What is PCI Requirement 1.1.6?

Your organization needs to restrict inbound and outbound traffic in and out of sensitive environments.  PCI DSS Requirement 1.1.6 relates specifically to the documentation of business justification and approval for use of all services, ports, and protocols.

PCI DSS v3.2 requires that organizations restrict inbound and outbound traffic to and from sensitive areas to only that which is needed for business purposes. We find that organizations are typically good at establishing inbound traffic rules, but what happens when someone is already in your environment? Are your outbound network traffic controls sufficient? Will they stop someone trying to exfiltrate data from your network? In many past breaches, data left the network because the established traffic rules, and the outbound rules in particular, were insufficient. For this reason, you need a documented list of the protocols, ports, and services that will be allowed in and out of your environment. PCI Requirement 1.1.6 requires this documentation, and specifically states, “Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.” If a protocol, port, or service is not required for your environment, disable it; if a required one is considered insecure (FTP, Telnet, POP3, IMAP, and SNMP v1 and v2 are the examples the standard’s guidance gives), document the security features that mitigate it alongside the approval.

As assessors, we seek out this list of management-approved protocols, ports, and services to compare against your router and firewall configurations. We look to see that the traffic you’re allowing does not exceed that which is documented.

This documentation is one of the most important pieces of your PCI DSS assessment. Assessors will need this early on in the process because it is the basis for other aspects of your PCI DSS audit; other pieces of the assessment hinge on this document. It is also necessary to maintain this piece of documentation as part of your Change Control Program. If you will be making changes to your network, ports, or services, you will need to ensure this document is updated.

Your organization needs to restrict inbound and outbound traffic out of those environments that are considered sensitive or risky. What we find is that organizations are really, really good at establishing inbound traffic rules to prevent the bad guys from getting in, but think about what happens when somebody’s actually already in your environment. Are your networking controls sufficient to prevent them from exfiltrating the data? It’s interesting to look at all of the breaches that have happened throughout the years, and the only reason that cardholder data or health information or financial information was taken from these organizations is because the rules that they had established were insufficient to prevent the exfiltration of information.

Many of the requirements, such as PCI DSS Requirement 1.1.6, require that we actually have a documented list of the protocols, ports, and services that we’re going to allow in and out of our environment. It’s absolutely appropriate, if you need those protocols, ports, and services, to allow them, however if they’re not required, they need to be disabled. What we do from an assessment perspective, is we get that list of management-approved protocols, ports, and services and we compare that list against your router configs and your firewall configs. We look to see that whatever traffic you’re allowing out, does exceed that which has been documented within your management-approved protocols, ports, and services.

This is one area that’s probably the most important piece of the assessment. This is the basis of a lot of other assessments that we need. It’s often a piece of information that we need very early on in the assessment. Other pieces of the assessment are hinging on this one piece of data. It’s also necessary to maintain this piece of documentation as part of your Change Control Program. If you’re going to be making changes to your network or opening ports and services to allow things to happen, you need to update this document as well.

What is PCI Requirement 1.1.5?

It’s not enough that you have a network set up with established policies, procedures, and processes. You also need to ensure that you have someone within your organization that has the formal responsibility of managing the network. PCI Requirement 1.1.5 states that it’s necessary for your organization to have a “description of groups, roles, and responsibilities for management of network components.”

PCI Requirement 1.1.5 ensures that personnel at your organization are aware of who is responsible for managing your assets, and that the person or group who is responsible are aware of their specific responsibilities. If PCI Requirement 1.1.5 is neglected, it could leave your organization’s assets unmanaged and vulnerable.

To prepare for your PCI assessment, the PCI DSS v3.2 says that your organization should verify that the standards in place for firewall and router configurations contain a description of the network manager’s responsibilities. Your organization should also interview the group or individual who is responsible for network management to verify that the roles and responsibilities are assigned as documented.

It could be an individual or a group who is formally assigned the responsibility to manage the network, but whoever manages the network needs to fully understand how to securely manage assets. The network manager needs to have skills from a productivity perspective, but more importantly, from a security perspective. Assessors are looking for someone who has the necessary skills to manage the network securely.

It’s not enough to have a network set up. We have established policies, we have procedures – it’s really not enough that we do that. You have to ensure that you have someone within your organization that has the overall responsibility of managing the network. The management of this network could be assigned to an individual, it could be assigned to a group, but somebody has to formally be assigned this role. The assignment of this role needs to be to somebody who truly understands how to manage these assets not just from a productivity perspective, but also from a security perspective, understanding that we have these assets in the environment that need to be managed securely.

Often, organizations don’t quite understand that managing your assets from a productivity perspective isn’t always necessarily the same type of skills that are required for managing the asset from a security perspective. So, when you’re defining who’s specifically responsible for managing the security of these assets, understand that from an assessment perspective, assessors need to see that the network manager has the necessary skill set to manage these things securely.

What is PCI Requirement 1.1.4?

PCI DSS Requirement 1.1.4 requires “a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone.” PCI DSS v3.2, the current version of the standard, says that the purpose behind PCI Requirement 1.1.4 is, “Using a firewall on every internet connection coming in to (and out of) the network, and between any DMZ and the internal network, allows the organizations to monitor and control access and minimize the chances of a malicious individual obtaining access to the internal network via an unprotected connection.”

Your organization needs to establish a DMZ for your inbound internet access, including a supporting web server, email services, or FTP. A DMZ is a physical or logical subnetwork containing an organization’s external facing services to untrusted networks, such as the internet. It adds an additional layer of security to your internal network by acting as a buffer between your internal corporate network and untrusted networks. By segmenting this untrusted network from your corporate environment, you are minimizing the threat of unauthorized access to your internal network.

We have to establish a DMZ, a demilitarized zone, for your inbound internet access. If you have inbound internet access – supporting a web server, supporting email services, supporting FTP – we want to make sure that those particular assets do not reside within the corporate aspect of your environment. We want to establish a small area that allows those assets to sit in, that has more open ports and a little less security than your entire corporate environment.

What we look for as an assessor is that you have a firewall that exists between your internet connection and the DMZ. And then, between your corporate network or area where you’re trying to secure your data/CDE, we look to see that there’s another firewall there. This doesn’t necessarily have to be two physical assets. It could be the same asset, as long as you’re routing traffic into an area of the network that is then managed, secured, and controlled. As the traffic flows in from the internet, we want to terminate it into the DMZ, we want to inspect it for authorized services, protocols, and ports before that traffic is then allowed into your network.
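As an added example (not part of the original article, and not the assessor’s tooling), the following Python script performs the two checks described above in code: the 1.1.6 comparison of a firewall ruleset against the management-approved list of services, protocols, and ports (including the gap where an insecure protocol is approved with no documented security feature), and the 1.1.4 check that no rule forwards internet traffic straight into the internal zone, bypassing the DMZ. The interface-to-zone mapping, the approved list, and the iptables-save style FORWARD chain are all constructed for illustration; a real run would feed in the output of `iptables-save` from the firewall and the organization’s own approved list.

```python
"""
Constructed example: audit a firewall FORWARD chain against the
management-approved services/ports/protocols list (PCI DSS 1.1.6) and
check that internet traffic never bypasses the DMZ (PCI DSS 1.1.4).
Zones, approved entries and rules below are made up for illustration.
"""
import re
from typing import NamedTuple, Optional

# Hypothetical zone assignment for one firewall appliance with three interfaces.
ZONES = {"eth0": "internet", "eth1": "dmz", "eth2": "internal"}

# Protocol/port pairs the PCI DSS guidance names as insecure examples
# (FTP, Telnet, POP3, IMAP, SNMP v1/v2).
INSECURE = {("tcp", 21), ("tcp", 23), ("tcp", 110), ("tcp", 143), ("udp", 161)}


class Approved(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int
    justification: str
    security_feature: Optional[str]  # must be documented when (proto, port) is in INSECURE


class Rule(NamedTuple):
    line: str
    src: str
    dst: str
    proto: Optional[str]  # None means "any protocol"
    port: Optional[int]   # None means "any port"


# Constructed management-approved list (the 1.1.6 document). Entries are invented.
APPROVED = [
    Approved("internet", "dmz", "tcp", 443, "public web storefront", None),
    Approved("internet", "dmz", "tcp", 25, "inbound mail relay", "TLS required by MTA policy"),
    Approved("internet", "dmz", "tcp", 21, "partner file drop", None),  # insecure, no feature documented
    Approved("dmz", "internal", "tcp", 1433, "web tier to order database", None),
    Approved("internal", "internet", "tcp", 443, "payment gateway API", None),
    Approved("internal", "internet", "udp", 53, "DNS resolution", None),
]

# Constructed iptables-save style FORWARD chain; not captured from any real device.
RULESET = """
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp --dport 1433 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p udp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -j DROP
"""

_OPT = re.compile(r"(?:^|\s)(-i|-o|-p|--dport|-j)\s+(\S+)")


def parse_rules(text: str) -> list[Rule]:
    """Return only the ACCEPT rules that forward between two zones, i.e. the ones granting access."""
    rules = []
    for line in text.strip().splitlines():
        opts = dict(_OPT.findall(line))
        if opts.get("-j") != "ACCEPT" or "-i" not in opts or "-o" not in opts:
            continue  # DROP rules and the stateful return-traffic rule grant nothing new
        port = opts.get("--dport")
        rules.append(Rule(line.strip(), ZONES[opts["-i"]], ZONES[opts["-o"]],
                          opts.get("-p"), int(port) if port else None))
    return rules


def audit(rules: list[Rule], approved: list[Approved]) -> list[tuple[str, str]]:
    """Findings as (requirement, detail); an empty list means the ruleset matches the approved list."""
    findings = []
    allowed = {(a.src, a.dst, a.proto, a.port) for a in approved}
    for r in rules:
        if r.src == "internet" and r.dst == "internal":
            findings.append(("1.1.4", f"internet traffic forwarded straight into internal zone, bypassing DMZ: {r.line}"))
        if r.proto is None or r.port is None:
            findings.append(("1.1.6", f"rule allows any service {r.src}->{r.dst}; exceeds approved list: {r.line}"))
        elif (r.src, r.dst, r.proto, r.port) not in allowed:
            findings.append(("1.1.6", f"{r.proto}/{r.port} {r.src}->{r.dst} not on approved list: {r.line}"))
    for a in approved:
        if (a.proto, a.port) in INSECURE and not a.security_feature:
            findings.append(("1.1.6", f"insecure service {a.proto}/{a.port} {a.src}->{a.dst} approved without documented security features"))
    return findings


if __name__ == "__main__":
    for req, detail in audit(parse_rules(RULESET), APPROVED):
        print(f"[{req}] {detail}")
```

On the constructed input the script reports the permissive egress rule (any service from the internal zone to the internet), the RDP rule that forwards internet traffic directly into the internal zone (flagged under both 1.1.4 and 1.1.6, since it is also absent from the approved list), and the FTP approval that lacks a documented security feature. Matching on zone pair, protocol and destination port is deliberately strict: a rule broader than its approved entry is a finding even if the narrower flow is justified, which is exactly the “does not exceed that which is documented” test the assessor applies.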

What are PCI Requirement 1.1.2 & 1.1.3?

PCI DSS Requirements 1.1.2 and 1.1.3 are all about maintaining network documentation. Network documentation consists of two things: a network diagram and a data flow diagram. An updated network diagram is required by PCI Requirement 1.1.2, which states that organizations must have a “current network diagram that identifies all connections between the Cardholder Data Environment (CDE) and other networks, including any wireless networks.” A data flow diagram is required by PCI Requirement 1.1.3, which requires that organizations have a “current diagram that shows all cardholder data flows across systems and networks.”

The Importance Behind PCI Requirements 1.1.2 & 1.1.3

The purpose of having network and data flow diagrams is so that your organization can fully understand where sensitive assets, such as cardholder data, exist throughout your network. If you are unaware of where your assets currently reside, you probably are not appropriately protecting them. Keeping updated network documentation, such as a network diagram and data flow diagram, can prevent your organization from unknowingly overlooking cardholder data that has been left out of the security controls and is susceptible to unauthorized access.

As an assessor, we look for evidence of your policies, procedures, and processes surrounding the maintenance of your network documentation and that your organization is keeping these network diagrams and data flow diagrams appropriately updated. Ideally, assessors look for some sort of tie into your Change Control Program as part of Requirement 1.1.1.

What Should Be Included in Network Documentation for PCI Compliance?

When your assessor is reviewing your network diagram and data flow diagram, they are verifying that your organization knows where your assets are located and how the connections into and out of those environments exist. Your network documentation should include things such as:

  • Methods used for controlling traffic in and out of your network
  • Where your firewalls are located
  • Where your routers and switches are located
  • Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS)
  • Demilitarized Zone (DMZ)
  • Applications
  • Anti-virus
  • Wireless Networks
  • Remote access points
  • Operating systems
  • Email servers
  • DNS servers
  • Databases

Have questions on how you can comply with the PCI DSS Requirements? Contact us today. 

More PCI Resources

PCI Demystified Video Series 

Beginner’s Guide to PCI Compliance 

When Will You See the Benefit of an Audit? 

PCI Requirements 1.1.2 & 1.1.3 – Network Documentation

When your organization makes a change to your networking environment, you need to ensure that you maintain network documentation. This consists of two things; one is a data flow diagram and the other is a network diagram. So, if you’re going to be making a change to your networking environment, we want to make sure that you keep these documents appropriately updated. This doesn’t mean just changing the date. As an assessor, we often come into your environment and we’ll look at the documentation and see that the date is current. But understand that just because you changed the date doesn’t necessarily mean that the network diagram is current. So we’re looking for evidence of your processes and your procedures around maintaining your network documentation.

Ideally, what we look for in a perfect world, is that you have some type of tie into your Change Control Program. That change control will be held open until such time that the network documentation has been appropriately updated.

This network diagram should also be considerate of all assets, or at least types of assets, within your environment. With the networking clouds that we have today, such as Amazon or Microsoft Azure, the number of assets will often wax and wane. From an assessment perspective, what we’re looking for is that you fully understand where your assets are at, how connections into and out of those environments exist, and define the methods and means that you’re using for controlling that traffic.

So as part of this network documentation, we look to see that several things exist. We look to examine where your firewalls and routers exist, and we look to see if you have wireless devices. Whether they’re in scope or not, if the wireless devices are in your environment, they need to be demonstrated on that network diagram.

The purpose of this is that if you’re being assessed against the PCI standards, there’s a requirement that says you must adhere to the requirement that says you need to have a firewall between your cardholder data environment and your wireless access points – so we look for that as assessors.

Your network diagram should also demonstrate where your IPS/IDS is. Assessors need to see that those are standing in front of your network and other areas that you might determine as being critical in your environment.

The whole point of having data flow and network diagrams is so that your organization and your staff can fully understand where those assets are at that need to be protected. If you don’t know where your assets are at, chances are you’re probably not appropriately protecting them.

What is PCI Requirement 1.1.1?

Your organization needs to ensure that you have the appropriate methods to control any changes into and out of your environment. PCI Requirement 1.1.1 requires, “a formal process for approving and testing all network connections and changes to the firewall and router configurations.” The PCI DSS v3.2.1 states that PCI Requirement 1.1.1 exists because, “Without formal approval and testing of changes, records of the changes might not be updated, which could lead to inconsistencies between network documentation and the actual configuration.” If you’re going to install hardware or make changes to your networking environment, management should be well aware of those changes and is required to approve them. In order for management to approve those changes, your organization needs to have a formal Change Control Program.

Jeff Wilder walks us through PCI Requirement 1.1.1.

What is a Change Control Program and How Does it Impact PCI Compliance?

The first step in a Change Control Program is providing narrative information to those in management who approve change controls. This narrative information should include a description of what the change is going to be, testing information, and roll-back procedures. By receiving this narrative information, management can see what tests were performed, or are going to be performed, to ensure that the change doesn’t negatively impact the security of your environment. It’s important to include the information on roll-back procedures to ensure that if something goes wrong in the future, management can roll back the changes that have been made.

To prepare for your PCI audit, your organization should examine policies and procedures regarding changes to network connections and firewall and router configurations to verify that there is a formal process for the testing and approving of change controls. It’s also important to interview responsible personnel and look at their records during your preparation period to further verify that network connections have been approved and tested.

How Long Should You Keep Change Control Documentation for PCI Compliance?

Updated change control documentation should be kept for no less than a year or at least during your audit period. During the PCI audit process, your assessor will be asking for these documents and looking through your change control information to ensure that your organization has a formal Change Control Program. It’s not sufficient to simply have the processes in place for change control; assessors will need to see that there are documented policies and procedures that define how to maintain your Change Control Program.


PCI Requirement 1.1.1 – Change Control Program

Before you start the assessment, your assessor will spend some time with your organization going through a thorough scoping exercise. If you want to understand what scoping is about, we have a prior video which you can view.

Once the scope of the environment is established, your organization needs to ensure that you have the appropriate methods to control the changes into and out of that environment. If you’re going to be installing hardware or making changes to your networking environment, management should be well-aware of that and management is required to approve those changes. In order for management to approve those changes, we need to have a formal Change Control Program. This Change Control Program should carry a couple of merits. One of the first things we should do is talk about and provide some narrative information to management, or those who approve the change controls. This narrative information should describe what the change is going to be.

We’re also going to be testing. What tests were performed or are going to be performed to ensure that the changes to your environment do not negatively impact the security of your environment? We also need to make sure that we have back-up procedures, making sure that if something should go wrong at a later time, that management can roll those changes back. In the narrative information that we provide to the person who’s going to be approving a change, not only are we going to include the roll-back procedures, but we’re going to include the changes that are going to occur and management’s approval.

This information should be kept for no less than a period of a year or should be kept for at least the period of your audit cycle. During the assessment process, your assessor will be asking for this information, they’re going to want a list of all these change controls, and they’re going to be looking at this information to make sure that your organization has a formal Change Control Program. It’s not just sufficient that your organization has the processes in place for change controls; assessors also need to see that there are policies and procedures that define how to go about maintaining your change control program.