PCI DSS Requirement 1.4: Install Personal Firewall Software

PCI DSS Requirement 1.4: Install Personal Firewall Software

Unpacking PCI Requirement 1.4

PCI Requirement 1.4 states, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.” PCI DSS v3.2 explains that portable computing devices that are allowed to connect to the Internet from outside the corporate firewall are more vulnerable to Internet-based threats. The use of firewall functionality (e.g., personal firewall software or hardware) helps to protect devices from Internet-based attacks, which could use the device to gain access the organization’s systems and data once the device is re-connected to the network.

Jeff Wilder examines PCI DSS Requirement 1.4 and installing personal firewall software.
PCI Requirement 1.4 requires that wherever your organization has an employee-owned device, a laptop, or a portable device that connects to the Internet, and would also connect to your environment, that device has a personal firewall enabled. All of the rules that are subject to PCI DSS surrounding inbound and outbound traffic and establishing rules for authorized protocols, ports, and services – all of that applies to this as well. Assessors will expect you to have an authorized list of protocols, ports, and services (Requirement 1.1.6) that are allowed in and out of those personal laptops, employee-owned devices, or portable devices. These personal firewalls must be enabled, and they cannot be alterable by end-users. We want to ensure that end-users do not have the ability to open a port or service that isn’t authorized, or to shut it off if they desire to do so.

 

Video Transcription

PCI DSS Requirement 1.4

Requirement 1 has primarily been talking about securing your networks and establishing rules around firewalls and routers and all of those things to keep the bad guys out. Within the specific requirement, PCI DSS Requirement 1.4, it requires that where you have an employee-owned device or a laptop or a portable device that connects to the Internet and would also connect to your environment, we want to make sure that it as well has a personal firewall enabled. All of the rules that are subject to PCI DSS surround inbound and outbound traffic and establishing rules for authorized ports – all of that applies to this as well.

When we’re assessing for PCI Requirement 1.4, we expect that you have authorized ports and services that are allowed in and out of those personal laptops, employee-owned devices, or portable devices as well. These personal firewalls must be enabled, they cannot be alterable by the end-users. We want to make sure they don’t have the ability to open up a port or service that isn’t authorized to do so, or to shut if off if they desire to do so.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *