Implement Strong Access Control Measures

The following are recommendations and information for the Implement Strong Access Control Measures requirements.

Requirement 7: Restrict access to cardholder data by business need to know

  • Omni-Gen user-facing applications, such as Omni Governance Console, utilize WSO2 for secure access. The user is advised to follow the WSO2 guidelines for role and user management, or to enable the integration with an existing security system such as LDAP/AD using WSO2. For detailed information, see the WSO2 user manual and the Omni Governance Console User's Guide.
  • Omni-Gen operations interfaces, such as Omni-Gen Server Console and Deployment Console, utilize internal user authentication and should be made available only to designated operations users, who should be able to access system-level information only.
  • Access to Omni-Gen developer tools, such as Data Quality Server and Omni Designer, should be granted to developers only. The client is advised to utilize a source management system for user management.
  • The administrative users who are authorized to assign roles and manage user access should be given proper training on which components are required to be accessed by which role-based user. This information should be documented and referred to.

Requirement 8: Identify and authenticate access to system components

Recommendations and Information for Requirement 8.1

Omni-Gen does not provide an internal user management facility, but instead uses externalized systems, such as AD/LDAP, WSO2, and Source Management, for user access. The client is advised to refer to the available documentation for the user management aspect based on the utilized component. Integration with the corporate level systems, such as Active Directory (AD), should ensure that user access is automatically synchronized across corporate access and Omni-Gen Governance access, eliminating the need for double maintenance.

Recommendations and Information for Requirement 8.2

Access to the user management systems themselves should be made available only to vetted administrators who are trusted to have access to such systems. User administration tasks, such as adding a user or altering user roles, should be monitored according to client requirements.

Recommendations and Information for Requirement 8.7

Any access to the data sources, which may contain sensitive information, shall be managed and restricted by the client's network and security policies, which are in place outside of the Omni-Gen product.

Any direct access to the Omni-Gen database repositories shall be protected by the client's existing security model, ensuring that only approved users can get direct access. The physical systems where the data may reside shall be protected by the network security model, following the client requirements.

Any externalization of data to outside, non-Omni-Gen consumers, such as customized applications and reports, should be done by creating a layer of abstraction, such as Consumption Views, to limit or filter the authorized data to be exposed. The Omni-Gen Consumption View builder enables the client to generate a slice of data for a specific type of end user application, thus ensuring that no sensitive data is included unless the end user application is authorized to access it.
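As an illustration of the Consumption View pattern described above, the following is a constructed plain SQL example; it is not output of the Omni-Gen Consumption View builder and is not part of the original document, and the table, column, view and role names are assumptions.

```sql
-- Constructed illustration of the Consumption View pattern in plain SQL.
-- Table, column, view and role names are assumptions, not Omni-Gen's schema.

-- Base table holding cardholder data. No consuming application is granted
-- access to it directly; only the service account that owns the repository is.
CREATE TABLE cardholder (
    customer_id   INTEGER PRIMARY KEY,
    full_name     VARCHAR(100) NOT NULL,
    pan           CHAR(16)     NOT NULL,   -- primary account number (sensitive)
    expiry_month  SMALLINT     NOT NULL,
    expiry_year   SMALLINT     NOT NULL,
    region        VARCHAR(32)  NOT NULL
);

-- Consumption view for a reporting application: exposes only the slice the
-- report needs, drops the expiry date, and masks the PAN to its last four digits.
CREATE VIEW v_cardholder_reporting AS
SELECT
    customer_id,
    full_name,
    '************' || SUBSTR(pan, 13, 4) AS pan_masked,
    region
FROM cardholder;

-- Least privilege: the reporting role can read the view, never the base table.
CREATE ROLE reporting_app;
REVOKE ALL ON cardholder FROM reporting_app;
GRANT SELECT ON v_cardholder_reporting TO reporting_app;

-- A consumer that is authorized to see the full PAN (for example, a dispute
-- handling application) gets its own view and role, so the authorization
-- decision lives in the database grants rather than in each consuming application.
CREATE VIEW v_cardholder_full AS
SELECT customer_id, full_name, pan, expiry_month, expiry_year, region
FROM cardholder;

CREATE ROLE dispute_app;
REVOKE ALL ON cardholder FROM dispute_app;
GRANT SELECT ON v_cardholder_full TO dispute_app;
```

Access to the views is then reviewed per role rather than per application, which is what the need-to-know requirement asks for.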

Requirement 9: Restrict physical access to cardholder data

These requirements are not applicable to the Omni-Gen product line.