PCI DSS Requirement 1.1.1: Implementing a Change Control Program
What is PCI Requirement 1.1.1?
Your organization needs to have an appropriate method for controlling changes to your cardholder data environment and to the network connections into and out of it. PCI Requirement 1.1.1 requires “a formal process for approving and testing all network connections and changes to the firewall and router configurations.” The PCI DSS v3.2.1 guidance explains why PCI Requirement 1.1.1 exists: “Without formal approval and testing of changes, records of the changes might not be updated, which could lead to inconsistencies between network documentation and the actual configuration.” If you are going to install hardware or make changes to your networking environment, management must be aware of those changes and is required to approve them before they are made. In order for management to approve those changes, your organization needs a formal Change Control Program.
What is a Change Control Program and How Does it Impact PCI Compliance?
The first step in a Change Control Program is providing narrative information to those in management who approve changes. This narrative should include a description of the change, the testing to be performed (or already performed), and roll-back procedures. With this information in hand, management can see what tests were, or will be, performed to ensure that the change does not negatively impact the security of your environment. The roll-back procedures matter because, if something goes wrong after the change is implemented, the change can be reversed in a controlled way rather than improvised under pressure.
To prepare for your PCI audit, your organization should examine its policies and procedures regarding changes to network connections and to firewall and router configurations, and verify that they define a formal process for testing and approving changes. It is also important to interview the responsible personnel and review the actual change records (approvals, test results, and roll-back plans) during your preparation period, to verify that network connections have in fact been approved and tested and that the records match the running configuration.
How Long Should You Keep Change Control Documentation for PCI Compliance?
Change control documentation should be kept for at least one year, and in any case for the full period covered by your assessment. During the PCI audit, your assessor will ask for these documents and review your change records to confirm that your organization has a formal Change Control Program. It is not sufficient to simply have the processes in place; assessors will also need to see documented policies and procedures that define how your Change Control Program is maintained.
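To make the evidence expectations above concrete, the following is an added example (not from this page and not PCI SSC material) of a small script that audits change-control records for what an assessor would look for under Requirement 1.1.1: a description, a test plan, a roll-back plan, a named approver, an approval dated on or before implementation, recorded test results for implemented changes, and a record history reaching back at least a year. The record layout, field names, the `ChangeRecord` class and the sample records are all assumptions made for illustration; a real program would read these from its ticketing system.

```python
"""Audit change-control records for PCI DSS Requirement 1.1.1 evidence.

Added example; the record layout, field names and sample data are assumptions
made for illustration and are not part of the original page or any PCI document.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class ChangeRecord:
    """One firewall/router/network-connection change as a ticketing system might store it (assumed layout)."""
    change_id: str
    description: str
    test_plan: str
    rollback_plan: str
    approver: str
    approved_on: Optional[date]
    implemented_on: Optional[date]
    tests_performed: bool = False


REQUIRED_TEXT_FIELDS = ("description", "test_plan", "rollback_plan", "approver")
MIN_RETENTION_DAYS = 365  # "no less than a year" of records


def record_findings(rec: ChangeRecord) -> List[str]:
    """Return the evidence gaps in a single record (empty list means it is complete)."""
    findings: List[str] = []
    for name in REQUIRED_TEXT_FIELDS:
        if not getattr(rec, name).strip():
            findings.append(f"{rec.change_id}: missing {name}")
    if rec.approved_on is None:
        findings.append(f"{rec.change_id}: no approval date")
    elif rec.implemented_on is not None and rec.approved_on > rec.implemented_on:
        # Approval must precede the change; a later date means it was rubber-stamped after the fact.
        findings.append(f"{rec.change_id}: approved after implementation")
    if rec.implemented_on is not None and not rec.tests_performed:
        findings.append(f"{rec.change_id}: implemented without recorded test results")
    return findings


def retention_findings(records: List[ChangeRecord], today: date,
                       min_days: int = MIN_RETENTION_DAYS) -> List[str]:
    """Flag a record set whose history does not reach back at least min_days."""
    implemented = [r.implemented_on for r in records if r.implemented_on is not None]
    if not implemented:
        return ["no implemented changes on record"]
    age_days = (today - min(implemented)).days
    if age_days < min_days:
        return [f"oldest implemented change is {age_days} days old; need at least {min_days}"]
    return []


def audit(records: List[ChangeRecord], today: date) -> List[str]:
    """All per-record findings followed by the retention finding, if any."""
    findings: List[str] = []
    for rec in records:
        findings.extend(record_findings(rec))
    findings.extend(retention_findings(records, today))
    return findings


# Constructed sample records (not real changes): one complete, two with gaps.
SAMPLE_RECORDS = [
    ChangeRecord("CHG-1001", "Permit TCP/443 from DMZ web tier to payment API",
                 "Verify only 443 passes; port scan from DMZ host", "Remove rule 47, reload saved config",
                 "J. Doe (Network Manager)", date(2023, 5, 1), date(2023, 5, 3), tests_performed=True),
    ChangeRecord("CHG-1002", "Replace core router IOS image",
                 "Boot new image in lab, confirm ACLs load", "",  # no roll-back plan
                 "J. Doe (Network Manager)", date(2024, 3, 10), date(2024, 3, 8), tests_performed=True),
    ChangeRecord("CHG-1003", "Add site-to-site VPN to new processor",
                 "Confirm tunnel up and only CDE subnets routed", "Shut the tunnel interface, delete crypto map",
                 "J. Doe (Network Manager)", None, date(2024, 5, 20)),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS, date(2024, 6, 1)):
        print(line)
```

Running the script against the constructed records reports the missing roll-back plan and the after-the-fact approval on CHG-1002, and the missing approval and test results on CHG-1003, while CHG-1001 passes and the record set satisfies the one-year retention check. The useful part for audit preparation is the approval-before-implementation comparison: a folder full of tickets is not evidence of a formal process if the approvals post-date the changes.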
More PCI Resources
PCI Requirement 1.1.1 – Change Control Program
Before you start the assessment, your assessor will spend some time with your organization going through a thorough scoping exercise. If you want to understand what scoping is about, we have a prior video which you can view.
Once the scope of the environment is established, your organization needs to ensure that you have the appropriate methods to control the changes into and out of that environment. If you’re going to be installing hardware or making changes to your networking environment, management should be well aware of that, and management is required to approve those changes. In order for management to approve those changes, we need to have a formal Change Control Program. This Change Control Program should carry a couple of merits. One of the first things we should do is provide some narrative information to management, or to those who approve the change controls. This narrative information should describe what the change is going to be.
We’re also going to be testing. What tests were performed, or are going to be performed, to ensure that the changes to your environment do not negatively impact the security of your environment? We also need to make sure that we have roll-back procedures, so that if something should go wrong at a later time, management can roll those changes back. In the narrative information that we provide to the person who’s going to be approving a change, we include not only the roll-back procedures but also the changes that are going to occur and management’s approval.
This information should be kept for no less than a period of a year, or at least for the period of your audit cycle. During the assessment process, your assessor will be asking for this information; they’re going to want a list of all of these change controls, and they’re going to be looking through this information to make sure that your organization has a formal Change Control Program. It’s not sufficient that your organization has the processes in place for change controls; assessors also need to see that there are policies and procedures that define how to go about maintaining your Change Control Program.