Status: Live
The organization will ensure that all web-facing applications have application layer firewalls installed and properly configured. [UCF ID 01450]
Supporting and supported controls
This control directly supports:
- Establish and maintain firewall design and configuration practices [UCF Control ID 00544]
There are no supporting controls.
Authority documents complied with:
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 6.6; The Standard of Good Practice for Information Security, CB6.4.3(a), SD4.6.4(a); Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 6.6; Archer Control Table, ATCS-500
Payment Card Guidance
The organization must ensure public-facing web applications are protected by installing a web-application firewall or reviewing the applications at least annually and after changes are made with an automated or manual security assessment tool.
Verify public-facing web applications have an application layer firewall installed to detect and prevent web-based attacks or the applications are reviewed by an automated or manual security assessment tool at least annually, when changes are made to the application, by an organization specializing in application security, identified vulnerabilities are corrected, and the application is reevaluated when the corrections are made. [§ 6.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must ensure public-facing web applications are protected by installing a web-application firewall or reviewing the applications at least annually and after changes are made with an automated or manual security assessment tool. [§ 6.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
General Guidance
Connections between applications and web servers should be protected by an application layer firewall. [CB6.4.3(a), SD4.6.4(a), The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy [UCF Control ID 02116]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
