09-08-2014 12:11 PM - edited 03-01-2019 09:10 AM
Looking for information on how Tidal is treated/mitigated within PCI environments within banks and retailers.
09-10-2014 06:42 AM
We're going through a PCI compliance audit right now, and TIDAL is out of scope.
(We're a wireless telecom.)
09-30-2014 03:31 PM
At a company I worked for, Tidal was in-scope as it ran jobs on in-scope applications. We had to show how security policies were set up to prevent unauthorized Tidal users from accessing those jobs or the agent/adapter. We had to show what our procedure was for adding and deleting interactive users. We had to show that alerts were generated for job failures for those applications, show how we entered the incidents in our ticketing system, and then show how we responded to the incident and what our resolution was.
I did a couple of things to help with the process. One was to require that an agent/adapter be defined on each job, not inherited, to ease showing auditors what job was running on what system. (I know this one might generate comments. I was over-cautious since it was a financial audit. 6.x also improves searching.) The second was that we were required to keep a full fiscal year up to the time of the audit, so I built a process to copy data to a Tidal_Archive database that I built. That way my production database stayed small, but I still had the history (alerts, operator actions, logs, events) for review.
Hope that helps,
Michelle