Security profiles: General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI-DSS)

Learn how the Hardware Management Console (HMC) handles the privacy rights of customers and which PCI-DSS requirements apply to it.

The Hardware Management Console (HMC) is a closed appliance that does not hold any cardholder data. Hence, only a subset of the IT security requirements and security assessment procedures that are defined by PCI DSS are applicable to the HMC. Only trusted code that is distributed by IBM® can be installed on the HMC. As soon as a vulnerability becomes known through the IBM PSIRT process, a fix is published. The requirements and recommendations include the following items:

GDPR queries

Table 1. GDPR queries. The table provides information on the questions related to GDPR.

Question: What kind of data is stored by the HMC?
Answer: The HMC stores Power® hardware, PowerVM® virtualization configuration, and performance metrics information.

Question: Does the HMC process any personal data?
Answer: You can provide contact information for the call home function. Providing contact information for the call home function is optional.

Question: Which predefined accounts are used for system administration of the HMC?
Answer: The system administrator user uses the hscroot username.

Question: Do any of the accounts in the HMC relate to a specific person?
Answer: No.

Question: Is it mandatory to provide personal data in the HMC?
Answer: No. You do not need to provide personal data; providing the information is optional.

Question: Does the HMC log file contain any personal data?
Answer: No.

Question: Is it possible to delete personal data completely and permanently?
Answer: Yes, by unconfiguring call home.

PCI-DSS queries

Table 2. PCI-DSS queries. The table provides information on the questions related to PCI-DSS.

Question: How to install and maintain a firewall configuration to protect cardholder data?
Answer: The HMC does not store or access any cardholder data. However, the HMC has a firewall configuration, and you can control and enable specific ports.

Question: Can I use vendor-supplied default values for system passwords and other security parameters?
Answer: Before you install a system on the network, change all the predefined passwords of the hscroot user.

Question: How does the HMC protect stored cardholder data?
Answer: The HMC does not store or access any cardholder data.

Question: How does the HMC encrypt cardholder data when the data is transmitted across open public networks?
Answer: The HMC does not store or access any cardholder data.

Question: How to use and regularly update anti-virus software programs?
Answer: The HMC is a closed appliance, so malware cannot infect the HMC.

Question: How to develop and maintain secure systems and applications?
Answer: You must install the required patches to your system manually from the IBM Fix Central site. Only trusted code that is distributed by IBM can be installed on the HMC.

Question: Does the HMC restrict access to cardholder data?
Answer: The HMC does not store or access any cardholder data.

Question: How to assign a unique ID to each person who has access to the computer?
Answer: You can implement this requirement by ensuring that there are no shared IDs and that you follow the password policies.

Question: How to restrict physical access to cardholder data?
Answer: The HMC does not store or access any cardholder data.

Question: How to track and monitor access to network resources and to cardholder data?
Answer: The HMC does not store or access any cardholder data.

Question: How does the HMC test the security of the system and processes?
Answer: Scan tools are used to run security scans on all released versions of the HMC. The scan tools include Qualys, Nessus, testssl, sslscan, and ASoC.

Question: How to maintain a security policy that includes information security for employees and contractors?
Answer: The system administrator disables remote user login, activates user logins on a need basis, and deactivates a user login when the access is no longer required.

Last updated: Mon, April 13, 2020