You can access the Group Builder from many different places, as groups are a critical component of reporting, security assessments, and policy rules. You navigate to the Group Builder from the Comply tab, which is a tab that appears when you are logged on in the user role. Click on the Comply tab, then select Group builder from the graphic, as shown in Figure 11.

Figure 11. Accessing the group builder tool

Highlight the group you want to modify, and then click Modify. In Figure 12, PCI Authorized Server IPs is selected.


Figure 12. Modify the built-in group

In the Manage Members for Selected Group portlet you can add authorized server IPs to the group. Enter each server IP, and then click Add to put the member in the Group Members window. When you are done, click Back.

Figure 13. Adding members to a group

You can also use the Guardium APIs to populate your groups. The appendix includes an example of how to do this.
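The appendix is not reproduced here, so as an added example (not the article's appendix and not Guardium code) here is a short Python script that turns the completed checklist into GuardAPI calls and rejects the rows that would otherwise leave a report silently empty: a group name the reports do not read, a truncated IP, a duplicate. The CSV layout and its rows are constructed; the grdapi command create_member_to_group_by_desc and its desc and member parameters are as the GuardAPI documents them, so confirm them against the reference for your release before pasting the output into the CLI.

```python
"""Added example, not the article's appendix and not Guardium code: turn the
completed PCI checklist into GuardAPI calls for the CLI, rejecting rows that
would otherwise leave a report silently empty. The CSV layout and rows are
constructed; the grdapi command and its desc/member parameters are as the
GuardAPI documents them, so confirm them against your release's reference."""
import csv
import io
import ipaddress

PCI_GROUPS = {
    "PCI Admin Users",
    "PCI Authorized Client IPs",
    "PCI Authorized Server IPs",
    "PCI Authorized Source Programs",
    "PCI Cardholder DBs",
    "PCI Cardholder Sensitive objects",
    "PCI Limited Access Users",
}
IP_GROUPS = {"PCI Authorized Client IPs", "PCI Authorized Server IPs"}

# Constructed checklist. The duplicate, the truncated IP and the misnamed
# group are deliberate: no report would flag any of them, it would simply
# return nothing for that member.
CHECKLIST_CSV = """group,member
PCI Authorized Server IPs,10.70.144.159
PCI Authorized Server IPs,10.70.144.174
PCI Authorized Server IPs,10.70.144.174
PCI Authorized Server IPs,10.70.144
PCI Cardholder DBs,CARDDB
PCI Authorized Source Programs,CARDAPP.EXE
PCI Cardholder Objects,CARDS.PAN
"""


def build_grdapi_commands(csv_text):
    """Return (commands, rejected). Each command adds one member to one group."""
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = row["group"].strip()
        member = row["member"].strip()
        if group not in PCI_GROUPS:
            rejected.append((group, member, "unknown group"))
            continue
        if not member or '"' in member:
            rejected.append((group, member, "empty member or contains a double quote"))
            continue
        if group in IP_GROUPS:
            try:
                ipaddress.ip_address(member)   # accepts IPv4 and IPv6, rejects "10.70.144"
            except ValueError:
                rejected.append((group, member, "not an IP address"))
                continue
        if (group, member) in seen:   # skip duplicates silently
            continue
        seen.add((group, member))
        commands.append(
            f'grdapi create_member_to_group_by_desc desc="{group}" member="{member}"'
        )
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_grdapi_commands(CHECKLIST_CSV)
    print("\n".join(cmds))
    for group, member, reason in bad:
        print(f"# rejected: {group!r} {member!r}: {reason}")
```

Run it against the real checklist, read the rejected lines before anything else, and then paste the commands into a CLI session. Keeping the checklist in version control and regenerating the commands on change is the simplest way to keep the inventories current, which is the API automation the Plan and organize section recommends.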


As shown in Figure 13, the authorized server IP group is populated with the following IPs:

10.70.144.159

10.70.144.174

The client-to-server map report, shown in Figure 14, which uses that authorized server IP group for its query, shows the client accesses to just those two server IPs.

Figure 14. Client-to-server map report

Track and monitor (PCI requirement 10)

Now that you've populated your groups and are able to report on PCI assets and use patterns, you're ready to move on to the Track & Monitor tab. Requirement 10 of the standard states that you must track and monitor all access to network resources and cardholder data. This tab includes a combination of reports and information to help you reach compliance with this part of the standard. Let's take a look.

Figure 15. Reports and activities to comply with Requirement 10

• 10.2 and 10.3 Automation: This section explains the requirements for this part of the standard and how InfoSphere Guardium reports help you comply. Compliance automation enables you to schedule reports and send reports to the appropriate people for action, if required, and sign-off. For more information, see the online help section entitled Protect and Comply.

• 10.2.1 Data Access: This report documents access to cardholder data and relies on the PCI Authorized Server IPs and PCI Admin Users groups (negation on the admin group means that users who are not admin users are tracked).
• 10.2.2 Admin Activity: Similar to the Data Access report, except that it tracks admin user access to PCI data.
• 10.2.3 Audit Trail Access: This section explains that compliance with this part of the standard requires that access to audit trails be logged, to detect tampering by malicious users who may attempt to hide their tracks. InfoSphere Guardium is self-monitoring, so all actions on the appliance are themselves monitored.
• 10.2.4 Invalid Access: This section contains two reports that can help you detect whether someone is attempting a brute force attack or whether an unauthorized application is accessing cardholder objects.
• 10.2.6 Initialization Log: PCI section 10.2.6 is concerned with initialization of the audit logs, because loss of the log data means that evidence is completely destroyed. This section of the PCI accelerator explains how InfoSphere Guardium handles audit logs, which are encrypted and archived to secondary storage. The data can be restored to the Guardium appliance if required for incident investigation.
• 10.5 Secure audit trails: This section explains how Guardium helps you address this section of the compliance standard, including the use of security roles for separation of duties, the use of a hardened, tamper-proof appliance to protect the audit repository, and the ability to automate the archive and purge processes.
• 10.6 Access Auditing: This section of the standard is concerned with the frequency of log review, at least daily, to ensure that a breach is detected early. With InfoSphere Guardium, you can use the audit process workflow to automate review of audit reports and create an audit trail of reviews and sign-offs to validate that you have met the requirements of this part of the standard. See Using audit processes to automate compliance workflow for more information.
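The brute force report under 10.2.4 is worth seeing as logic, because the threshold is the whole detection. What follows is an added Python example, not the article's or Guardium's code, over constructed login events; the threshold of five failures in ten minutes and the event layout are assumptions, and the threshold should come from your own baseline.

```python
"""Added example, not the article's or Guardium's code: the logic behind a
failed-login (brute force) report like the one under 10.2.4, over constructed
login events. The threshold of five failures in ten minutes and the event
layout are assumptions; set the threshold from your own baseline."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, server_ip, client_ip, db_user, succeeded).
# CARDAPP: five failures in six seconds, then a success.
# JSMITH: five failures spread over 100 minutes.
EVENTS = [
    ("2013-04-18 09:00:01", "10.70.144.159", "10.70.10.9", "CARDAPP", False),
    ("2013-04-18 09:00:03", "10.70.144.159", "10.70.10.9", "CARDAPP", False),
    ("2013-04-18 09:00:04", "10.70.144.159", "10.70.10.9", "CARDAPP", False),
    ("2013-04-18 09:00:06", "10.70.144.159", "10.70.10.9", "CARDAPP", False),
    ("2013-04-18 09:00:07", "10.70.144.159", "10.70.10.9", "CARDAPP", False),
    ("2013-04-18 09:00:09", "10.70.144.159", "10.70.10.9", "CARDAPP", True),
    ("2013-04-18 09:05:00", "10.70.144.174", "10.70.10.5", "JSMITH", False),
    ("2013-04-18 09:30:00", "10.70.144.174", "10.70.10.5", "JSMITH", False),
    ("2013-04-18 09:55:00", "10.70.144.174", "10.70.10.5", "JSMITH", False),
    ("2013-04-18 10:20:00", "10.70.144.174", "10.70.10.5", "JSMITH", False),
    ("2013-04-18 10:45:00", "10.70.144.174", "10.70.10.5", "JSMITH", False),
]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(server_ip, client_ip, db_user): details} for every account that
    failed to log in `threshold` times within `window`. A success after the
    burst is recorded, because that is the case to investigate first."""
    recent = defaultdict(deque)   # sliding window of failure times per key
    flagged = {}
    for ts, server, client, user, ok in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (server, client, user)
        if ok:
            if key in flagged:
                flagged[key]["followed_by_success"] = True
            continue
        q = recent[key]
        q.append(t)
        while t - q[0] > window:     # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(key, {
                "first_failure": q[0], "last_failure": t, "followed_by_success": False})
            entry["last_failure"] = t
    return flagged


if __name__ == "__main__":
    for key, details in failed_login_bursts(EVENTS).items():
        print(key, details)
```

JSMITH's five failures produce nothing: spaced 25 minutes apart they never share a window, which is the low-and-slow pattern a burst threshold cannot see. That gap is what the daily review of the full failed-login report under 10.6 is for, so keep both.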

Run regular security assessments (PCI requirement 11)

Click on the Ongoing validation (PCI Req 11) tab. This section of the accelerator addresses the PCI standard ("develop configuration standards for all system components") through its extensive library of assessment tests, which are built around Center for Internet Security (CIS) benchmarks and the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). For PCI Requirement 11.5, which requires regular monitoring of changes to critical system files, the assessment also includes configuration file "bad practices" tests as well as a configuration audit system that monitors any changes to those files after they have been locked down.

This section relies on capabilities found in the Vulnerability Assessment tools in InfoSphere Guardium.

From the PCI Req. 11 Ongoing Validation tab, click Overview to get the introduction about the importance of doing regular assessments of possible vulnerabilities.


1. From the left menu pane, select Security Assessment.

2. From the graphic on that pane, select Define what database you want assessed to open the Security Assessment builder.

Figure 16. Accessing security assessments

3. Click New to create a new assessment.

Figure 17. Creating a new assessment

4. Enter a description and time period for this assessment, and click Add Datasource to associate this assessment with a data source.


Figure 18. Add a datasource for the assessment

5. Enter the name and type for the database as well as the user name and password. Enter the server IP, port, and service name (if needed for that database). Click Apply, and then click Back. Use a dedicated account with only the privileges the assessment tests require rather than a DBA login, because these credentials are saved with the datasource definition.

Figure 19. Datasource details


6. Click Test Connection to make sure Guardium can connect to the data source with the provided information. If all is well, click Back.

7. In the Datasource Finder, select the data source you just created, and then click Add.

Figure 20. Add the datasource to the new assessment

This adds the data source to the assessment you are building, as shown in Figure 21. Click Apply.

Figure 21. Datasource added to the assessment

Click Configure Tests..., which brings up the screen shown in Figure 22. From your database type tab, select and add tests, which are based on database security best practices and test for known Common Vulnerabilities and Exposures (CVE) entries. You may want to start by identifying only critical exposures and then add additional tests after you fix the critical vulnerabilities.


Figure 22. Guardium includes a wide variety of built-in assessment tests

8. Click Run Once Now to run the assessment immediately. This may take a while if you have a lot of tests, which is why it is recommended to add these security tests to an audit process, which can be scheduled. (See Using audit processes to automate compliance workflow for more information.)

As shown in the excerpts in Figure 23, you get an assessment result that shows you which tests passed, which tests failed, and how you can fix the failures. There is also a graph that shows you results over time so that you can set goals and show progress.


Figure 23. Assessment test results

Again, it is recommended to run security assessment testing on a regular schedule by using the audit process to help you comply with the PCI requirements.

This section has only briefly touched on the topic of vulnerability assessments. Be sure to read the Assess and Harden online help book for more information.

Set up the security policy

Click on the PCI Policy Monitoring tab. This section of the accelerator is all about using policies, which are at the heart of how InfoSphere Guardium does its job. Click Overview to learn how InfoSphere Guardium policy-based monitoring and protection helps you comply with PCI mandates, including the ability to create a policy based on "normal" baseline activity so that deviations from that baseline can be logged as policy violations.

InfoSphere Guardium policies consist of an ordered set of rules that is applied to the observed traffic between the database clients and servers. The three main types of rules are:

• Access rules, which apply to traffic coming from the database client to the database server.
• Exception rules, which apply to any exceptions (such as SQL errors and failed logins) returned from the database server to the client.
• Extrusion rules, which apply to the data results returned to the client. This might include a policy rule to mask returned data, for example.
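What an extrusion rule does to a result set is worth seeing in code. The following is an added Python example, not the article's or Guardium's code: candidate card numbers in the returned values are confirmed with the Luhn check and masked down to the last four digits unless the requesting DB user is in an authorized group. The authorized-user group, the Luhn step and the sample rows are assumptions; in practice you tune the pattern rules the built-in PCI policy already carries rather than writing your own.

```python
"""Added example, not the article's or Guardium's code: the kind of check an
extrusion rule performs on data returned to a client. Candidate card numbers
are confirmed with the Luhn check and masked down to the last four digits
unless the DB user is in an authorized group. The group, the Luhn step and
the sample values are assumptions."""
import re

# Constructed: DB users allowed to receive full card numbers.
PCI_AUTHORIZED_USERS = {"CARDAPP"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check, which separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_match(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw          # an order ID or similar: leave it alone
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)  # keep the original separators
    return "".join(out)


def apply_extrusion_rule(db_user, value):
    """Return the value as the client should see it for this DB user."""
    if db_user in PCI_AUTHORIZED_USERS:
        return value
    return _PAN_CANDIDATE.sub(_mask_match, value)


if __name__ == "__main__":
    # Constructed result rows: (db_user, returned value)
    rows = [
        ("CARDAPP", "PAN 4111111111111111 charged"),
        ("JSMITH", "PAN 4111111111111111 charged"),
        ("JSMITH", "4111 1111 1111 1111"),
        ("JSMITH", "order 1234567890123"),
    ]
    for user, value in rows:
        print(f"{user:8} {apply_extrusion_rule(user, value)}")
```

Two things this example does not do that the product rules cover: it works on a returned string after the fact rather than inline on the result set, and it says nothing about magnetic stripe (track) data, which the built-in PCI policy also detects and which no PAN regex matches. The Luhn step is what keeps order numbers and timestamps out of the violation log; without it a pattern rule drowns the reviewer.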

Although we describe how to find the currently installed policy and view its rules, the detailed information about how to create rules and their behavior is outside the scope of this article. If you are responsible for creating policies in your organization, you should definitely review some of the materials highlighted in Resources to learn more.

1. From the left menu pane, click Policy Description to see the currently installed policy, which will look something like Figure 24.

Figure 24. Installed policy

2. To edit or create a new policy, click on the Monitor/Audit tab. This takes you to the policy finder, where you can find a list of predefined policies that you can modify. You can create your own policy by creating new rules or by cloning an existing policy and modifying the rules. Let's see how to do that.

3. Click on the policy you want to modify, such as PCI, and click Clone.


Figure 25. Cloning an existing policy to modify its rules

4. Give the policy a new name, and then click Save.

Figure 26. MYPCI new name

5. Select your policy from the policy finder list, and then click Edit Rules....


Figure 27. Modifying rules of cloned policy

6. As shown in Figure 28, you will see a collapsed list of all the policy rules in the PCI policy that you can modify for your environment. You'll see many different rules, including ones that detect and log violations for access to credit card magnetic stripe data and credit card number patterns, as well as masking those numbers upon return to an unauthorized user. To view a rule, click on the plus sign. To modify the rule, click on the pencil icon as shown in Figure 28, where you are modifying rule 6.


Figure 28. Click on pencil icon to modify a rule

7. Figure 29 is policy rule 6 expanded. Here, you can see two groups, Cardholder DB Objects and DDL commands, that you need to add members to if you have not done so already. Remember how we said that Group Builder can be found in many places in Guardium? You can see it here in the Policy Builder as well.


Figure 29. Modify Cardholder Objects and DDL commands groups for this rule

8. Click the Group Builder icon and add members to the group, as described in Populating groups.

9. Any time you change a policy, you must install the policy. Installing is a simple click of a button, but you will not do that here, because you are just looking at an existing PCI policy to see some of the rules that you may want to use for your environment.

10. Now navigate back to PCI Accelerator > PCI Policy Monitoring, and from the left menu pane select Policy Violations. This is where any policy rules that are triggered appear. You can define the severity of a rule as INFO, LOW, MEDIUM, or HIGH. Figure 30, for example, is an excerpt of Rule #4 of the built-in PCI policy, which has a medium severity.

Figure 30. A medium severity alert for an exception violation

The violations are color coded in the Policy Violations report according to severity.


Use audit processes to automate compliance

A key ingredient in the recipe to reduce the burden of PCI compliance and to maintain an audit trail of all reviews and approvals is to use an audit process, which lets you define:

• What activities, such as reports or security assessments.
• Who has to review or sign off.
• When the activities in this audit process run. For example, some activities must be run daily, others may be weekly, monthly, or even quarterly.

Figure 31 shows a sample audit process flow. In this example, the PCI owner must review and approve all new connections to the database. That gets passed on to the Information Security officer, who must review it, and finally to the Guardium administrator, who has a task to perform to ensure that the approved connection does not get reported as a violation in the future. The PCI owner and the Guardium administrator receive PDFs and CSVs of the report in their e-mail, while the Information Security officer receives a link to the report.

Figure 31. Audit process workflows automate compliance processes

The audit process shown in Figure 31 can be run on a scheduled basis to ensure that new connections are being reviewed and acted upon in a timely fashion.

Figure 32 shows an example of the audit trail comments that are included with the report.

Figure 32. The comments are included with the report for auditing


Reports can be automatically fed to a content repository such as Microsoft™ SharePoint after all the previous receivers have reviewed and signed off. This makes it easy to retrieve all the information you need to satisfy an audit, including comments from the reviewers, without requiring retrieval of archived audit data.

In addition, by using the data-level security feature in InfoSphere Guardium, you can define a single report and still ensure that only those people who are associated with a particular database server see results for that server. For more information about using data-level security and audit processes, refer to the developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (see Resources).

Summary

By following the best practices outlined by the standards, you are taking a major leap forward in protecting your data assets from costly and embarrassing breaches.

InfoSphere Guardium standards accelerators are designed specifically to make it easy to demonstrate compliance to various standards such as PCI, Basel II, Sarbanes-Oxley, and data privacy. Not only are report and policy templates included for you, the accelerator itself helps you demonstrate to an auditor specifically which section of the compliance standard is being addressed and how. Automated workflow management helps you maintain compliance with a reduced total cost of ownership.

Appendix: Use InfoSphere Guardium API to populate groups

InfoSphere Guardium has a rich set of APIs to help you automate configuration and maintenance of groups. You can get more information in the Appendices help or from the command-line interface (CLI).

When logged in as CLI or as a user with a CLI role, to see a list of all grdapi commands, enter:

CLI> grdapi

To see the parameters for a particular command, enter the command and --help=true as shown here:

CLI> grdapi create_member_to_group_by_desc --help=true

Listing 1 shows an example of using the APIs to populate PCI groups and to list the members of those groups.

Listing 1. Using the Guardium APIs to populate groups for PCI compliance

-- Populate PCI groups
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="Joe"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="JDiPietro"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="SA"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="System"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="DB2inst2"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="bill"

grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.56"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.251"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.57"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.250"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.249"

grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.56"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.57"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.251"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.250"

grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="%SQLPLUS%"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="SQLPLUS"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="SAP"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="Oracle EBS"

grdapi create_member_to_group_by_desc desc="PCI Cardholder DBs" member="master"
grdapi create_member_to_group_by_desc desc="PCI Cardholder DBs" member="creditcard"

grdapi create_member_to_group_by_desc desc="PCI Cardholder Sensitive objects" member="creditcard"
grdapi create_member_to_group_by_desc desc="PCI Cardholder Sensitive objects" member="cc"
grdapi create_member_to_group_by_desc desc="PCI Cardholder Sensitive objects" member="patient"

grdapi create_member_to_group_by_desc desc="PCI Limited Access Users" member="harry"

-- Verify members added to group
grdapi list_group_members_by_desc desc="PCI Limited Access Users"
grdapi list_group_members_by_desc desc="PCI Cardholder Sensitive objects"
grdapi list_group_members_by_desc desc="PCI Cardholder DBs"
grdapi list_group_members_by_desc desc="PCI Authorized Source Programs"
grdapi list_group_members_by_desc desc="PCI Authorized Server IPs"
grdapi list_group_members_by_desc desc="PCI Authorized Client IPs"
grdapi list_group_members_by_desc desc="PCI Admin Users"
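As an added example (not part of the original article and not Guardium's own code), the Python script below generates a grdapi script in the shape of Listing 1 from a table of group members, de-duplicating entries and rejecting malformed addresses in the IP groups before anything is pasted into the CLI. The member table is constructed for illustration, and the quoting rule (double quotes, no embedded quotes or newlines) is an assumption about the grdapi syntax, not documented behaviour.

```python
import ipaddress

# Constructed sample, mirroring a subset of the groups in Listing 1.
# "Joe" is listed twice on purpose to show de-duplication.
PCI_GROUPS = {
    "PCI Admin Users": ["Joe", "SA", "bill", "Joe"],
    "PCI Authorized Client IPs": ["10.10.9.56", "10.10.9.251"],
    "PCI Authorized Server IPs": ["10.10.9.56", "10.10.9.57"],
    "PCI Cardholder DBs": ["master", "creditcard"],
}


def grdapi_quote(value: str) -> str:
    """Wrap a parameter value in double quotes (assumed grdapi syntax).
    Embedded quotes or line breaks are rejected so a member name can never
    terminate the argument early or turn into a second CLI command."""
    if any(c in value for c in '"\n\r'):
        raise ValueError(f"unsafe characters in value: {value!r}")
    return f'"{value}"'


def validate_member(desc: str, member: str) -> None:
    """Reject empty members, and require a parseable IP address for the
    allow-list groups whose description ends in 'IPs' (a typo there would
    silently leave a real client or server uncovered by the policy)."""
    if not member.strip():
        raise ValueError(f"empty member for group {desc!r}")
    if desc.endswith("IPs"):
        ipaddress.ip_address(member)  # raises ValueError on malformed input


def build_grdapi_script(groups: dict) -> list:
    """Return the create and verify command lines, one string per line.
    Members are de-duplicated per group with their original order kept."""
    lines = ["-- Populate PCI groups"]
    for desc, members in groups.items():
        unique = []
        for m in members:
            validate_member(desc, m)
            if m not in unique:
                unique.append(m)
        for m in unique:
            lines.append("grdapi create_member_to_group_by_desc "
                         f"desc={grdapi_quote(desc)} member={grdapi_quote(m)}")
    lines.append("-- Verify members added to group")
    for desc in groups:
        lines.append(f"grdapi list_group_members_by_desc desc={grdapi_quote(desc)}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_grdapi_script(PCI_GROUPS)))
```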


Downloads

Description                  Name              Size
PCI pre-auditing checklist   PCIpre-audit.pdf  143KB


Resources

Learn

• The Getting started with PCI security standards website is a great introduction to the PCI DSS standard.

• This article cites the Verizon Data Breach Investigation Report 2010. Links to all reports can be found at the Verizon Enterprise website.

• The InfoSphere Guardium website includes links to white papers, demos, and more.

• The developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (developerWorks, February 2013) includes step-by-step instructions for how to enable data-level security and how to incorporate it into an audit process workflow.

• A new developerWorks community for InfoSphere Guardium is evolving to include links to relevant technical content, industry-specific information, and FAQs. Join the community and help it grow.

• Visit the InfoSphere Guardium Tech Talk page to find links to recordings of previous tech talks and get information about upcoming talks.

• The InfoSphere Guardium Information Center includes many "how-tos" to help you make the most of the InfoSphere Guardium data activity monitoring solution. The topic of creating a visual access map is covered in this topic of the Information Center.

• Watch videos on the InfoSphere Guardium YouTube channel, including demos of support for SAP, DB2 for z/OS, and others.

• Stay current with information, events, and industry news related to data security and privacy by registering for the InfoSphere Guardium newsletter.

• Follow developerWorks on Twitter.

Get products and technologies

• Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.

Discuss

• Get involved in the Guardium users group on LinkedIn to ask questions and get advice from other users.


About the authors

Kathryn Zeidenstein

Kathy Zeidenstein has worked at IBM for a bazillion years. Currently, she is working as a technology evangelist for InfoSphere Guardium data activity monitoring, based out of the Silicon Valley Lab. Previously, she was an Information Development Manager for InfoSphere Optim data lifecycle tools. She has had roles in technical enablement, product management and product marketing within the Information Management and ECM organizations at IBM.

Shengyan Sun

Shengyan Sun has focused on IBM InfoSphere Guardium core component testing since she joined IBM in 2010. She works closely with customers and actively promotes the application of InfoSphere Guardium in the Asia-Pacific market. She had many years of experience in DBA and data analysis system development before joining IBM.

© Copyright IBM Corporation 2013 (www.ibm.com/legal/copytrade.shtml) Trademarks (www.ibm.com/developerworks/ibm/trademarks/)