
PCI DSS Requirements and Security Assessment Procedures

Copyright 2010 PCI Security Standards Council LLC


1.0.0  Build and Maintain a Secure Network - Requirement 1


Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.

Worksheet columns: ID | PCI DSS Requirements | Testing Procedures | Select (In Place / Not In Place) | Target Date/Comments

1.1.0
Requirement 1.1: Establish firewall and router configuration standards that include the following: the requirements in 1.1.1 through 1.1.6.
Testing procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete.

1.1.1
Requirement 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations.
Testing procedure 1.1.1: Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
Select: In Place / Not In Place

(c) Preparation by Prep4Audit LLC

1.1.2
Requirement 1.1.2: Current network diagram with all connections to cardholder data, including any wireless networks.
Testing procedure 1.1.2.a: Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.
Testing procedure 1.1.2.b: Verify that the diagram is kept current.
Select: Not In Place
1.1.3
Requirement 1.1.3: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Testing procedure 1.1.3.a: Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.
Select: In Place
Testing procedure 1.1.3.b: Verify that the current network diagram is consistent with the firewall configuration standards.
Select: Not In Place

1.1.4
Requirement 1.1.4: Description of groups, roles, and responsibilities for logical management of network components.
Testing procedure 1.1.4: Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.
Select: In Place

1.1.5
Requirement 1.1.5: Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Testing procedure 1.1.5.a: Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
Testing procedure 1.1.5.b: Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.

1.1.6
Requirement 1.1.6: Requirement to review firewall and router rule sets at least every six months.
Testing procedure 1.1.6.a: Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
Testing procedure 1.1.6.b: Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.
Select: In Place

1.2.0
Requirement 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Note: An untrusted network is any network that is external to the networks belonging to the entity under review, and/or
Testing procedure 1.2: Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as specified below.

1.2.1
Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Testing procedure 1.2.1.a: Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
Testing procedure 1.2.1.b: Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.
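As an added illustration of testing procedures 1.1.5.b and 1.2.1.b (example code written for this page, not part of the PCI DSS worksheet or Prep4Audit's material): a small Python audit of a constructed rule set that flags allowed services with no documented business justification, insecure services (the worksheet's FTP, Telnet, POP3, IMAP, SNMP examples) with no documented security features, and a rule set that does not close with an explicit "deny all"; `decide` shows first-match evaluation in which an unmatched service is implicitly denied. The `Rule` fields, service names and sample rules are assumptions, not an actual device format.

```python
from dataclasses import dataclass

# Services the worksheet names as examples of insecure protocols (1.1.5).
INSECURE_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp"}


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    service: str                 # e.g. "https", "ftp", or "any"
    justification: str = ""      # documented business need (1.1.5)
    security_features: str = ""  # documented mitigations for insecure services (1.1.5.b)


def decide(rules, service):
    """First-match evaluation; a service matching no rule is implicitly denied (1.2.1.b)."""
    for r in rules:
        if r.service in (service, "any"):
            return r.action
    return "deny"


def audit_rules(rules):
    """Return (rule_index, finding) pairs for the 1.1.5 and 1.2.1.b checks."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if not r.justification:
            findings.append((i, f"1.1.5: '{r.service}' allowed without business justification"))
        if r.service in INSECURE_SERVICES and not r.security_features:
            findings.append((i, f"1.1.5.b: insecure service '{r.service}' has no documented security features"))
    # 1.2.1.b: the rule set should end with an explicit deny-all rather than rely on device defaults.
    if not rules or rules[-1].action != "deny" or rules[-1].service != "any":
        findings.append((len(rules), "1.2.1.b: rule set does not end with an explicit 'deny all'"))
    return findings


# Constructed sample rule set (hypothetical, for illustration only).
SAMPLE_RULES = [
    Rule("allow", "https", justification="customer checkout"),
    Rule("allow", "ssh", justification="admin access from jump host"),
    Rule("allow", "ftp", justification="legacy batch transfer"),   # insecure, no mitigation recorded
    Rule("allow", "snmp", justification="monitoring", security_features="SNMPv3 authPriv only"),
    Rule("allow", "telnet"),                                        # neither justified nor mitigated
]

if __name__ == "__main__":
    for idx, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
    print("unlisted service smtp ->", decide(SAMPLE_RULES, "smtp"))
```

Running the block prints four findings for the sample (ftp without mitigations, telnet twice, and the missing deny-all) and shows that an unlisted service is denied by default.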
