iWay Service Manager Security Guide > Implementation for PCI Security Standards > Regularly Monitor and Test Networks

Regularly Monitor and Test Networks

Topics:

The following are recommendations and information for the Regularly Monitor and Test Networks requirements.

Requirement 10: Track and monitor all access to network resources and cardholder data

Recommendations and Information for Requirement 10

  • iWay applications do not use persistent stores, unless specifically configured to do so. In the case the persistent store is used, for example, Database, the user is advised to utilize the tools available for that system to monitor any external unintended access to that data. In general, persistent stores should be dedicated to the use by the application and not be accessed by another consumer.
  • iWay applications are transaction processing systems and do not store data for presentation or external access purposes, such logging of the data usage is not applicable outside of the transaction processing life cycle.
  • iWay applications log information at different levels, ranging from minimal, such as ERROR level, to a full trail, such as DEEP level. This log applies to the transaction processing as it happens within the iWay application. The log is available under the application log directory for inspection.
  • iWay application management events such as deployment, starting, stopping, and others are logged and tracked with user-specific details and event status.

Requirement 11: Regularly test security systems and processes

Recommendations and Information for Requirement 11

  • iWay Service Manager has an array of security features for ensuring data and application integrity. It provides for secure data processing with an array of security and encryption functions. It enables secure data transport on an array of secure protocols, including SFTP, AS2, and many others. It ensures application integrity by enabling the user to integrate with Source Management Systems, as well as having its run-time configurations signed to prevent any unintended physical access to the configuration files. iWay is constantly monitoring and updating its facilities to meet the industry standards.

Recommendations and Information for Requirement 11.5

  • The user is advised to protect the access to the iWay Service Manager run-time directory, which contains the following critical folders:
    • <iWayHome>\config
      • Contains all applications hosted by this server. Each subfolder represents an application and its configuration details.
      • \<app_name>\app_name.xml is a file that represents the run-time configuration for the application, also known as a dictionary file. This file is signed using the XML Digital Signatures. The user has an option to start the application with security enabled, which will force the validation of the signature and any unwanted manual manipulation of this file will prevent the application from starting.
    • <iWayHome>\etc\manager\extension
      • Contains the extended libraries for the application to load the additional connectors and components for runtime.
    • <IWayHome>\lib
      • Contains the core libraries for applications, as well as third-party libraries shared across applications.
    • <iWayHome>\bin
      • Contains startup and shutdown scripts.