PCI DSS Requirement 1.1.6: Documentation of Business Justification and Approval
What is PCI Requirement 1.1.6?
Your organization needs to restrict inbound and outbound traffic in and out of sensitive environments. PCI DSS Requirement 1.1.6 relates specifically to the documentation of business justification and approval for use of all services, ports, and protocols.
As assessors, we seek out this list of management-approved protocols, ports, and services to compare against your router and firewall configurations. We look to see that the traffic you’re allowing does not exceed that which is documented.
This documentation is one of the most important pieces of your PCI DSS assessment. Assessors will need this early on in the process because it is the basis for other aspects of your PCI DSS audit; other pieces of the assessment hinge on this document. It is also necessary to maintain this piece of documentation as part of your Change Control Program. If you will be making changes to your network, ports, or services, you will need to ensure this document is updated.
Your organization needs to restrict inbound and outbound traffic in and out of those environments that are considered sensitive or risky. What we find is that organizations are really, really good at establishing inbound traffic rules to prevent the bad guys from getting in, but think about what happens when somebody’s actually already in your environment. Are your networking controls sufficient to prevent them from exfiltrating the data? It’s interesting to look at all of the breaches that have happened throughout the years, and the only reason that cardholder data or health information or financial information was taken from these organizations is because the rules that they had established were insufficient to prevent the exfiltration of information.
Many of the requirements, such as PCI DSS Requirement 1.1.6, require that we actually have a documented list of the protocols, ports, and services that we’re going to allow in and out of our environment. It’s absolutely appropriate to allow those protocols, ports, and services if you need them; however, if they’re not required, they need to be disabled. What we do from an assessment perspective is get that list of management-approved protocols, ports, and services and compare it against your router configs and your firewall configs. We look to see that whatever traffic you’re allowing out does not exceed that which has been documented within your management-approved protocols, ports, and services.
This is one area that’s probably the most important piece of the assessment. This is the basis of a lot of other assessments that we need. It’s often a piece of information that we need very early on in the assessment. Other pieces of the assessment are hinging on this one piece of data. It’s also necessary to maintain this piece of documentation as part of your Change Control Program. If you’re going to be making changes to your network or opening ports and services to allow things to happen, you need to update this document as well.
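The comparison described above (the management-approved list of ports, protocols and services checked against the firewall rule set, both in the summary and in the transcript) can be automated so that it runs on every change-control ticket rather than only at assessment time. The following is an added example, not code from the original article or from any assessor's tooling. The approved entries and the iptables-save style rules are constructed sample data, the names and justifications are hypothetical, and the script assumes the documented list carries a direction, a protocol, a port, a business justification and an approver for every entry. It reports three findings an assessor would care about: traffic the firewall allows that the document does not justify, documented entries no rule actually uses (a stale document), and entries missing a justification or an approval.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedService:
    direction: str      # "IN" or "OUT"
    protocol: str       # "tcp" or "udp"
    port: int
    service: str
    justification: str  # business justification required by 1.1.6
    approved_by: str    # management approval required by 1.1.6


# Constructed management-approved list (hypothetical services, justifications and approver).
APPROVED = [
    ApprovedService("IN", "tcp", 443, "HTTPS", "Customer checkout page", "J. Doe, CISO"),
    ApprovedService("OUT", "udp", 53, "DNS", "Name resolution for payment gateway", "J. Doe, CISO"),
    ApprovedService("OUT", "tcp", 25, "SMTP", "Transaction receipts via mail relay", "J. Doe, CISO"),
    ApprovedService("OUT", "tcp", 22, "SSH", "Legacy SFTP batch export (retired)", "J. Doe, CISO"),
]

# Constructed iptables-save style rules; no real firewall configuration was used.
FIREWALL_RULES = """
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -j ACCEPT
"""

RULE_RE = re.compile(r"-A (INPUT|OUTPUT) -p (tcp|udp) --dport (\d+) -j (ACCEPT|DROP|REJECT)")
CHAIN_TO_DIRECTION = {"INPUT": "IN", "OUTPUT": "OUT"}


def parse_allowed(rules_text):
    """Return the set of (direction, protocol, port) tuples the firewall permits.

    Only ACCEPT rules matter for the comparison; DROP and REJECT lines are ignored,
    as are lines that do not match the simple rule shape assumed here.
    """
    allowed = set()
    for line in rules_text.splitlines():
        match = RULE_RE.match(line.strip())
        if match and match.group(4) == "ACCEPT":
            chain, proto, port = match.group(1), match.group(2), int(match.group(3))
            allowed.add((CHAIN_TO_DIRECTION[chain], proto, port))
    return allowed


def reconcile(approved, rules_text):
    """Compare the approved document against the live rules and return the gaps.

    undocumented: the firewall allows it but no management-approved entry covers it.
    unused:       the document approves it but no rule allows it (stale documentation).
    incomplete:   an approved entry lacks a justification or an approver.
    """
    documented = {(a.direction, a.protocol, a.port): a for a in approved}
    allowed = parse_allowed(rules_text)
    undocumented = sorted(allowed - documented.keys())
    unused = sorted(documented.keys() - allowed)
    incomplete = sorted(key for key, entry in documented.items()
                        if not (entry.justification.strip() and entry.approved_by.strip()))
    return {"undocumented": undocumented, "unused": unused, "incomplete": incomplete}


def print_report(findings):
    """Human-readable summary suitable for attaching to a change-control ticket."""
    for category, items in findings.items():
        print(f"{category}: {len(items)}")
        for direction, proto, port in items:
            print(f"  {direction} {proto}/{port}")


if __name__ == "__main__":
    print_report(reconcile(APPROVED, FIREWALL_RULES))
```

On the constructed data the script flags outbound tcp/21 as allowed without any documented justification and outbound tcp/22 as documented but no longer configured, which is exactly the pair of discrepancies the assessor's comparison is looking for. In practice the approved list would be loaded from the controlled document and the rules from an export of the actual device, and the check would be wired into the change-control workflow so that a rule change cannot close without the document being updated first.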