PCI DSS Requirement 1.1.5: Defining Roles and Responsibilities for Managing Network Components

by KirkpatrickPrice / April 18th, 2017

What is PCI Requirement 1.1.5?

It’s not enough that you have a network set up with established policies, procedures, and processes. You also need to ensure that you have someone within your organization that has the formal responsibility of managing the network. PCI Requirement 1.1.5 states that it’s necessary for your organization to have a “description of groups, roles, and responsibilities for management of network components.”

PCI Requirement 1.1.5 ensures that personnel at your organization are aware of who is responsible for managing your assets, and that the person or group who is responsible are aware of their specific responsibilities. If PCI Requirement 1.1.5 is neglected, it could leave your organization’s assets unmanaged and vulnerable.

To prepare for your PCI assessment, the PCI DSS v3.2 says that your organization should verify that the standards in place for firewall and router configurations contain a description of the network manager’s responsibilities. Your organization should also interview the group or individual who is responsible for network management to verify that the roles and responsibilities are assigned as documented.

It could be an individual or a group who is formally assigned the responsibility to manage the network, but whoever manages the network needs to fully understand how to securely manage assets. The network manager needs to have skills from a productivity perspective, but more importantly, from a security perspective. Assessors are looking for someone who has the necessary skills to manage the network securely.

It’s not enough that to have a network set up. We have established policies, we have procedures – it’s really not enough that we do that. You have to ensure that you have someone within your organization that has the overall responsibility of managing the network. The management of this network could be assigned to an individual, it could be assigned to a group, but somebody has to formally be assigned this role. The assignment of this role needs to be to somebody who truly understands how to manage these assets not just from a productivity perspective, but also from a security perspective, understanding that we have these assets in the environment that needs to be managed securely.

Often, organizations don’t quite understand that managing your assets from a productivity perspective isn’t always necessarily the same type of skills that are required for managing the asset from a security perspective. So, when you’re defining who’s specifically responsible for managing the security of these assets, understand that from an assessment perspective, assessors needs to see that the network manager has the necessary skill set to manage these things securely.