PCI DSS Requirement 1.1.6: Documentation of Business Justification and Approval

PCI DSS Requirement 1.1.6: Documentation of Business Justification and Approval

What is PCI Requirement 1.1.6?

Your organization needs to restrict inbound and outbound traffic in and out of sensitive environments.  PCI DSS Requirement 1.1.6 relates specifically to the documentation of business justification and approval for use of all services, ports, and protocols.

PCI DSS v3.2 insists that organizations restrict inbound and outbound traffic to and from sensitive areas to only that which is needed for business purposes. We find that organizations are typically great at establishing inbound traffic rules, but what happens when someone is already in your environment? Are your outbound network traffic controls sufficient? Will they prevent someone trying to exfiltrate data from your network? Looking at past breaches, a primary reason that sensitive data was successfully taken was because the established traffic rules were insufficient. For this reason, it’s necessary to have a documented list of protocols, ports, and services that will be allowed in and out of your environment. PCI Requirement 1.1.6 requires this documentation, and specifically states, “Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.” If a protocol, port, or service is not required for your environment, disable it.

As assessors, we seek out this list of management-approved protocols, ports, and services to compare against your router and firewall configurations. We look to see that the traffic you’re allowing does not exceed that which is documented.

This documentation is one of the most important pieces of your PCI DSS assessment. Assessors will need this early on in the process because it is the basis for other aspects of your PCI DSS audit; other pieces of the assessment hinge on this document. It is also necessary to maintain this piece of documentation as part of your Change Control Program. If you will be making changes to your network, ports, or services, you will need to ensure this document is updated.

Video Transcription

PCI Requirement 1.1.6

Your organization needs to restrict inbound and outbound traffic out of those environments that are considered sensitive or risky. What we find is that organizations are really, really good at establishing inbound traffic rules to prevent the bad guys from getting in, but think about what happens when somebody’s actually already in your environment. Are your networking controls sufficient to prevent them from exfiltrating the data? It’s interesting to look at all of the breaches that have happened throughout the years, and the only reason that cardholder data or health information or financial information was taken from these organizations is because the rules that they had established were insufficient to prevent the exfiltration of information.

Many of the requirements, such as PCI DSS Requirement 1.1.6, require that we actually have a documented list of the protocols, ports, and services that we’re going to allow in and out of our environment. It’s absolutely appropriate, if you need those protocols, ports, and services, to allow them, however if they’re not required, they need to be disabled. What we do from an assessment perspective, is we get that list of management-approved protocols, ports, and services and we compare that list against your router configs and your firewall configs. We look to see that whatever traffic you’re allowing out, does exceed that which has been documented within your management-approved protocols, ports, and services.

This is one area that’s probably the most important piece of the assessment. This is the basis of a lot of other assessments that we need. It’s often a piece of information that we need very early on in the assessment. Other pieces of the assessment are hinging on this one piece of data. It’s also necessary to maintain this piece of documentation as part of your Change Control Program. If you’re going to be making changes to your network or opening ports and services to allow things to happen, you need to update this document as well.

6 replies

Trackbacks & Pingbacks

  1. […] as well. Assessors will expect you to have an authorized list of protocols, ports, and services (Requirement 1.1.6) that are allowed in and out of those personal laptops, employee-owned devices, or portable […]

  2. […] has established rules based on the list of approved protocols, ports, and services (from Requirement 1.1.6), traffic is stopped within the DMZ and it’s vetted against a set of appropriate rules before […]

  3. […] They make sure that all traffic that’s inbound into your environment is explicitly authorized as part of Requirement 1.1.6. […]

  4. […] outbound protocols, ports, and services that have been previously authorized are allowed. Remember Requirement 1.1.6? That list you’ve made of management-approved protocols, ports, and services? That list that is […]

  5. […] we learned from Requirement 1.1.6, your organization is required to maintain a list of authorized protocols, ports, or services. […]

  6. […] external to your organization’s network, as untrustworthy. Assessors will take the data found in PCI Requirement 1.1.6, which is your organization’s authorized ports, protocols, and services, and compare that data to […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *