Acceptable Network Locations

Your usage policies, as stated in PCI Requirement 12.3.6, should detail acceptable network locations for the technology at your organization. The PCI DSS explains that by defining acceptable network locations, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.

To test compliance with PCI Requirement 12.3.6, an assessor will need to examine your usage policies to ensure that they define acceptable network locations for the technology at your organization.

PCI Requirement 12.3.6 is an acceptable use requirement that defines acceptable network locations for the technology that you’ve implemented. Think about this: you’ve spent millions of dollars developing a security program, and yet somebody circumvents it by storing credit card data out in your DMZ. From an acceptable use perspective, we look to see that you have defined your network locations and where things can be installed. Ideally, we see this in your classification policy, but if it’s not there, that’s quite all right. As long as it’s defined, we’re going to be okay with this part of the assessment.

Acceptable Use Policies

Your usage policies, as stated in PCI Requirement 12.3.5, should detail acceptable uses of the technology at your organization. Acceptable use policies (AUP) normally have users agree to not use the services for illegal purposes, not attempt to harm the security of the technology or system, and to report any suspicious activity. The PCI DSS explains that by defining acceptable uses of the technology, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.

To test compliance with PCI Requirement 12.3.5, an assessor will need to examine your usage policies to ensure that they define acceptable uses for the technology at your organization.

One time, I performed an assessment at an organization that had a receptionist whom I met at the front desk. She was back there doing her daily job, and we got to talking about the badge access and restricting access to the badging system. The statement that was made to me was, “It’s kept up at the receptionist desk.”

I went up to ask the receptionist about the badging system, and she was using a PC. Well, that isn’t so much of a problem, except if she sits all day busy playing Facebook games. Really, what PCI Requirement 12.3.5 requires is that you have acceptable use policies in place for your technologies, defining what is and isn’t appropriate and how the technologies you’ve implemented within your environment are to be used.

Identification System

Your usage policies should have a method for identifying who an asset owner is. PCI Requirement 12.3.4 specifically details, “A method to accurately and readily determine owner, contact information, and purpose.” This doesn’t mean you need a label on every device defining who the owner is, but you do need to have an identification system. This could be a serial number that traces back to the owner. Without a method to accurately and readily determine the owner and purpose of a device, an attacker could place their own devices on your network, and no one would be able to quickly distinguish whether they were approved or not.

Compliance with PCI Requirement 12.3.4 means being able to quickly identify non-approved versus approved devices, their owner, and purpose.

Think about this scenario: you walk into an environment such as your data center and, all of a sudden, you see a server there that is smoking, or a server that shouldn’t be there at all. Do you have the means or methods within your organization to identify what the asset is and who owns it? PCI Requirement 12.3.4 establishes the need for being able to do that. We don’t necessarily require that you put a sticker on it with the asset name and the owner. We find that a lot of organizations have an asset list, traceable back to a serial number, that they keep somewhere and that defines what each asset is and who it’s for. Your assessor should not only be looking for the policy but also looking to see that you’re actually carrying out this activity.

Approved Devices and Personnel with Access

To create compliant usage policies, your organization must meet PCI Requirement 12.3.3, which requires you to keep a list of all devices and personnel with access. Lists of approved devices and personnel come up often throughout the PCI DSS, and PCI Requirement 12.3.3 is one of those places. Without this list of all devices and personnel with access, an attacker could place their own devices on your network, and no one would be able to quickly distinguish whether they were approved or not. Your personnel could also completely disregard or bypass physical security procedures and install unapproved devices. Compliance with PCI Requirement 12.3.3 means being able to quickly identify non-approved versus approved devices and personnel.

To test compliance with PCI Requirement 12.3.3, an assessor will need to examine your usage policies to ensure that there is a list of all devices and personnel with access.

You need to maintain a list of all the assets that you have in your environment and the individuals that are authorized to use them. This is not only a matter of having a usage policy: from an assessment perspective, your assessor is likely to ask you for that list, to make sure that you’re complying with your own policies.
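The three checks discussed above (a complete owner/contact/purpose record per asset, a list of approved devices, and acceptable network locations per technology) can be exercised against a discovery snapshot. The following is an added example, not code from the original article or from any PCI DSS tooling; the inventory, zone policy, serial numbers and zone names are all constructed for illustration.

```python
"""Reconcile a network discovery snapshot against an approved-asset inventory.

Constructed example: every discovered device must appear in the inventory
(12.3.3), every inventory record must carry owner, contact and purpose
(12.3.4), and each device's technology class must be allowed in the zone
where it was found (12.3.6). All data below is made up.
"""
from dataclasses import dataclass

# Acceptable network locations per technology class (constructed policy).
ACCEPTABLE_ZONES = {
    "cardholder-db": {"cde-internal"},
    "web-server": {"dmz"},
    "workstation": {"corp-lan"},
}

# Approved-asset inventory keyed by serial number (constructed data).
INVENTORY = {
    "SN-1001": {"owner": "dba-team", "contact": "dba@example.invalid",
                "purpose": "payment database", "tech": "cardholder-db"},
    "SN-2002": {"owner": "web-team", "contact": "web@example.invalid",
                "purpose": "storefront", "tech": "web-server"},
    # Incomplete record: the owner/contact/purpose check should flag it.
    "SN-3003": {"owner": "", "contact": "", "purpose": "", "tech": "workstation"},
}

@dataclass
class Finding:
    serial: str
    requirement: str
    detail: str

def reconcile(discovered, inventory=INVENTORY, zones=ACCEPTABLE_ZONES):
    """discovered: iterable of (serial, zone) pairs from a scan; returns findings."""
    findings, seen = [], set()
    for serial, zone in discovered:
        seen.add(serial)
        record = inventory.get(serial)
        if record is None:  # device nobody approved (12.3.3)
            findings.append(Finding(serial, "12.3.3", f"unapproved device in {zone}"))
            continue
        for field in ("owner", "contact", "purpose"):  # identification (12.3.4)
            if not record[field]:
                findings.append(Finding(serial, "12.3.4", f"inventory record missing {field}"))
        if zone not in zones.get(record["tech"], set()):  # location policy (12.3.6)
            findings.append(Finding(serial, "12.3.6", f"{record['tech']} found in {zone}"))
    for serial in inventory.keys() - seen:  # approved but not observed
        findings.append(Finding(serial, "12.3.3", "inventory device not observed"))
    return findings
```

Feeding it a snapshot with the payment database sitting in the DMZ reproduces the scenario the article describes, and the 12.3.6 finding points straight at it.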

Proper Authentication in Usage Policies

We learned about authentication methods in PCI Requirement 7, and that ties in here. The more people who have access to cardholder data, the more risk there is. A crucial aspect of usage policies is authentication. PCI Requirement 12.3.2 says that usage policies must require authentication for the use of technology. If technology is implemented without proper authentication methods, malicious individuals may use this insecure technology to access critical systems and cardholder data. Authentication methods could include user IDs/passwords, tokens, VPNs, etc.

To test compliance with PCI Requirement 12.3.2, an assessor will need to examine your usage policies to ensure that there is a process for authentication when using technology.

When we look back on PCI Requirement 7, there are requirements for all of your technologies to be able to support your rule-based access controls. PCI Requirement 12.3.2 requires that all of your technology have the ability to authenticate individual users to that asset before they’re given access. From an assessment perspective, we look at these usage policies and make sure that all systems require authentication.