Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015



AD ID

0002756

AD STATUS

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015

ORIGINATOR

PCI Security Standards Council

TYPE

Contractual Obligation

AVAILABILITY

Free

SYNONYMS

PCI DSS 3.1 - Testing Procedures

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures

EFFECTIVE

2015-04-01

ADDED

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015 that has been tagged with its primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
30 Mandated Controls - bold | 27 Implied Controls - italic | 84 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 141 Total
  • Monitoring and measurement (5 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular
    Each row: control text, CC ID, [citation(s) with the PCI DSS testing procedure number], TYPE, CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Perform penetration tests, as necessary. CC ID 00655 Testing Detective
    Test the system for insecure configuration management. CC ID 01327
    [{insecure protocol} {insecure port} Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port. 1.1.6.c]
    Testing Detective
  • Operational management (7 controls)
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Manage change requests. CC ID 00887 Business Processes Preventive
    Test proposed changes prior to their approval. CC ID 00548
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c]
    Testing Detective
    Approve tested change requests. CC ID 11783
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c]
    Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
  • System hardening through configuration management (48 controls)
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Change default configurations, as necessary. CC ID 00877
    [Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c]
    Configuration Preventive
    Configure custom security parameters for X-Windows. CC ID 02168 Configuration Preventive
    Configure custom security settings for Lotus Domino. CC ID 02171 Configuration Preventive
    Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 Configuration Preventive
    Configure custom security settings for Sun Answerbook2. CC ID 02178 Configuration Preventive
    Configure custom security settings for Command (PROM) Monitor. CC ID 02180 Configuration Preventive
    Configure and secure each interface for Executive Interfaces. CC ID 02182 Configuration Preventive
    Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 Configuration Preventive
    Configure the Unisys Executive (GENNED) GEN tags. CC ID 02184 Configuration Preventive
    Reconfigure the default Console Mode privileges. CC ID 02189 Configuration Preventive
    Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 Configuration Preventive
    Configure security profiles for the various Console Mode levels. CC ID 02191 Configuration Preventive
    Configure custom access privileges for all mapper files. CC ID 02194 Configuration Preventive
    Configure custom access privileges for the PSERVER configuration file. CC ID 02195 Configuration Preventive
    Configure custom access privileges for the DEPCON configuration file. CC ID 02196 Configuration Preventive
    Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 Configuration Preventive
    Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 Configuration Preventive
    Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 Configuration Preventive
    Complete the NetWare eGuide configuration. CC ID 04449 Configuration Preventive
    Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 Configuration Preventive
    Set the low security directory list properly. CC ID 04903 Configuration Preventive
    Set the medium security directory list properly. CC ID 04904 Configuration Preventive
    Set the high security directory list properly. CC ID 04905 Configuration Preventive
    Set the UID aliases pointer properly. CC ID 04906 Configuration Preventive
    Verify users are listed in the ASET userlist file. CC ID 04907 Technical Security Preventive
    Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 Testing Preventive
    Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 Configuration Preventive
    Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 Configuration Preventive
    Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 Configuration Preventive
    Configure the system's booting configuration. CC ID 10656 Configuration Preventive
    Configure the system to boot directly to the correct Operating System. CC ID 04509 Configuration Preventive
    Verify an appropriate bootloader is used. CC ID 04900 Configuration Preventive
    Configure the ability to boot from USB devices, as appropriate. CC ID 04901 Configuration Preventive
    Configure the system to boot from hardware enforced read-only media. CC ID 10657 Configuration Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 Technical Security Preventive
    Change all default authenticators. CC ID 15309
    [Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) 2.1.a]
    Configuration Preventive
    Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 Configuration Preventive
    Configure user accounts. CC ID 07036 Configuration Preventive
    Remove unnecessary default accounts. CC ID 01539
    [For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. 2.1.b
    Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c]
    Configuration Preventive
    Disable or delete shared User IDs. CC ID 12478 Configuration Corrective
    Verify that no UID 0 accounts exist other than root. CC ID 01585 Configuration Detective
    Disable or delete generic user IDs. CC ID 12479 Configuration Corrective
    Disable all unnecessary user identifiers. CC ID 02185 Configuration Preventive
    Remove unnecessary user credentials. CC ID 16409 Configuration Preventive
    Remove the root user as appropriate. CC ID 01582 Configuration Preventive
    Disable or remove the null account. CC ID 06572 Configuration Preventive
  • Technical security (81 controls)
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Include digital identification procedures in the access control program. CC ID 11841 Technical Security Preventive
    Employ unique identifiers. CC ID 01273
    [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2]
    Testing Detective
    Require proper authentication for user identifiers. CC ID 11785
    [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2]
    Technical Security Preventive
    Assign authenticators to user accounts. CC ID 06855 Configuration Preventive
    Assign authentication mechanisms for user account authentication. CC ID 06856 Configuration Preventive
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical Security Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Establish/Maintain Documentation Preventive
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Configuration Preventive
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical Security Preventive
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Establish Roles Preventive
    Employ live scans to verify biometric authentication. CC ID 06847 Technical Security Preventive
    Identify the user when enrolling them in the biometric system. CC ID 06882 Testing Detective
    Disallow self-enrollment of biometric information. CC ID 11834 Process or Activity Preventive
    Tune the biometric identification equipment, as necessary. CC ID 07077 Configuration Corrective
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Communicate Preventive
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Establish/Maintain Documentation Preventive
    Maintain up-to-date network diagrams. CC ID 00531
    [{network diagram} Interview responsible personnel to verify that the diagram is kept current. 1.1.2.b
    Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.a]
    Establish/Maintain Documentation Preventive
    Include the date of the most recent update on the network diagram. CC ID 14319 Establish/Maintain Documentation Preventive
    Include virtual systems in the network diagram. CC ID 16324 Data and Information Management Preventive
    Include the organization's name in the network diagram. CC ID 14318 Establish/Maintain Documentation Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Process or Activity Detective
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Establish/Maintain Documentation Preventive
    Include Domain Name System names in the network diagram. CC ID 16240 Establish/Maintain Documentation Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Establish/Maintain Documentation Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Communicate Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Establish/Maintain Documentation Preventive
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891
    [Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. 1.3.8.a]
    Technical Security Preventive
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034
    [Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized. 1.3.8.b]
    Communicate Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical Security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical Security Preventive
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Data and Information Management Preventive
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998
    [Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. 1.3.2]
    Technical Security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993
    [{inbound Internet traffic} Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1]
    Technical Security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7]
    Data and Information Management Preventive
    Establish, implement, and maintain a network access control standard. CC ID 00546 Establish/Maintain Documentation Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410
    [Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components. 1.1.5.a
    Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented. 1.1.5.b]
    Establish Roles Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical Security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274
    [Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 1.1.4.c]
    Configuration Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293
    [Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment. 1.2.3.a]
    Configuration Preventive
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Configuration Preventive
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested. 1.1.1.b]
    Process or Activity Detective
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903
    [Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.7.a
    Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. 1.1.7.b]
    Technical Security Corrective
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a
    {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b
    {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3]
    Establish/Maintain Documentation Preventive
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a
    {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b
    {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3]
    Establish/Maintain Documentation Preventive
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847
    [Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3.b]
    Configuration Preventive
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537
    [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a]
    Establish/Maintain Documentation Preventive
    Configure network ports to organizational standards. CC ID 14007 Configuration Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Establish/Maintain Documentation Preventive
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Establish/Maintain Documentation Preventive
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280
    [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a]
    Establish/Maintain Documentation Preventive
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Establish/Maintain Documentation Preventive
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Establish/Maintain Documentation Preventive
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550
    [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a
    {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b]
    Configuration Preventive
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420
    [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a
    {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b]
    Technical Security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Configuration Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. 1.2.1.c]
    Configuration Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Configuration Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Configuration Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Configuration Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Configuration Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Configuration Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Configuration Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Configuration Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Configuration Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Configuration Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Configuration Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Configuration Preventive
    Configure firewalls to perform dynamic packet filtering. CC ID 01288
    [Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 1.3.6]
    Testing Detective
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical Security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical Security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Data and Information Management Preventive
    Synchronize and secure all router configuration files. CC ID 01291
    [{router configuration files} Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). 1.2.2.b]
    Configuration Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical Security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Establish/Maintain Documentation Preventive
    Store cryptographic keys securely. CC ID 01298
    [Verify that key-management procedures specify how to securely store keys. 3.6.3.a]
    Data and Information Management Preventive
    Restrict access to cryptographic keys. CC ID 01297 Data and Information Management Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Data and Information Management Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical Security Preventive
Common Controls and mandates by Type
30 Mandated Controls (bold), 27 Implied Controls (italic), 84 Implementation (regular)

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls: 141 Total
  • Behavior (3)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold; Implied - italic; Implementation - regular. Trailing columns on each row: IMPACT ZONE, CLASS
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
  • Business Processes (1)
    Manage change requests. CC ID 00887 Operational management Preventive
  • Communicate (3)
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Preventive
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034
    [Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized. 1.3.8.b]
    Technical security Preventive
  • Configuration (67)
    Assign authenticators to user accounts. CC ID 06855 Technical security Preventive
    Assign authentication mechanisms for user account authentication. CC ID 06856 Technical security Preventive
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Technical security Preventive
    Tune the biometric identification equipment, as necessary. CC ID 07077 Technical security Corrective
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274
    [Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 1.1.4.c]
    Technical security Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293
    [Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment. 1.2.3.a]
    Technical security Preventive
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Technical security Preventive
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847
    [Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3.b]
    Technical security Preventive
    Configure network ports to organizational standards. CC ID 14007 Technical security Preventive
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550
    [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a
    {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b]
    Technical security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. 1.2.1.c]
    Technical security Preventive
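Test 1.2.1.c above, together with test 1.3.6 (stateful inspection, mapped earlier on this page under CC ID 01288), is what an assessor actually reads out of a ruleset: every inbound chain must end in a deny, whether as the chain policy or as a trailing explicit "deny all", and the only way established traffic gets back in is through a connection-tracking rule. The following Python script is an added example and is not part of the PCI SSC document or the UCF mapping. It audits an `iptables-save` dump for both conditions; the two rulesets embedded in it are constructed for illustration, and it examines only the filter table's INPUT and FORWARD chains (a real assessment would also walk the nat table and any user-defined chains that traffic is jumped into).

```python
"""Audit an iptables-save dump for PCI DSS 3.1 tests 1.2.1.c (explicit or
implicit deny-all) and 1.3.6 (stateful inspection).

Added example, not part of the PCI SSC document or the UCF mapping.  The
rulesets below are constructed for illustration.
"""
import re
import shlex

# Constructed sample: deny-by-default filter table whose only inbound holes
# are the conntrack rule, loopback and HTTPS; FORWARD permits one DB flow.
SAMPLE_GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 10.2.0.10 -p tcp --dport 5432 -j ACCEPT
COMMIT
"""

# Constructed sample with the failures an assessor would flag: INPUT falls
# through to the ACCEPT policy, and neither chain has a stateful match.
# FORWARD does end in an explicit "deny all", which satisfies 1.2.1.c.
SAMPLE_BAD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp --dport 5432 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

# Matches both the conntrack module and the older state module syntax.
STATEFUL = re.compile(r"(--ctstate|--state)\s+\S*ESTABLISHED")


def parse_filter_table(dump):
    """Return ({chain: policy}, {chain: [token lists]}) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rules.setdefault(toks[1], []).append(toks)
    return policies, rules


def target(toks):
    return toks[toks.index("-j") + 1] if "-j" in toks else None


def is_unconditional(toks):
    """True for a rule with no match options at all: `-A CHAIN -j TARGET`."""
    return len(toks) == 4


def audit(dump, chains=("INPUT", "FORWARD")):
    """Return a list of findings; an empty list means both tests pass."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in chains:
        chain_rules = rules.get(chain, [])
        last = chain_rules[-1] if chain_rules else None
        # 1.2.1.c: deny-all as the chain policy (implicit deny after the
        # allow statements) or as a trailing unconditional DROP/REJECT.
        explicit_deny = (last is not None and is_unconditional(last)
                         and target(last) in ("DROP", "REJECT"))
        if policies.get(chain) != "DROP" and not explicit_deny:
            findings.append(f"{chain}: no deny-all (policy {policies.get(chain)})")
        # 1.3.6: stateful inspection, i.e. an ESTABLISHED/RELATED accept rule.
        if not any(STATEFUL.search(" ".join(t)) and target(t) == "ACCEPT"
                   for t in chain_rules):
            findings.append(f"{chain}: no stateful ESTABLISHED,RELATED rule")
        # Any unconditional ACCEPT defeats both tests regardless of policy.
        for t in chain_rules:
            if is_unconditional(t) and target(t) == "ACCEPT":
                findings.append(f"{chain}: unconditional ACCEPT")
    return findings


if __name__ == "__main__":
    for name, dump in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit(dump) or "PASS")
```

On a Linux firewall, feed the script live output, for example `audit(subprocess.check_output(["iptables-save"], text=True))`, and repeat for `ip6tables-save`. An nftables ruleset (`nft list ruleset`) has a different grammar and would need its own parser; the two conditions being checked are the same.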
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Preventive
    Synchronize and secure all router configuration files. CC ID 01291
    [{router configuration files} Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). 1.2.2.b]
    Technical security Preventive
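A concrete way to perform test 1.2.2.b, given here as an added example rather than anything from the PCI SSC document or the UCF mapping: capture `show running-config` and `show startup-config`, drop the lines the platform rewrites on its own, and diff what is left. The two Cisco-IOS-style configurations below are constructed; the drift they expose is an unsaved ACL entry opening port 22, which is exactly the kind of change this procedure exists to surface, because a change that lives only in the running configuration has usually bypassed the change control tested under 1.1.1. The set of volatile lines is an assumption about one platform and must be tuned for others.

```python
"""Compare a router's running configuration with its start-up configuration
(PCI DSS 3.1 test 1.2.2.b).

Added example, not from the PCI SSC document or the UCF mapping.  Both
configurations below are constructed; VOLATILE is an assumption about
IOS-style output and needs adjusting for other platforms.
"""
import difflib
import re

# Lines the device rewrites by itself; they differ between the two files
# without anyone having changed the configuration.
VOLATILE = re.compile(
    r"^(!|\s*$|ntp clock-period|Building configuration|Current configuration"
    r"|Using \d+ out of \d+ bytes)"
)

STARTUP = """\
Using 1843 out of 262144 bytes
!
! Last configuration change at 09:12:04 UTC Mon Mar 2 2015
!
hostname edge-rtr1
!
ntp clock-period 17179980
!
interface GigabitEthernet0/0
 description UPLINK
 ip address 203.0.113.2 255.255.255.252
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
"""

# Constructed running config carrying one unsaved change: an extra permit
# for port 22 from anywhere.
RUNNING = """\
Building configuration...
Current configuration : 1902 bytes
!
! Last configuration change at 14:37:51 UTC Thu Apr 23 2015
!
hostname edge-rtr1
!
ntp clock-period 17180012
!
interface GigabitEthernet0/0
 description UPLINK
 ip address 203.0.113.2 255.255.255.252
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any log
!
"""


def normalize(config):
    """Drop volatile lines and trailing whitespace so only real content diffs."""
    return [ln.rstrip() for ln in config.splitlines() if not VOLATILE.match(ln)]


def config_drift(running, startup):
    """Return the differing lines: '+' for lines only in running-config,
    '-' for lines only in startup-config.  Empty list means synchronized."""
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                fromfile="startup-config",
                                tofile="running-config",
                                lineterm="", n=0)
    return [ln for ln in diff
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


def is_synchronized(running, startup):
    return not config_drift(running, startup)


if __name__ == "__main__":
    for ln in config_drift(RUNNING, STARTUP):
        print(ln)
    print("synchronized:", is_synchronized(RUNNING, STARTUP))
```

Run it against the saved text of the two `show` commands for every router in the sample. A non-empty result is a finding for 1.2.2.b; each `+` line is then cross-checked against the change records examined under 1.1.1.c.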
    Change default configurations, as necessary. CC ID 00877
    [Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c]
    System hardening through configuration management Preventive
    Configure custom security parameters for X-Windows. CC ID 02168 System hardening through configuration management Preventive
    Configure custom security settings for Lotus Domino. CC ID 02171 System hardening through configuration management Preventive
    Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 System hardening through configuration management Preventive
    Configure custom Security settings for Sun Answerbook2. CC ID 02178 System hardening through configuration management Preventive
    Configure custom security settings for Command (PROM) Monitor. CC ID 02180 System hardening through configuration management Preventive
    Configure and secure each interface for Executive Interfaces. CC ID 02182 System hardening through configuration management Preventive
    Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 System hardening through configuration management Preventive
    Configure the unisys executive (GENNED) GEN tags. CC ID 02184 System hardening through configuration management Preventive
    Reconfigure the default Console Mode privileges. CC ID 02189 System hardening through configuration management Preventive
    Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 System hardening through configuration management Preventive
    Configure security profiles for the various Console Mode levels. CC ID 02191 System hardening through configuration management Preventive
    Configure custom access privileges for all mapper files. CC ID 02194 System hardening through configuration management Preventive
    Configure custom access privileges for the PSERVER configuration file. CC ID 02195 System hardening through configuration management Preventive
    Configure custom access privileges for the DEPCON configuration file. CC ID 02196 System hardening through configuration management Preventive
    Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 System hardening through configuration management Preventive
    Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 System hardening through configuration management Preventive
    Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 System hardening through configuration management Preventive
    Complete the NetWare eGuide configuration. CC ID 04449 System hardening through configuration management Preventive
    Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 System hardening through configuration management Preventive
    Set the low security directory list properly. CC ID 04903 System hardening through configuration management Preventive
    Set the medium security directory list properly. CC ID 04904 System hardening through configuration management Preventive
    Set the high security directory list properly. CC ID 04905 System hardening through configuration management Preventive
    Set the UID aliases pointer properly. CC ID 04906 System hardening through configuration management Preventive
    Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 System hardening through configuration management Preventive
    Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 System hardening through configuration management Preventive
    Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 System hardening through configuration management Preventive
    Configure the system's booting configuration. CC ID 10656 System hardening through configuration management Preventive
    Configure the system to boot directly to the correct Operating System. CC ID 04509 System hardening through configuration management Preventive
    Verify an appropriate bootloader is used. CC ID 04900 System hardening through configuration management Preventive
    Configure the ability to boot from USB devices, as appropriate. CC ID 04901 System hardening through configuration management Preventive
    Configure the system to boot from hardware enforced read-only media. CC ID 10657 System hardening through configuration management Preventive
    Change all default authenticators. CC ID 15309
    [Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) 2.1.a]
    System hardening through configuration management Preventive
    Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 System hardening through configuration management Preventive
    Configure user accounts. CC ID 07036 System hardening through configuration management Preventive
    Remove unnecessary default accounts. CC ID 01539
    [For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. 2.1.b
    Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c]
    System hardening through configuration management Preventive
    Disable or delete shared User IDs. CC ID 12478 System hardening through configuration management Corrective
    Verify that no UID 0 accounts exist other than root. CC ID 01585 System hardening through configuration management Detective
    Disable or delete generic user IDs. CC ID 12479 System hardening through configuration management Corrective
    Disable all unnecessary user identifiers. CC ID 02185 System hardening through configuration management Preventive
    Remove unnecessary user credentials. CC ID 16409 System hardening through configuration management Preventive
    Remove the root user as appropriate. CC ID 01582 System hardening through configuration management Preventive
    Disable or remove the null account. CC ID 06572 System hardening through configuration management Preventive
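Test 2.1.b and the UID 0 check above (CC ID 01585) can be scripted for the Unix hosts in a sample. The following Python is an added example, not from the PCI SSC document or the UCF mapping. The passwd and shadow content is constructed, and DEFAULT_ACCOUNTS is a placeholder for the list the organization assembles from vendor manuals for the platforms in scope. It treats a default account as disabled only when it has both a non-interactive shell and a locked password, because a locked password alone still admits key-based SSH logins, and a nologin shell alone still lets the password authenticate to other PAM services. It does not replace test 2.1.a, which is the live attempt to log on with vendor-supplied credentials.

```python
"""Check local accounts for PCI DSS 3.1 test 2.1.b (unnecessary default
accounts removed or disabled) and for UID 0 accounts other than root.

Added example, not from the PCI SSC document or the UCF mapping.  The
passwd/shadow text and DEFAULT_ACCOUNTS are constructed for illustration;
the real list comes from the vendor manuals for the sampled systems.
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed: account names the vendor ships pre-created on this platform.
DEFAULT_ACCOUNTS = {"pi", "admin", "guest", "support", "ubnt"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pi:x:1000:1000:default user:/home/pi:/bin/bash
admin:x:1001:1001:appliance admin:/home/admin:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/usr/sbin/nologin
posapp:x:1003:1003:POS service:/srv/posapp:/bin/bash
"""

# Constructed; the hash fields are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$notarealhash:16527:0:99999:7:::
toor:$6$c0nstructed$notarealhash:16527:0:99999:7:::
daemon:*:16527:0:99999:7:::
pi:$6$c0nstructed$notarealhash:16527:0:99999:7:::
admin:$6$c0nstructed$notarealhash:16527:0:99999:7:::
guest:!:16527:0:99999:7:::
posapp:$6$c0nstructed$notarealhash:16527:0:99999:7:::
"""


def parse_passwd(text):
    """name -> (uid, login shell) from passwd(5) lines."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = (int(f[2]), f[6])
    return out


def parse_shadow(text):
    """name -> password field from shadow(5) lines."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = f[1]
    return out


def password_locked(field):
    # passwd -l / usermod -L prefix the hash with '!'; '*' or '!!' mean no
    # usable password was ever set.  An empty field means no password at all,
    # which is the opposite of locked.
    return field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text, defaults=DEFAULT_ACCOUNTS):
    """Return findings for the two checks; an empty list means both pass."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, (uid, shell) in passwd.items():
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if name in defaults:
            reasons = []
            if shell not in NOLOGIN_SHELLS:
                reasons.append(f"interactive shell {shell}")
            if not password_locked(shadow.get(name, "")):
                reasons.append("password not locked")
            if reasons:
                findings.append(
                    f"{name}: default account not disabled ({', '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW) or ["PASS"]:
        print(finding)
```

On a real host run it as root with the contents of /etc/passwd and /etc/shadow; a `guest` entry with a `!` password and a nologin shell passes, while `toor` (a second UID 0) and `pi` (interactive shell, usable password) are findings. Accounts that authenticate through LDAP or a directory are not in these files and need a separate query.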
  • Data and Information Management (8)
    Include virtual systems in the network diagram. CC ID 16324 Technical security Preventive
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Technical security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7]
    Technical security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Preventive
    Store cryptographic keys securely. CC ID 01298
    [Verify that key-management procedures specify how to securely store keys. 3.6.3.a]
    Technical security Preventive
    Restrict access to cryptographic keys. CC ID 01297 Technical security Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Preventive
    Approve tested change requests. CC ID 11783
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c]
    Operational management Preventive
  • Establish Roles (2)
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Technical security Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410
    [Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components. 1.1.5.a
    Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented. 1.1.5.b]
    Technical security Preventive
  • Establish/Maintain Documentation (22)
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Preventive
    Maintain up-to-date network diagrams. CC ID 00531
    [{network diagram} Interview responsible personnel to verify that the diagram is kept current. 1.1.2.b
    Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.a]
    Technical security Preventive
    Include the date of the most recent update on the network diagram. CC ID 14319 Technical security Preventive
    Include the organization's name in the network diagram. CC ID 14318 Technical security Preventive
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Technical security Preventive
    Include Domain Name System names in the network diagram. CC ID 16240 Technical security Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Technical security Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Technical security Preventive
    Establish, implement, and maintain a network access control standard. CC ID 00546 Technical security Preventive
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a
    {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b
    {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3]
    Technical security Preventive
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a
    {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b
    {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3]
    Technical security Preventive
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537
    [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a]
    Technical security Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Preventive
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Technical security Preventive
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280
    [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a]
    Technical security Preventive
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Technical security Preventive
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Technical security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
  • IT Impact Zone (4)
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
  • Process or Activity (3)
    Disallow self-enrollment of biometric information. CC ID 11834 Technical security Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Detective
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested. 1.1.1.b]
    Technical security Detective
  • Systems Design, Build, and Implementation
    1
    Validate the system before implementing approved changes. CC ID 01510 Operational management Preventive
  • Technical Security
    20
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Preventive
    Require proper authentication for user identifiers. CC ID 11785
    [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2]
    Technical security Preventive
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical security Preventive
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical security Preventive
    Employ live scans to verify biometric authentication. CC ID 06847 Technical security Preventive
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891
    [Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. 1.3.8.a]
    Technical security Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Preventive
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998
    [Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. 1.3.2]
    Technical security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993
    [{inbound Internet traffic} Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1]
    Technical security Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Preventive
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903
    [Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.7.a
    Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. 1.1.7.b]
    Technical security Corrective
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420
    [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a
    {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b]
    Technical security Preventive
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Preventive
    Verify users are listed in the ASET userlist file. CC ID 04907 System hardening through configuration management Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Preventive
  • Testing
    7
    Perform penetration tests, as necessary. CC ID 00655 Monitoring and measurement Detective
    Test the system for insecure configuration management. CC ID 01327
    [{insecure protocol} {insecure port} Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port. 1.1.6.c]
    Monitoring and measurement Detective
    Employ unique identifiers. CC ID 01273
    [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2]
    Technical security Detective
    Identify the user when enrolling them in the biometric system. CC ID 06882 Technical security Detective
    Configure firewalls to perform dynamic packet filtering. CC ID 01288
    [Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 1.3.6]
    Technical security Detective
    Test proposed changes prior to their approval. CC ID 00548
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c]
    Operational management Detective
    Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 System hardening through configuration management Preventive
Common Controls and mandates by Classification
30 Mandated Controls - bold    27 Implied Controls - italic    84 Implementation Controls - regular

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
141 Total
  • Corrective
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Tune the biometric identification equipment, as necessary. CC ID 07077 Technical security Configuration
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903
    [Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.7.a
    Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. 1.1.7.b]
    Technical security Technical Security
    Disable or delete shared User IDs. CC ID 12478 System hardening through configuration management Configuration
    Disable or delete generic user IDs. CC ID 12479 System hardening through configuration management Configuration
  • Detective
    9
    Perform penetration tests, as necessary. CC ID 00655 Monitoring and measurement Testing
    Test the system for insecure configuration management. CC ID 01327
    [{insecure protocol} {insecure port} Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port. 1.1.6.c]
    Monitoring and measurement Testing
    Employ unique identifiers. CC ID 01273
    [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2]
    Technical security Testing
    Identify the user when enrolling them in the biometric system. CC ID 06882 Technical security Testing
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Process or Activity
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested. 1.1.1.b]
    Technical security Process or Activity
    Configure firewalls to perform dynamic packet filtering. CC ID 01288
    [Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 1.3.6]
    Technical security Testing
    Test proposed changes prior to their approval. CC ID 00548
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c]
    Operational management Testing
    Verify that no UID 0 accounts exist other than root. CC ID 01585 System hardening through configuration management Configuration
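The UID 0 check above, together with the unique-identifier testing under 8.2, can be run mechanically against an account database. The following Python script is an added example written for this report, not code from the PCI SSC or from Network Frontiers; the passwd lines it parses are constructed sample data, and the account names in them are assumptions.

```python
"""Added example: detective checks over a Unix /etc/passwd file.

Flags (1) every UID 0 account other than root and (2) any UID shared by
more than one account name, which defeats the 'unique ID' requirement.
The passwd content below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample; 'toor' and the duplicated UID 1001 are the defects to find.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
ops2:x:1001:1001::/home/ops2:/bin/bash
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse the seven colon-separated passwd fields; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def uid0_accounts(text: str) -> list[str]:
    """Names of accounts with UID 0 other than root (should be empty)."""
    return [e.name for e in parse_passwd(text) if e.uid == 0 and e.name != "root"]


def duplicate_uids(text: str) -> dict[int, list[str]]:
    """UIDs mapped to every account name sharing them, for UIDs used more than once."""
    by_uid: dict[int, list[str]] = defaultdict(list)
    for e in parse_passwd(text):
        by_uid[e.uid].append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    print("non-root UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("shared UIDs:", duplicate_uids(SAMPLE_PASSWD))
```

On a real host the same functions can be fed the contents of /etc/passwd; systems that use LDAP, NIS+ or another directory must be checked against the directory's account export as well, since a local passwd file alone does not show those identities.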
  • IT Impact Zone
    4
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
  • Preventive
    124
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Behavior
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Behavior
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Technical Security
    Require proper authentication for user identifiers. CC ID 11785
    [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2]
    Technical security Technical Security
    Assign authenticators to user accounts. CC ID 06855 Technical security Configuration
    Assign authentication mechanisms for user account authentication. CC ID 06856 Technical security Configuration
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical security Technical Security
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Establish/Maintain Documentation
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Technical security Configuration
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical security Technical Security
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Technical security Establish Roles
    Employ live scans to verify biometric authentication. CC ID 06847 Technical security Technical Security
    Disallow self-enrollment of biometric information. CC ID 11834 Technical security Process or Activity
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Communicate
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Establish/Maintain Documentation
    Maintain up-to-date network diagrams. CC ID 00531
    [Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.a
    {network diagram} Interview responsible personnel to verify that the diagram is kept current. 1.1.2.b]
    Technical security Establish/Maintain Documentation
    Include the date of the most recent update on the network diagram. CC ID 14319 Technical security Establish/Maintain Documentation
    Include virtual systems in the network diagram. CC ID 16324 Technical security Data and Information Management
    Include the organization's name in the network diagram. CC ID 14318 Technical security Establish/Maintain Documentation
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Technical security Establish/Maintain Documentation
    Include Domain Name System names in the network diagram. CC ID 16240 Technical security Establish/Maintain Documentation
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Technical security Establish/Maintain Documentation
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Communicate
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Technical security Establish/Maintain Documentation
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891
    [Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. 1.3.8.a]
    Technical security Technical Security
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034
    [Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized. 1.3.8.b]
    Technical security Communicate
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Technical Security
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Technical Security
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Technical security Data and Information Management
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998
    [Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. 1.3.2]
    Technical security Technical Security
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993
    [{inbound Internet traffic} Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1]
    Technical security Technical Security
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7]
    Technical security Data and Information Management
    Establish, implement, and maintain a network access control standard. CC ID 00546 Technical security Establish/Maintain Documentation
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410
    [Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components. 1.1.5.a
    Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented. 1.1.5.b]
    Technical security Establish Roles
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Technical Security
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274
    [Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 1.1.4.c]
    Technical security Configuration
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293
    [Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment. 1.2.3.a]
    Technical security Configuration
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Technical security Configuration
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a
    {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b
    {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3]
    Technical security Establish/Maintain Documentation
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a
    {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b
    {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3]
    Technical security Establish/Maintain Documentation
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847
    [Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3.b]
    Technical security Configuration
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537
    [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a]
    Technical security Establish/Maintain Documentation
    Configure network ports to organizational standards. CC ID 14007 Technical security Configuration
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Establish/Maintain Documentation
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Technical security Establish/Maintain Documentation
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280
    [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a]
    Technical security Establish/Maintain Documentation
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Technical security Establish/Maintain Documentation
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Technical security Establish/Maintain Documentation
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550
    [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a
    {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b]
    Technical security Configuration
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420
    [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a
    {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b]
    Technical security Technical Security
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Configuration
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547
    [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. 1.2.1.c]
    Technical security Configuration
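Several of the Requirement 1 testing procedures quoted in this table (1.1.6.a/c, 1.2.1.c, 1.3.1, 1.3.2, 1.3.3 and 1.3.7) reduce to mechanical checks over a firewall's access rules: is there a closing deny-all, does every inbound Internet rule land in the DMZ, is there any direct path between the Internet and the cardholder data environment, and is every permitted service on the documented list with a security feature for the insecure ones. The Python script below is an added example written for this report, not code from the PCI SSC or from Network Frontiers. Its one-rule-per-line syntax, the DMZ and CDE address ranges and the approved-services table are constructed assumptions; a real assessment reads the vendor configuration and the organization's own standard.

```python
"""Added example: audit a simplified firewall ruleset against PCI DSS 3.1
testing procedures 1.1.6, 1.2.1.c, 1.3.1/1.3.2 and 1.3.3/1.3.7.

Rule syntax (assumed for this example, one rule per line):
    <permit|deny> <src-net|any> <dst-net|any> <proto>[/<port>]   # comment
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Assumed network zones (documentation ranges, constructed for the example).
DMZ = ipaddress.ip_network("203.0.113.0/24")
CDE = ipaddress.ip_network("10.20.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumed entries from the standard's services/protocols/ports list (1.1.6.a).
# Insecure entries must name the security feature implemented for them (1.1.6.c).
APPROVED_SERVICES = {
    ("tcp", 443): {"justification": "public web storefront", "insecure": False},
    ("tcp", 22): {"justification": "admin access from DMZ bastion", "insecure": False},
    ("tcp", 21): {"justification": "legacy partner file drop", "insecure": True,
                  "security_feature": None},  # listed, but no control documented
}

# Constructed Internet-edge ruleset containing the defects the audit should find.
SAMPLE_RULESET = """
permit any 203.0.113.10/32 tcp/443        # web front end in the DMZ
permit any 203.0.113.20/32 tcp/21         # partner FTP drop (insecure, listed)
permit any 10.20.1.5/32 tcp/3389          # RDP straight into the CDE
permit 10.20.0.0/16 any tcp/23            # outbound telnet from the CDE, undocumented
permit 203.0.113.0/24 10.20.0.0/16 tcp/22 # bastion to CDE
"""

# Same edge after remediation: only DMZ-bound inbound traffic, closing deny-all.
CLEAN_RULESET = """
permit any 203.0.113.10/32 tcp/443
permit 203.0.113.0/24 10.20.0.0/16 tcp/22
deny any any any
"""


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: Net
    dst: Net
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # None means any port


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, svc = line.split()
        proto, _, port = svc.partition("/")
        rules.append(Rule(
            action=action,
            src=ANY if src == "any" else ipaddress.ip_network(src),
            dst=ANY if dst == "any" else ipaddress.ip_network(dst),
            proto=proto,
            port=int(port) if port else None,
        ))
    return rules


def _service(r: Rule) -> str:
    return f"{r.proto}/{'any' if r.port is None else r.port}"


def audit(rules: list[Rule]) -> list[str]:
    """Return findings tagged with the PCI DSS 3.1 testing procedure they map to."""
    findings = []

    # 1.2.1.c: all traffic not explicitly allowed must be specifically denied.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY
            and last.dst == ANY and last.proto == "any"):
        findings.append("1.2.1.c: no explicit 'deny any any' closing the ruleset")

    for r in rules:
        if r.action != "permit":
            continue
        from_internet = r.src == ANY
        to_internet = r.dst == ANY
        # 1.3.1 / 1.3.2: inbound Internet traffic only to addresses in the DMZ.
        if from_internet and not r.dst.subnet_of(DMZ):
            findings.append(f"1.3.2: inbound Internet rule to non-DMZ destination {r.dst}")
        # 1.3.3 / 1.3.7: no direct connection between the Internet and the CDE.
        if (from_internet and r.dst.subnet_of(CDE)) or (to_internet and r.src.subnet_of(CDE)):
            findings.append(f"1.3.3: direct connection between Internet and CDE ({r.src} -> {r.dst})")
        # 1.1.6.a: every permitted service must be on the documented list ...
        svc = APPROVED_SERVICES.get((r.proto, r.port))
        if svc is None:
            findings.append(f"1.1.6.a: {_service(r)} permitted but not in the documented services list")
        # ... and 1.1.6.c: insecure services need a documented, implemented security feature.
        elif svc["insecure"] and not svc.get("security_feature"):
            findings.append(f"1.1.6.c: insecure service {_service(r)} has no security feature documented")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULESET)):
        print(finding)
```

Two of the quoted procedures cannot be decided from the access rules alone and still need the device's own settings examined: 1.3.6 (stateful inspection) depends on whether the platform tracks sessions for the permitted flows, and 1.3.8 (non-disclosure of private addresses) depends on the NAT and routing-advertisement configuration.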
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Configuration
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Configuration
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Configuration
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Configuration
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Configuration
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Configuration
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Configuration
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Configuration
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Configuration
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Configuration
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Configuration
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Technical Security
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Technical Security
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Data and Information Management
    Synchronize and secure all router configuration files. CC ID 01291
    [{router configuration files} Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). 1.2.2.b]
    Technical security Configuration
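Testing procedure 1.2.2.b asks whether the running configuration matches the start-up configuration. A literal text comparison fails on noise such as the "Building configuration..." banner, byte counts and change timestamps, so the comparison has to normalize both texts first. The script below is an added example written for this report, not code from the PCI SSC or from Network Frontiers; the two IOS-style configurations are constructed, and the noise prefixes it strips are assumptions about that format.

```python
"""Added example: detect drift between a router's start-up and running
configuration (PCI DSS 3.1 testing procedure 1.2.2.b).

Both configuration texts below are constructed for the example; the running
configuration carries an unsaved ACL entry that the start-up copy lacks.
"""
import difflib

# Constructed start-up configuration (what the device boots with).
STARTUP_CONFIG = """\
!
! Last configuration change at 10:02:11 UTC Mon Mar 2 2015
version 15.2
hostname edge-rtr1
!
ip access-list extended INTERNET-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group INTERNET-IN in
!
end
"""

# Constructed running configuration as displayed by the device, with an extra
# permit that was never written back to start-up.
RUNNING_CONFIG = """\
Building configuration...

Current configuration : 1412 bytes
!
! Last configuration change at 14:37:52 UTC Tue Mar 3 2015
version 15.2
hostname edge-rtr1
!
ip access-list extended INTERNET-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 10.20.1.5 eq 3389
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group INTERNET-IN in
!
end
"""

# Assumed line prefixes that carry no configuration state: section separators,
# comment lines (which is where the change timestamp lives) and display banners.
NOISE_PREFIXES = ("!", "Building configuration", "Current configuration")


def normalize(config: str) -> list[str]:
    """Drop blank and noise lines; keep indentation because it carries structure."""
    lines = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line.strip() or line.lstrip().startswith(NOISE_PREFIXES):
            continue
        lines.append(line)
    return lines


def config_drift(running: str, startup: str) -> list[str]:
    """Lines present in only one of the two configurations, '+' for running-only
    and '-' for start-up-only; an empty list means the copies are synchronized."""
    diff = difflib.unified_diff(
        normalize(startup), normalize(running),
        fromfile="startup-config", tofile="running-config", lineterm="", n=0,
    )
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def is_synchronized(running: str, startup: str) -> bool:
    return not config_drift(running, startup)


if __name__ == "__main__":
    for line in config_drift(RUNNING_CONFIG, STARTUP_CONFIG):
        print(line)
```

A non-empty drift list is evidence for more than 1.2.2.b: a rule in the running configuration with no start-up counterpart is also a change that should appear in the change records examined under 1.1.1.c, and it will vanish at the next reboot, so the assessor should trace it in both directions.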
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Technical Security
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Establish/Maintain Documentation
    Store cryptographic keys securely. CC ID 01298
    [Verify that key-management procedures specify how to securely store keys. 3.6.3.a]
    Technical security Data and Information Management
    Restrict access to cryptographic keys. CC ID 01297 Technical security Data and Information Management
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Data and Information Management
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Technical Security
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Manage change requests. CC ID 00887 Operational management Business Processes
    Approve tested change requests. CC ID 11783
    [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a
    Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c]
    Operational management Data and Information Management
    Validate the system before implementing approved changes. CC ID 01510 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Behavior
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Change default configurations, as necessary. CC ID 00877
    [Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c]
    System hardening through configuration management Configuration
    Configure custom security parameters for X-Windows. CC ID 02168 System hardening through configuration management Configuration
    Configure custom security settings for Lotus Domino. CC ID 02171 System hardening through configuration management Configuration
    Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 System hardening through configuration management Configuration
    Configure custom security settings for Sun Answerbook2. CC ID 02178 System hardening through configuration management Configuration
    Configure custom security settings for Command (PROM) Monitor. CC ID 02180 System hardening through configuration management Configuration
    Configure and secure each interface for Executive Interfaces. CC ID 02182 System hardening through configuration management Configuration
    Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 System hardening through configuration management Configuration
    Configure the Unisys executive (GENNED) GEN tags. CC ID 02184 System hardening through configuration management Configuration
    Reconfigure the default Console Mode privileges. CC ID 02189 System hardening through configuration management Configuration
    Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 System hardening through configuration management Configuration
    Configure security profiles for the various Console Mode levels. CC ID 02191 System hardening through configuration management Configuration
    Configure custom access privileges for all mapper files. CC ID 02194 System hardening through configuration management Configuration
    Configure custom access privileges for the PSERVER configuration file. CC ID 02195 System hardening through configuration management Configuration
    Configure custom access privileges for the DEPCON configuration file. CC ID 02196 System hardening through configuration management Configuration
    Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 System hardening through configuration management Configuration
    Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 System hardening through configuration management Configuration
    Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 System hardening through configuration management Configuration
    Complete the NetWare eGuide configuration. CC ID 04449 System hardening through configuration management Configuration
    Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 System hardening through configuration management Configuration
    Set the low security directory list properly. CC ID 04903 System hardening through configuration management Configuration
    Set the medium security directory list properly. CC ID 04904 System hardening through configuration management Configuration
    Set the high security directory list properly. CC ID 04905 System hardening through configuration management Configuration
    Set the UID aliases pointer properly. CC ID 04906 System hardening through configuration management Configuration
    Verify users are listed in the ASET userlist file. CC ID 04907 System hardening through configuration management Technical Security
    Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 System hardening through configuration management Testing
    Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 System hardening through configuration management Configuration
    Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 System hardening through configuration management Configuration
    Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 System hardening through configuration management Configuration
    Configure the system's booting configuration. CC ID 10656 System hardening through configuration management Configuration
    Configure the system to boot directly to the correct Operating System. CC ID 04509 System hardening through configuration management Configuration
    Verify an appropriate bootloader is used. CC ID 04900 System hardening through configuration management Configuration
    Configure the ability to boot from USB devices, as appropriate. CC ID 04901 System hardening through configuration management Configuration
    Configure the system to boot from hardware enforced read-only media. CC ID 10657 System hardening through configuration management Configuration
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Technical Security
    Change all default authenticators. CC ID 15309
    [Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) 2.1.a]
    System hardening through configuration management Configuration
    Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 System hardening through configuration management Configuration
    Configure user accounts. CC ID 07036 System hardening through configuration management Configuration
    Remove unnecessary default accounts. CC ID 01539
    [For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. 2.1.b
    Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c]
    System hardening through configuration management Configuration
    Disable all unnecessary user identifiers. CC ID 02185 System hardening through configuration management Configuration
    Remove unnecessary user credentials. CC ID 16409 System hardening through configuration management Configuration
    Remove the root user as appropriate. CC ID 01582 System hardening through configuration management Configuration
    Disable or remove the null account. CC ID 06572 System hardening through configuration management Configuration