0002756
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015
PCI Security Standards Council
Contractual Obligation
Free
PCI DSS 3.1 - Testing Procedures
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures
2015-04-01
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3.1 April 2015 are based upon terms found either within the Authority Document’s defined terms section (which most legal documents have), within its glossary, or, for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS
---|---|---
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone
Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive
Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive
Perform penetration tests, as necessary. CC ID 00655 | Testing | Detective
Test the system for insecure configuration management. CC ID 01327 [{insecure protocol} {insecure port} Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port. 1.1.6.c] | Testing | Detective
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS
---|---|---
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone
Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive
Manage change requests. CC ID 00887 | Business Processes | Preventive
Test proposed changes prior to their approval. CC ID 00548 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c] | Testing | Detective
Approve tested change requests. CC ID 11783 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c] | Data and Information Management | Preventive
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS
---|---|---
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive
Change default configurations, as necessary. CC ID 00877 [Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c] | Configuration | Preventive
Configure custom security parameters for X-Windows. CC ID 02168 | Configuration | Preventive
Configure custom security settings for Lotus Domino. CC ID 02171 | Configuration | Preventive
Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 | Configuration | Preventive
Configure custom security settings for Sun Answerbook2. CC ID 02178 | Configuration | Preventive
Configure custom security settings for Command (PROM) Monitor. CC ID 02180 | Configuration | Preventive
Configure and secure each interface for Executive Interfaces. CC ID 02182 | Configuration | Preventive
Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 | Configuration | Preventive
Configure the Unisys executive (GENNED) GEN tags. CC ID 02184 | Configuration | Preventive
Reconfigure the default Console Mode privileges. CC ID 02189 | Configuration | Preventive
Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 | Configuration | Preventive
Configure security profiles for the various Console Mode levels. CC ID 02191 | Configuration | Preventive
Configure custom access privileges for all mapper files. CC ID 02194 | Configuration | Preventive
Configure custom access privileges for the PSERVER configuration file. CC ID 02195 | Configuration | Preventive
Configure custom access privileges for the DEPCON configuration file. CC ID 02196 | Configuration | Preventive
Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 | Configuration | Preventive
Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 | Configuration | Preventive
Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 | Configuration | Preventive
Complete the NetWare eGuide configuration. CC ID 04449 | Configuration | Preventive
Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 | Configuration | Preventive
Set the low security directory list properly. CC ID 04903 | Configuration | Preventive
Set the medium security directory list properly. CC ID 04904 | Configuration | Preventive
Set the high security directory list properly. CC ID 04905 | Configuration | Preventive
Set the UID aliases pointer properly. CC ID 04906 | Configuration | Preventive
Verify users are listed in the ASET userlist file. CC ID 04907 | Technical Security | Preventive
Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 | Testing | Preventive
Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 | Configuration | Preventive
Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 | Configuration | Preventive
Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 | Configuration | Preventive
Configure the system's booting configuration. CC ID 10656 | Configuration | Preventive
Configure the system to boot directly to the correct Operating System. CC ID 04509 | Configuration | Preventive
Verify an appropriate bootloader is used. CC ID 04900 | Configuration | Preventive
Configure the ability to boot from USB devices, as appropriate. CC ID 04901 | Configuration | Preventive
Configure the system to boot from hardware enforced read-only media. CC ID 10657 | Configuration | Preventive
Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive
Change all default authenticators. CC ID 15309 [Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) 2.1.a] | Configuration | Preventive
Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | Configuration | Preventive
Configure user accounts. CC ID 07036 | Configuration | Preventive
Remove unnecessary default accounts. CC ID 01539 [For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. 2.1.b Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c] | Configuration | Preventive
Disable or delete shared User IDs. CC ID 12478 | Configuration | Corrective
Verify that no UID 0 accounts exist other than root. CC ID 01585 | Configuration | Detective
Disable or delete generic user IDs. CC ID 12479 | Configuration | Corrective
Disable all unnecessary user identifiers. CC ID 02185 | Configuration | Preventive
Remove unnecessary user credentials. CC ID 16409 | Configuration | Preventive
Remove the root user as appropriate. CC ID 01582 | Configuration | Preventive
Disable or remove the null account. CC ID 06572 | Configuration | Preventive
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS
---|---|---
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive
Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive
Employ unique identifiers. CC ID 01273 [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2] | Testing | Detective
Require proper authentication for user identifiers. CC ID 11785 [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2] | Technical Security | Preventive
Assign authenticators to user accounts. CC ID 06855 | Configuration | Preventive
Assign authentication mechanisms for user account authentication. CC ID 06856 | Configuration | Preventive
Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical Security | Preventive
Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive
Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive
Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive
Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Establish Roles | Preventive
Employ live scans to verify biometric authentication. CC ID 06847 | Technical Security | Preventive
Identify the user when enrolling them in the biometric system. CC ID 06882 | Testing | Detective
Disallow self-enrollment of biometric information. CC ID 11834 | Process or Activity | Preventive
Tune the biometric identification equipment, as necessary. CC ID 07077 | Configuration | Corrective
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive
Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Establish/Maintain Documentation | Preventive
