PCI Requirement 9.1.2 – Implement Physical and/or Logical Controls to Restrict Access to Publicly Accessible Network Jacks

by Randy Bartels / January 31st, 2018

Controls for Publicly Accessible Network Jacks

To ensure that visitors cannot exploit network jacks, PCI Requirement 9.1.2 requires that organizations implement physical controls and/or implement logical controls that restrict access to publicly accessible network jacks. The PCI DSS also explains, “Restricting access to network jacks will prevent malicious individuals from plugging into readily available network jacks and gain access into internal network resources. Whether logical or physical controls, or a combination of both, are used, they should be sufficient to prevent an individual or device that is not explicitly authorized from being able to connect to the network.”

Your organization could comply with PCI Requirement 9.1.2 in several ways. You could implement logical controls, for example by keeping network jacks (network ports) located in public areas, or in any area accessible to visitors, disabled by default and enabling them only when network access is explicitly authorized by management. Or, your organization could implement physical controls, such as having a process in place so that visitors are escorted at all times in areas that have active, enabled, publicly accessible network jacks.

During an assessment, your staff will be interviewed and assessors will observe the locations of publicly accessible network jacks. Assessors need to verify that you implement physical controls and/or logical controls that restrict access to publicly accessible network jacks.

You need to maintain a log of the guests and vendors who have come in and out of your environment. This log needs to reside in two places: where someone enters your facility, and where someone enters your data center or other sensitive areas.

The PCI DSS is quite specific about the information you are required to retain and how long you are required to retain it. This information includes the individual’s name, the firm they represent, and who authorized them to enter the facility. This information is then retained for at least 90 days. I find that many organizations keep this information almost in perpetuity, which is fine, but they fail in a couple of areas. First, they don’t have the necessary information on the log-in sheet. They might have the date, they might have the year, they might have the purpose of the visit; however, they’re missing the necessary points of information: name, the firm they represent, and who has authorized their entry.

From an assessment perspective, we’re looking for that log-in sheet in both places (as you’re entering the facility and then as you enter your sensitive areas), and we’re looking to see that you have 90 days’ worth of that information.
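As an added illustration (not part of the original post or of any PCI SSC tooling), the following script checks a visitor log the way the assessment described above reads it: every entry carries name, firm and authorizer, a log exists for both the facility entrance and the sensitive area, and the dated entries reach back at least 90 days. The field names, area labels and sample entries are constructed assumptions.

```python
from datetime import date

# Fields PCI DSS requires on the visitor log (name, firm represented,
# who authorized entry) plus the date needed to prove retention.
REQUIRED_FIELDS = ("date", "name", "firm", "authorized_by")
RETENTION_DAYS = 90
# The log must exist at both the facility entrance and the sensitive areas.
REQUIRED_AREAS = ("facility", "data_center")

# Constructed sample entries (not real visitor data).
SAMPLE_LOG = [
    {"area": "facility", "date": "2018-01-30", "name": "A. Visitor",
     "firm": "Example Vendor LLC", "authorized_by": "J. Manager"},
    {"area": "data_center", "date": "2018-01-30", "name": "A. Visitor",
     "firm": "Example Vendor LLC", "authorized_by": ""},   # authorizer missing
    {"area": "facility", "date": "2017-10-20", "name": "B. Guest",
     "firm": "Example Co", "authorized_by": "K. Lead"},
]


def missing_fields(entry):
    """Return the required fields that are absent or blank in one entry."""
    return [f for f in REQUIRED_FIELDS if not str(entry.get(f, "")).strip()]


def audit_visitor_log(entries, as_of, retention_days=RETENTION_DAYS):
    """Audit a visitor log as an assessor would read it.

    Reports entries missing required fields, required areas with no log
    entries at all, and whether the oldest dated entry reaches back at
    least retention_days before as_of (90 days' worth of log on hand).
    as_of may be a datetime.date or an ISO-8601 string.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    incomplete = []
    for i, e in enumerate(entries):
        m = missing_fields(e)
        if m:
            incomplete.append((i, m))
    areas_seen = {e.get("area") for e in entries}
    areas_missing = [a for a in REQUIRED_AREAS if a not in areas_seen]
    dated = [date.fromisoformat(e["date"]) for e in entries if e.get("date")]
    oldest = min(dated) if dated else None
    retention_ok = oldest is not None and (as_of - oldest).days >= retention_days
    return {"incomplete": incomplete, "areas_missing": areas_missing,
            "oldest": oldest, "retention_ok": retention_ok}


if __name__ == "__main__":
    print(audit_visitor_log(SAMPLE_LOG, "2018-01-31"))
```

Note that a log whose oldest entry is recent may simply mean there were no visitors earlier, so a failing retention check is a prompt to ask for the older sheets, not proof they were discarded.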