PAM Audit Evidence Assistance

Document ID : KB000106926
Last Modified Date : 16/10/2018
Introduction:
An audit team may ask for proof that CA PAM is not vulnerable. Here is some information that will help to satisfy the auditors.
Instructions:
The PAM online documentation, e.g. at https://docops.ca.com/ca-privileged-access-manager/3-2-2/EN/implementing/protect-privileged-account-credentials/default-ports-for-credential-manager, contains information about the various ports used by PAM. Below are 3 options for checking PAM:

1. You can run a vulnerability analysis tool, like Qualys.
2. You can use an SSL checker, like Symantec.
3. You can run a web application tool, like WebInspect.

A third-party tool would probably be preferred by the audit team. The results are more likely to be believed if they come from an independent party.