-
Requirement 1:
Design, Implement & Maintain Secure Networks
-
1.1 Rules for installing & maintaining effective Network Security Controls (NSCs) are defined & understood
-
1.1.1 Documentation in support of the design, implementation & maintenance of secure networks is maintained, in use and known by all affected parties.
-
Requirement 1 Documentation
- Network Security Policy
- Network Diagram(s)
- Data Flow Diagrams
- Change Management Policy
- NSC configuration standards
- Secure Systems Configuration Policy
- Vendor Documents
- Mobile device policy
- RACI Matrix
- 1.1.2 Secure Network roles & responsibilities are:
- Documented.
- Assigned.
- Understood.
-
1.2 NSCs are securely configured and maintained
- 1.2.1 NSC Configuration Standards are:
- Defined.
- Implemented.
- Maintained.
- 1.2.2 Changes to network connections & NSC configurations are approved & managed.
- 1.2.3 Create & maintain accurate network diagrams, showing:
- All connections between CDE and other networks (e.g.,Demarcation between Trusted, Semi-Trusted & Untrusted network zones).
- Demarcation of wireless environments.
- 1.2.4 Create & maintain accurate Data Flow Diagrams (DFDs):
- Data touch points.
- Updated in response to changes to the environment.
- 1.2.5 All legitimate Services, Protocols & Ports(SPPs) are identified, approved & documented.
- 1.2.6 All in-use insecure SPPs are identified & risk mitigated.
- 1.2.7 NSC configurations are subject to 6-monthly reviews.
- 1.2.8 NSC configuration files are securely retained & access strictly controlled.
-
1.3 Inbound & Outbound Network Traffic Flows are strictly controlled
- 1.3.1 Inbound traffic to the CDE is strictly controlled
- 1.3.2 Outbound network traffic from the CDE is strictly controlled.
- 1.3.3 Wireless environments are segregated.
- Regardless if the wireless network is a CDE, or not.
- Wireless traffic into CDE is denied by default.
- Only authorized wireless traffic is allowed into CDE.
-
1.4 Control network connections between trusted & untrusted network zones.
- 1.4.1 NSCs are appropriately sited between trusted and untrusted network zones.
- 1.4.2 Inbound traffic into trusted network zone is strictly controlled:
- Communications with systems that provide publicly accessible SPPs.
- Stateful responses to communications initiated by systems within a trusted zone.
- All other traffic is denied.
- 1.4.3 Prevent spoofing into the trusted network.
- 1.4.4 Data storage systems are not directly accessible for the untrusted networks.
- 1.4.5 Unauthorised disclosure of internal IP addresses is prevented:
- Restricted to authorised parties only.
-
1.5 Risks to the CDE, from computer devices that have connectivity between the CDE and untrusted networks are mitigated.
- 1.5. Appropriate security controls are implemented on computer devices that have connectivity between the CDE and untrusted networks:
- Specific configuration settings.
- Actively running security controls.
- Altering of security controls is strictly limited, documented and authorised on a case-by-case basis.
-
Requirement 2:
Design, Implement & Maintain Secure Systems
-
2.1 Rules for installing & maintaining secure systems are defined & understood
-
2.1.1 Documentation in support of the design, implementation & maintenance of secure networks is maintained, in use and known by all affected parties.
-
Requirement 2 Documentation
- Secure Systems Policy
- Systems Configuration Standards
- Industry Hardening Benchmarks
- Vendor Documents
- Secure Wireless Policy
- 2.1.2 Secure Systems roles & responsibilities are:
- Documented.
- Assigned.
- Understood.
-
2.2 All in-scope systems are securely configured and maintained.
- 2.2.1 All in-scope systems are locked down and hardened against configuration standards (developed using industry standards).
- 2.2.2 Change vendor defaults for all in-scope systems.
- 2.2.3 Configure appropriate primary functions
- 2.2.4 Remove or disable all unnecessary functionality (e.g., Services, Protocols & Daemons).
- 2.2.5 Document business justification and any additional security features used to mitigate any identified insecure services, protocols or daemons.
- 2.2.6 Prevent misuse through the configuration of system security parameters
- 2.2.7 Encrypt non-console (remote) access.
-
2.3 In-Scope wireless environments are securely configured & maintained.
-
2.3.1 CDE connected or account data transmitting wireless environments are securely configured & maintained:
- Change default wireless keys.
- Wireless access point password management.
- Change SNMP defaults.
- Change any other security-related wireless vendor defaults.
- 2.3.2 Encryption key management
- 6.5.1 Change Management.
- Reason for change.
- Documented security impact.
- Documented approval.
- Verification of no impact.
- Bespoke & custom software updates are tested I.A.W. 6.2.4 before going live.
- Rollback considerations are identified.
- 12.5 PCI DSS Scope