turbot/steampipe-mod-gcp-compliance

Benchmark: Requirement 7: Restrict access to cardholder data by business need to know

Description

To implement strong access control measures, service providers and merchants must be able to allow or deny access to cardholder data systems. This requirement is about role-based access control (RBAC), which grants access to card data and systems on a need-to-know basis. Need to know is a fundamental concept within PCI DSS. Access control systems (e.g. Active Directory, LDAP) must assess each request to prevent exposure of sensitive data to those who do not need it. You must have a documented list of all users, with their roles, who need access to the cardholder data environment. For each user this list must contain the role, the definition of that role, the current privilege level, the expected privilege level, and the data resources the user needs in order to perform operations on card data.
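The review the description asks for, comparing what is actually granted with the documented need-to-know list, is illustrated below as an added example; it is not one of this mod's controls and not code from the Steampipe or Powerpipe projects. The IAM policy is a constructed sample in the standard GCP policy JSON shape (a list of `bindings`, each a role with its members, as `gcloud projects get-iam-policy --format=json` prints it), and `EXPECTED_ACCESS` is a constructed stand-in for the documented access list. Basic roles (`roles/owner`, `roles/editor`, `roles/viewer`) and the public principals `allUsers` / `allAuthenticatedUsers` are real GCP identifiers; treating them as findings is this example's policy choice, not a PCI DSS rule.

```python
"""Need-to-know review of a GCP IAM policy against a documented access list.

Added example, not part of steampipe-mod-gcp-compliance. The policy and the
expected-access list are constructed samples.
"""
import json

# Constructed sample in the shape `gcloud projects get-iam-policy` returns as JSON.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudsql.viewer",
         "members": ["user:bob@example.com", "group:cde-analysts@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
    ]
})

# Constructed documented list: principal -> roles justified by a business need.
EXPECTED_ACCESS = {
    "user:alice@example.com": {"roles/cloudsql.admin"},
    "user:bob@example.com": {"roles/cloudsql.viewer"},
    "group:cde-analysts@example.com": {"roles/cloudsql.viewer"},
}

# Basic roles grant broad project-wide access; public principals grant it to everyone.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def grants_by_member(policy):
    """Invert the bindings list into member -> set of granted roles."""
    grants = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            grants.setdefault(member, set()).add(binding["role"])
    return grants


def review_policy(policy_json, expected):
    """Return sorted (member, role, finding) tuples for grants that exceed the list.

    Checks are ordered so a public principal or basic role is reported as such
    even when the member is otherwise documented.
    """
    findings = []
    for member, roles in grants_by_member(json.loads(policy_json)).items():
        for role in sorted(roles):
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, role, "public principal"))
            elif role in BASIC_ROLES:
                findings.append((member, role, "basic role"))
            elif member not in expected:
                findings.append((member, role, "undocumented principal"))
            elif role not in expected[member]:
                findings.append((member, role, "role not justified"))
    return sorted(findings)


def missing_grants(policy_json, expected):
    """Return sorted (member, role) pairs documented as needed but not granted.

    This is the other direction of privilege drift: the documented list says the
    role is required, yet the current policy does not grant it.
    """
    grants = grants_by_member(json.loads(policy_json))
    return sorted(
        (member, role)
        for member, roles in expected.items()
        for role in roles
        if role not in grants.get(member, set())
    )


if __name__ == "__main__":
    for member, role, finding in review_policy(SAMPLE_POLICY_JSON, EXPECTED_ACCESS):
        print(f"EXCESS   {finding:22} {member} -> {role}")
    for member, role in missing_grants(SAMPLE_POLICY_JSON, EXPECTED_ACCESS):
        print(f"MISSING  documented but not granted  {member} -> {role}")
```

Running the script on the constructed sample reports the owner and viewer basic roles, the `allAuthenticatedUsers` grant, and Bob's unjustified object-viewer role as excess access, and Alice's documented `roles/cloudsql.admin` as a grant the policy does not contain. Against a real project the policy JSON would replace the sample and the documented list would come from the access register Requirement 7 requires.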

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Requirement 7: Restrict access to cardholder data by business need to know.

Run this benchmark in your terminal:

powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_7

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321_requirement_7 --share

Benchmarks

Tags