Test and approve all firewall changes, ensuring the changes and changed documentation match and meet organizational standards.

UCF ID: 00548
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a firewall standard for an overarching placement of all types of firewalls. [UCF Control ID 00546]

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 44, Exam Tier II Obj B.10, Exam Tier II Obj M.4; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.2; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 4.3; The Standard of Good Practice for Information Security, NW2.2.6, NW2.2.7; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.1.1; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCSS-1

Banking and Finance Guidance

Changes to the firewall should be managed through well-administered change control procedures. [Pg 44, Exam Tier II Obj B.10, Exam Tier II Obj M.4, FFIEC IT Examination Handbook – Information Security]

Payment Card Guidance

The router and firewall configuration standards must include formal procedures for testing and approving any changes. [§ 1.1.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

[AC-3.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]

Test that system initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state. [DCSS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

NIST Guidance

Testing firewall policy involves comparing the firewall’s actual configuration to a written description of the configuration to ensure they match up. Another way to test is to mimic attacks on the system and see if the firewall does the job it is intended to do. [§ 4.3, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]
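As an added illustration of the comparison this NIST passage describes (example code written for this page, not part of the UCF record or of NIST SP 800-41), the following script normalises a documented rule standard and a device's actual rule set into comparable records and reports drift in both directions; the five-field rule format and the sample rules are constructed for the example.

```python
"""Compare a firewall's running rule set with its documented standard."""
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    dport: str

def parse_rules(text: str) -> set[Rule]:
    """Parse 'action proto src dst dport' lines; normalise case/spacing,
    skip '#' comments and blanks, reject any other malformed line."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.lower().split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule line: {raw!r}")
        rules.add(Rule(*fields))
    return rules

def compare(documented: str, actual: str) -> dict:
    """Report rules on the device that the standard lacks (undocumented)
    and rules the standard requires that the device lacks (missing)."""
    doc, act = parse_rules(documented), parse_rules(actual)
    undocumented, missing = sorted(act - doc), sorted(doc - act)
    return {"undocumented": undocumented, "missing": missing,
            "compliant": not undocumented and not missing}

# Constructed sample inputs (not taken from any real device or standard)
DOCUMENTED_STANDARD = """
# action proto src        dst       dport
allow    tcp   10.0.0.0/8 10.1.1.10 443
allow    tcp   10.0.0.0/8 10.1.1.11 22
deny     any   any        any       any
"""
ACTUAL_CONFIG = """
ALLOW tcp 10.0.0.0/8 10.1.1.10 443
allow tcp 0.0.0.0/0  10.1.1.12 3389   # applied without a documented change
deny  any any        any       any
"""

if __name__ == "__main__":
    for key, value in compare(DOCUMENTED_STANDARD, ACTUAL_CONFIG).items():
        print(key, value)
```

Either finding is a change-control failure: an undocumented rule means the device changed without the standard, a missing rule means the standard changed without the device.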

General Guidance

Firewalls should filter traffic based on predefined rules that have been developed by trusted individuals based on least access and on the information security policy and network procedures; rules should be documented and kept up-to-date. Before rules are applied to the firewall, they should be verified and approved by the network owner. [NW2.2.6, NW2.2.7, The Standard of Good Practice for Information Security]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of system architecture changes that were approved through appropriate change procedure channels. [UCF Control ID 02061]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.