What is PCI Requirement 1.2.2?
PCI DSS Requirement 1.2.2 states, “Secure and synchronize router configuration files.” This requirement focuses on enforcing the security and controls surrounding your organization’s firewall and router configurations. Before your PCI DSS assessment, your organization needs to determine, “Are our router and configuration files secured from unauthorized access?”
- Do you back-up your firewall and router configurations?
- Where are they kept?
- How are they kept?
- Who has access to them?
- What are the controls around them?
In order to follow Requirement 1.2.2, assessors will also expect you to have reviewed your organization’s configuration standards and examined the files and configurations prior to your PCI DSS assessment.
PCI DSS Requirement 1.2.2
When we look at the actual firewall and router configs, there’s an incredible amount of information in those that lend to being hacked if they fell into the wrong hands. There’s authentication information, there’s certificates, there’s keys, there’s all sorts of good, sensitive information in there that could lend itself into a compromise if it fell into the wrong hands.
We need to make sure that where you have your firewall and router configurations – if you’re storing them offsite, if you’re backing them up – that these particular files are going to be maintained securely. We also want to make sure that the configs within the devices themselves are maintained securely.
So as assessors, we’re going to ask you: Do you back-up your firewall and router configs? If you do, where are they kept? How are they kept? Who has access to them? What are the controls around them? We’re also going to have those same types of conversations about the physical devices and the ability to console into those and gain access to that configuration information.