A look at documentation requirements for PCI DSS.
I've been reviewing the Payment Card Industry Data Security Standard (PCI DSS) for purposes of obtaining compliance. The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data.

Requirement 1.1 Establish firewall and router configuration standards that include the following:
Requirement 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall and router configurations.

An obvious question is what form these standards and processes must take in order to comply with these requirements. The standard's own test procedures and guidance give some direction:
Test Procedure 1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete.
Test Procedure 1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
Guidance 1.1 Without policies and procedures in place to document how staff should configure firewalls and routers ... The policies and procedures will help to ensure that the organization’s first line of defence in the protection of its data remains strong.
Guidance 1.1.1 A policy and process for approving and testing all connections and changes to the firewalls and routers will help prevent security problems caused by misconfiguration of the network, router, or firewall.

The glossary provides these hints:
Policy: Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
Procedure: A descriptive narrative for a policy. A procedure is the “how to” for a policy and describes how the policy is to be implemented.

In effect, these requirements introduce the following documents into an organization.