1. Requirement 1: Design, Implement & Maintain Secure Networks
    1. 1.1 Rules for installing & maintaining effective Network Security Controls (NSCs) are defined & understood
      1. 1.1.1 Documentation in support of the design, implementation & maintenance of secure networks is maintained, in use and known by all affected parties.
        1. Network Security Policy
        2. Network Diagram(s)
        3. Data Flow Diagrams
        4. Change Management Policy
        5. NSC configuration standards
        6. Secure Systems Configuration Policy
        7. Mobile device policy
        8. RACI Matrix
      2. 1.1.2 Secure Network roles & responsibilities are: - Documented. - Assigned. - Understood.
    2. 1.2 NSCs are securely configured and maintained
      1. 1.2.1 NSC Configuration Standards are: - Defined. - Implemented. - Maintained.
      2. 1.2.2 Changes to network connections & NSC configurations are approved & managed.
      3. 1.2.3 Create & maintain accurate network diagrams, showing: - All connections between CDE and other networks (e.g.,Demarcation between Trusted, Semi-Trusted & Untrusted network zones). - Demarcation of wireless environments.
      4. 1.2.4 Create & maintain accurate Data Flow Diagrams (DFDs): - Data touch points. - Updated in response to changes to the environment.
      5. 1.2.5 All legitimate Services, Protocols & Ports(SPPs) are identified, approved & documented.
      6. 1.2.6 All in-use insecure SPPs are identified & risk mitigated.
      7. 1.2.7 NSC configurations are subject to 6-monthly reviews.
      8. 1.2.8 NSC configuration files are securely retained & access strictly controlled.
    3. 1.3 Inbound & Outbound Network Traffic Flows are strictly controlled
      1. 1.3.1 Inbound traffic to the CDE is strictly controlled
      2. 1.3.2 Outbound network traffic from the CDE is strictly controlled.
      3. 1.3.3 Wireless environments are segregated. - Regardless if the wireless network is a CDE, or not. - Wireless traffic into CDE is denied by default. - Only authorized wireless traffic is allowed into CDE.
    4. 1.4 Control network connections between trusted & untrusted network zones.
      1. 1.4.1 NSCs are appropriately sited between trusted and untrusted network zones.
      2. 1.4.2 Inbound traffic into trusted network zone is strictly controlled: - Communications with systems that provide publicly accessible SPPs. - Stateful responses to communications initiated by systems within a trusted zone. - All other traffic is denied.
      3. 1.4.3 Prevent spoofing into the trusted network.
      4. 1.4.4 Data storage systems are not directly accessible for the untrusted networks.
      5. 1.4.5 Unauthorised disclosure of internal IP addresses is prevented: - Restricted to authorised parties only.
    5. 1.5 Risks to the CDE, from computer devices that have connectivity between the CDE and untrusted networks are mitigated.
      1. 1.5. Appropriate security controls are implemented on computer devices that have connectivity between the CDE and untrusted networks: - Specific configuration settings. - Actively running security controls. - Altering of security controls is strictly limited, documented and authorised on a case-by-case basis.
  2. Requirement 2: Design, Implement & Maintain Secure Systems
    1. 2.1 Rules for installing & maintaining secure systems are defined & understood
      1. 2.1.1 Documentation in support of the design, implementation & maintenance of secure networks is maintained, in use and known by all affected parties.
        1. Secure Systems Policy
        2. Systems Configuration Standards
        3. Industry Hardening Benchmarks
        4. Secure Wireless Policy
      2. 2.1.2 Secure Systems roles & responsibilities are: - Documented. - Assigned. - Understood.
    2. 2.2 All in-scope systems are securely configured and maintained.
      1. 2.2.1 All in-scope systems are locked down and hardened against configuration standards (developed using industry standards).
      2. 2.2.2 Change vendor defaults for all in-scope systems.
      3. 2.2.3 Configure appropriate primary functions
      4. 2.2.4 Remove or disable all unnecessary functionality (e.g., Services, Protocols & Daemons).
      5. 2.2.5 Document business justification and any additional security features used to mitigate any identified insecure services, protocols or daemons.
      6. 2.2.6 Prevent misuse through the configuration of system security parameters
      7. 2.2.7 Encrypt non-console (remote) access.
    3. 2.3 In-Scope wireless environments are securely configured & maintained.
      1. 2.3.1 CDE connected or account data transmitting wireless environments are securely configured & maintained: - Change default wireless keys. - Wireless access point password management. - Change SNMP defaults. - Change any other security-related wireless vendor defaults.
        1. 2.3.2 Encryption key management
  3. 6.5.1 Change Management. - Reason for change. - Documented security impact. - Documented approval. - Verification of no impact. - Bespoke & custom software updates are tested I.A.W. 6.2.4 before going live. - Rollback considerations are identified.
  4. 12.5 PCI DSS Scope