Security profiles: General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI-DSS)
Learn how the Hardware Management Console (HMC) handles personal data and which PCI-DSS requirements apply to it.
The Hardware Management Console (HMC) is a closed appliance that does not store any cardholder data. Hence, only a subset of the requirements and security assessment procedures that are defined by PCI-DSS apply to the HMC. Only trusted code that is distributed by IBM® can be installed on the HMC. When a vulnerability becomes known through the IBM PSIRT process, interim fixes are published. The following tables summarize the requirements and recommendations:
GDPR queries
| Questions | Answers |
|---|---|
| What kind of data is stored in the HMC? | The HMC stores Power® hardware information, PowerVM® virtualization information, and performance metrics. |
| Does the HMC process any personal data? | You can provide contact information for the call home function. Providing contact information for the call home function is optional. |
| Which predefined accounts are used for system administration of the HMC? | The system administrator uses the hscroot user ID. |
| Do any of the accounts in the HMC relate to a specific person? | No. |
| Is it mandatory to provide personal data in the HMC? | No. Providing personal data is optional; the only personal data that the HMC can hold is the contact information that you optionally supply for the call home function. |
| Does the HMC log file have any personal data information? | No. |
| Is it possible to delete personal data completely and permanently? | Yes. Unconfigure the call home function, which removes the contact information that was supplied for it. |
PCI-DSS queries
| Questions | Answers |
|---|---|
| How to install and maintain a firewall configuration to protect the data of the cardholder? | The HMC does not store or access any cardholder data. However, the HMC provides a firewall configuration through which you control which ports are enabled. |
| Can I use vendor-supplied default values for system passwords and other security parameters? | No. Before you connect the HMC to the network, change the predefined password of the hscroot user. |
| How does the HMC protect the stored data of the cardholder? | The HMC does not store or access any cardholder data. |
| How does the HMC encrypt the data of the cardholder when the data is transmitted across open public networks? | The HMC does not store or access any cardholder data. |
| How to use and regularly update anti-virus software programs? | The HMC is a closed appliance on which only trusted code that is distributed by IBM can be installed, so third-party anti-virus software is neither installable nor required. Keep the HMC current with the fixes that IBM publishes instead. |
| How to develop and maintain secure systems and applications? | Only trusted code that is distributed by IBM can be installed on the HMC. You must download the required fixes from the IBM Fix Central website and install them manually. |
| Does the HMC restrict access to the cardholder data? | The HMC does not store or access any cardholder data. |
| How to assign a unique ID to each person who has access to the computer? | You can implement this requirement by ensuring that no user IDs are shared and by enforcing the HMC password policies. |
| How to restrict the physical access to the data of the cardholder? | The HMC does not store or access any cardholder data. |
| How to track and monitor the access to network resources and to the cardholder data? | The HMC does not store or access any cardholder data. |
| How does the HMC test the security of the system and processes? | Security scans are run on every released version of the HMC. The scan tools include Qualys, Nessus, testssl, sslscan, and ASoC. |
| How to maintain a security policy that includes information security for employees and contractors? | The system administrator disables remote user login, enables a user login only when it is needed, and disables that login again when the access is no longer required. |