What is PCI Requirement 1.1.7?
There are several sub-requirements under the umbrella of Requirement 1. PCI Requirement 1.1.7 states, “review firewall and router rule sets at least every six months.” Assessors verify this in two ways: by checking that your firewall and router configuration standards require a rule set review at least every six months, and by examining documentation of the reviews and interviewing the responsible personnel to confirm that the reviews actually occur on that schedule.
Unpacking PCI Requirement 1.1.7
It’s not enough for your organization to establish rules for inbound and outbound traffic on your network. Why? As time goes on, rules become deprecated and protocols become insecure. Many security frameworks, including PCI DSS, require that your organization have a process to review firewall and router configurations and confirm that they are still secure. This process can be manual or use automated tools, but there must be a process.
Many frameworks do not define what organizations need to do to create a compliant review process, but there are two things that assessors examine. First, assessors look to see that your organization is reviewing your environment regularly. If you’re being assessed against the PCI DSS standards, assessors look to see that you’re doing this at least every six months. This means you must also maintain some type of evidence that the review process has occurred. Second, assessors look to see that your organization has spent time ensuring that the inbound and outbound rules, and the protocols, ports, and services they allow, are still appropriate and secure. If a protocol has become insecure, you must document what you’re doing to make it secure: you’re required to implement specific controls that render that protocol secure.
As an organization, you establish these rules for your network to allow traffic inbound and outbound. But you need to understand that as time goes on, rules become deprecated and protocols become insecure. Many of the security frameworks, including that of the PCI DSS, require that you as an organization have a process, manual or using automated tools, to review these firewall and router configs to ensure that they’re still secure.
While the PCI DSS or these other frameworks don’t necessarily define for you what you need to do as part of that rule, we like to spend some time, as an assessor, discussing what we’re looking for. We look to see, first of all, that you’re doing this periodically. If you’re being assessed against the PCI DSS standards, we look to see that you’re doing this at least every six months. So, you need to maintain some artifact that this has actually occurred. What we’re looking for, in terms of the assessment of these firewalls and routers, is to make sure that you’ve spent the time ensuring that these protocols, ports, and services, inbound and outbound, are still appropriate and still secure.
If for some reason the protocol has become insecure, you need to document the means and methods for what you’re doing to make sure that it is secure. You’re required to implement specific controls that will render that particular protocol secure.
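The review process described above (periodic review, checking that allowed protocols, ports and services are still appropriate, and keeping an artifact that the review happened) can be partly automated. The following is an added example, not code from the original article or from any PCI DSS publication: the rule set, the review dates, the reviewer name, the 183-day interval used to approximate “every six months,” and the list of services treated as insecure are all constructed assumptions. It flags rules that are overdue for review, rules that allow known-insecure cleartext services, any-to-any allow rules, and allow rules with no documented business need, and then builds a dated review record that can be retained as evidence for an assessor.

```python
"""Six-monthly firewall rule-set review helper (added example).

All rules, dates, names and the insecure-service list below are constructed
assumptions for illustration, not data from any real environment.
"""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
import hashlib
import json

# Assumption: 183 days is used as the upper bound for "at least every six months".
MAX_REVIEW_AGE = timedelta(days=183)

# Assumption: legacy cleartext services a review should flag for replacement
# or for documented compensating controls.
INSECURE_SERVICES = {
    "tcp/21": "FTP: cleartext credentials and data",
    "tcp/23": "Telnet: cleartext administrative sessions",
    "udp/69": "TFTP: unauthenticated cleartext file transfer",
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str          # "allow" or "deny"
    direction: str       # "inbound" or "outbound"
    src: str             # address/CIDR or "any"
    dst: str             # address/CIDR or "any"
    service: str         # "<proto>/<port>" or "any"
    justification: str   # documented business need for the rule
    last_reviewed: date  # date a reviewer last confirmed the rule is still needed


@dataclass(frozen=True)
class Finding:
    rule_id: str
    kind: str
    detail: str


def review_rules(rules, today):
    """Return the findings a reviewer must remediate or formally accept."""
    findings = []
    for r in rules:
        age = today - r.last_reviewed
        if age > MAX_REVIEW_AGE:
            findings.append(Finding(r.rule_id, "review_overdue",
                                    f"last reviewed {age.days} days ago"))
        if r.action != "allow":
            continue  # deny rules add no exposure; staleness was still checked above
        if r.service in INSECURE_SERVICES:
            findings.append(Finding(r.rule_id, "insecure_service",
                                    INSECURE_SERVICES[r.service]))
        if r.service == "any" and "any" in (r.src, r.dst):
            findings.append(Finding(r.rule_id, "overly_permissive",
                                    f"{r.direction} {r.src} -> {r.dst} on any service"))
        if not r.justification.strip():
            findings.append(Finding(r.rule_id, "no_justification",
                                    "rule has no documented business need"))
    return findings


def build_review_record(rules, findings, reviewer, today):
    """Build the evidence artifact an assessor asks for: what was reviewed,
    by whom, when, what was found, and when the next review is due.
    The SHA-256 of the canonical rule set ties the record to exactly the
    configuration that was reviewed."""
    canonical = json.dumps([asdict(r) for r in rules], default=str, sort_keys=True)
    return {
        "review_date": today.isoformat(),
        "reviewer": reviewer,
        "rules_reviewed": len(rules),
        "ruleset_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "findings": [asdict(f) for f in findings],
        "next_review_due": (today + MAX_REVIEW_AGE).isoformat(),
    }


def sample_rules(today):
    """Constructed rule set used to exercise the review (not a real ruleset)."""
    def d(days):
        return today - timedelta(days=days)
    return [
        Rule("FW-001", "allow", "inbound", "any", "10.0.1.10", "tcp/443", "Public web tier (TLS)", d(30)),
        Rule("FW-002", "allow", "inbound", "any", "10.0.1.11", "tcp/23", "Legacy console access", d(200)),
        Rule("FW-003", "allow", "inbound", "any", "any", "any", "", d(10)),
        Rule("FW-004", "deny", "inbound", "any", "any", "any", "Default deny", d(10)),
        Rule("FW-005", "allow", "outbound", "10.0.2.0/24", "203.0.113.5", "tcp/21", "Vendor file transfer", d(100)),
    ]


if __name__ == "__main__":
    today = date.today()
    rules = sample_rules(today)
    record = build_review_record(rules, review_rules(rules, today), "J. Reviewer (constructed)", today)
    print(json.dumps(record, indent=2))
```

Running the script prints the review record as JSON; storing that output (signed or in a ticketing system) each cycle gives the dated artifact assessors look for, and the `next_review_due` field makes the six-month cadence explicit. The checks are deliberately simple; in practice the rule export would come from the firewall vendor’s own tooling and the insecure-service list would be maintained alongside the configuration standard.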