Maintain up-to-date network diagrams. CC ID 00531 [{network diagram} Interview responsible personnel to verify that the diagram is kept current. 1.1.2.b Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.a] | Establish/Maintain Documentation | Preventive
Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive
Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive
Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Process or Activity | Detective
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive
Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Establish/Maintain Documentation | Preventive
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive
Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 [Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. 1.3.8.a] | Technical Security | Preventive
Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 [Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized. 1.3.8.b] | Communicate | Preventive
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical Security | Preventive
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical Security | Preventive
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Data and Information Management | Preventive
Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 [Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. 1.3.2] | Technical Security | Preventive
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 [{inbound Internet traffic} Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1] | Technical Security | Preventive
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7] | Data and Information Management | Preventive
Establish, implement, and maintain a network access control standard. CC ID 00546 | Establish/Maintain Documentation | Preventive
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 [Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components. 1.1.5.a Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented. 1.1.5.b] | Establish Roles | Preventive
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical Security | Preventive
Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 [Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 1.1.4.c] | Configuration | Preventive
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 [Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment. 1.2.3.a] | Configuration | Preventive
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Configuration | Preventive
Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested. 1.1.1.b] | Process or Activity | Detective
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.7.a Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. 1.1.7.b] | Technical Security | Corrective
Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3] | Establish/Maintain Documentation | Preventive
Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3] | Establish/Maintain Documentation | Preventive
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 [Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3.b] | Configuration | Preventive
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a] | Establish/Maintain Documentation | Preventive
Configure network ports to organizational standards. CC ID 14007 | Configuration | Preventive
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Establish/Maintain Documentation | Preventive
Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Establish/Maintain Documentation | Preventive
Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a] | Establish/Maintain Documentation | Preventive
Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Establish/Maintain Documentation | Preventive
Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Establish/Maintain Documentation | Preventive
Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b] | Configuration | Preventive
Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b] | Technical Security | Preventive
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 | Configuration | Preventive
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. 1.2.1.c] | Configuration | Preventive
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Configuration | Preventive
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Configuration | Preventive
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Configuration | Preventive
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Configuration | Preventive
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Configuration | Preventive
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Configuration | Preventive
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Configuration | Preventive
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Configuration | Preventive
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Configuration | Preventive
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Configuration | Preventive
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Configuration | Preventive
Configure firewalls to perform dynamic packet filtering. CC ID 01288 [Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 1.3.6] | Testing | Detective
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical Security | Preventive | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Data and Information Management | Preventive | |
Synchronize and secure all router configuration files. CC ID 01291 [{router configuration files} Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). 1.2.2.b] | Configuration | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Establish/Maintain Documentation | Preventive | |
Store cryptographic keys securely. CC ID 01298 [Verify that key-management procedures specify how to securely store keys. 3.6.3.a] | Data and Information Management | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Data and Information Management | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Manage change requests. CC ID 00887 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 [Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized. 1.3.8.b] | Technical security | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign authenticators to user accounts. CC ID 06855 | Technical security | Preventive | |
Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Preventive | |
Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Corrective | |
Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 [Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 1.1.4.c] | Technical security | Preventive | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 [Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment. 1.2.3.a] | Technical security | Preventive | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Preventive | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 [Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3.b] | Technical security | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Preventive | |
Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b] | Technical security | Preventive | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 | Technical security | Preventive | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. 1.2.1.c] | Technical security | Preventive | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Preventive | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Preventive | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Preventive | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Preventive | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Preventive | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Preventive | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Preventive | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Preventive | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Preventive | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Preventive | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Preventive | |
Synchronize and secure all router configuration files. CC ID 01291 [{router configuration files} Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). 1.2.2.b] | Technical security | Preventive | |
Change default configurations, as necessary. CC ID 00877 [Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c] | System hardening through configuration management | Preventive | |
Configure custom security parameters for X-Windows. CC ID 02168 | System hardening through configuration management | Preventive | |
Configure custom security settings for Lotus Domino. CC ID 02171 | System hardening through configuration management | Preventive | |
Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 | System hardening through configuration management | Preventive | |
Configure custom security settings for Sun Answerbook2. CC ID 02178 | System hardening through configuration management | Preventive | |
Configure custom security settings for Command (PROM) Monitor. CC ID 02180 | System hardening through configuration management | Preventive | |
Configure and secure each interface for Executive Interfaces. CC ID 02182 | System hardening through configuration management | Preventive | |
Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 | System hardening through configuration management | Preventive | |
Configure the Unisys executive (GENNED) GEN tags. CC ID 02184 | System hardening through configuration management | Preventive | |
Reconfigure the default Console Mode privileges. CC ID 02189 | System hardening through configuration management | Preventive | |
Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 | System hardening through configuration management | Preventive | |
Configure security profiles for the various Console Mode levels. CC ID 02191 | System hardening through configuration management | Preventive | |
Configure custom access privileges for all mapper files. CC ID 02194 | System hardening through configuration management | Preventive | |
Configure custom access privileges for the PSERVER configuration file. CC ID 02195 | System hardening through configuration management | Preventive | |
Configure custom access privileges for the DEPCON configuration file. CC ID 02196 | System hardening through configuration management | Preventive | |
Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 | System hardening through configuration management | Preventive | |
Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 | System hardening through configuration management | Preventive | |
Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 | System hardening through configuration management | Preventive | |
Complete the NetWare eGuide configuration. CC ID 04449 | System hardening through configuration management | Preventive | |
Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 | System hardening through configuration management | Preventive | |
Set the low security directory list properly. CC ID 04903 | System hardening through configuration management | Preventive | |
Set the medium security directory list properly. CC ID 04904 | System hardening through configuration management | Preventive | |
Set the high security directory list properly. CC ID 04905 | System hardening through configuration management | Preventive | |
Set the UID aliases pointer properly. CC ID 04906 | System hardening through configuration management | Preventive | |
Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 | System hardening through configuration management | Preventive | |
Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 | System hardening through configuration management | Preventive | |
Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 | System hardening through configuration management | Preventive | |
Configure the system's booting configuration. CC ID 10656 | System hardening through configuration management | Preventive | |
Configure the system to boot directly to the correct Operating System. CC ID 04509 | System hardening through configuration management | Preventive | |
Verify an appropriate bootloader is used. CC ID 04900 | System hardening through configuration management | Preventive | |
Configure the ability to boot from USB devices, as appropriate. CC ID 04901 | System hardening through configuration management | Preventive | |
Configure the system to boot from hardware enforced read-only media. CC ID 10657 | System hardening through configuration management | Preventive | |
Change all default authenticators. CC ID 15309 [Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) 2.1.a] | System hardening through configuration management | Preventive | |
Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Preventive | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
Remove unnecessary default accounts. CC ID 01539 [For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. 2.1.b Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c] | System hardening through configuration management | Preventive | |
Disable or delete shared User IDs. CC ID 12478 | System hardening through configuration management | Corrective | |
Verify that no UID 0 accounts exist other than root. CC ID 01585 | System hardening through configuration management | Detective | |
Disable or delete generic user IDs. CC ID 12479 | System hardening through configuration management | Corrective | |
Disable all unnecessary user identifiers. CC ID 02185 | System hardening through configuration management | Preventive | |
Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Preventive | |
Remove the root user as appropriate. CC ID 01582 | System hardening through configuration management | Preventive | |
Disable or remove the null account. CC ID 06572 | System hardening through configuration management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7] | Technical security | Preventive | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Preventive | |
Store cryptographic keys securely. CC ID 01298 [Verify that key-management procedures specify how to securely store keys. 3.6.3.a] | Technical security | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Preventive | |
Approve tested change requests. CC ID 11783 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c] | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Preventive | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 [Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components. 1.1.5.a Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented. 1.1.5.b] | Technical security | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [{network diagram} Interview responsible personnel to verify that the diagram is kept current. 1.1.2.b Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.a] | Technical security | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Preventive | |
Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical security | Preventive | |
Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical security | Preventive | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a] | Technical security | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Preventive | |
Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Preventive | |
Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a] | Technical security | Preventive | |
Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Preventive | |
Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Detective | |
Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested. 1.1.1.b] | Technical security | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
Require proper authentication for user identifiers. CC ID 11785 [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2] | Technical security | Preventive | |
Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Preventive | |
Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Preventive | |
Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 [Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. 1.3.8.a] | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 [Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. 1.3.2] | Technical security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 [{inbound Internet traffic} Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1] | Technical security | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Preventive | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.7.a Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. 1.1.7.b] | Technical security | Corrective | |
Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b] | Technical security | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
Verify users are listed in the ASET userlist file. CC ID 04907 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Perform penetration tests, as necessary. CC ID 00655 | Monitoring and measurement | Detective | |
Test the system for insecure configuration management. CC ID 01327 [{insecure protocol} {insecure port} Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port. 1.1.6.c] | Monitoring and measurement | Detective | |
Employ unique identifiers. CC ID 01273 [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2] | Technical security | Detective | |
Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Detective | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 [Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 1.3.6] | Technical security | Detective | |
Test proposed changes prior to their approval. CC ID 00548 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c] | Operational management | Detective | |
Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 | System hardening through configuration management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Configuration | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 [Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 1.1.7.a Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months. 1.1.7.b] | Technical security | Technical Security | |
Disable or delete shared User IDs. CC ID 12478 | System hardening through configuration management | Configuration | |
Disable or delete generic user IDs. CC ID 12479 | System hardening through configuration management | Configuration | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Perform penetration tests, as necessary. CC ID 00655 | Monitoring and measurement | Testing | |
Test the system for insecure configuration management. CC ID 01327 [{insecure protocol} {insecure port} Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port. 1.1.6.c] | Monitoring and measurement | Testing | |
Employ unique identifiers. CC ID 01273 [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2] | Technical security | Testing | |
Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Testing | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Process or Activity | |
Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested. 1.1.1.b] | Technical security | Process or Activity | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 [Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 1.3.6] | Technical security | Testing | |
Test proposed changes prior to their approval. CC ID 00548 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c] | Operational management | Testing | |
Verify that no UID 0 accounts exist other than root. CC ID 01585 | System hardening through configuration management | Configuration | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Behavior | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
Require proper authentication for user identifiers. CC ID 11785 [To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following: - Examine documentation describing the authentication method(s) used. - For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 8.2] | Technical security | Technical Security | |
Assign authenticators to user accounts. CC ID 06855 | Technical security | Configuration | |
Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Configuration | |
Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Technical Security | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Establish Roles | |
Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Technical Security | |
Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Process or Activity | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Establish/Maintain Documentation | |
Maintain up-to-date network diagrams. CC ID 00531 [{network diagram} Interview responsible personnel to verify that the diagram is kept current. 1.1.2.b Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks. 1.1.2.a] | Technical security | Establish/Maintain Documentation | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 [Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet. 1.3.8.a] | Technical security | Technical Security | |
Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 [Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized. 1.3.8.b] | Technical security | Communicate | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Technical Security | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Technical Security | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Data and Information Management | |
Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 [Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. 1.3.2] | Technical security | Technical Security | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 [{inbound Internet traffic} Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. 1.3.1] | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks. 1.3.7] | Technical security | Data and Information Management | |
Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Establish/Maintain Documentation | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 [Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components. 1.1.5.a Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented. 1.1.5.b] | Technical security | Establish Roles | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Technical Security | |
Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 [Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams. 1.1.4.c] | Technical security | Configuration | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 [Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment. 1.2.3.a] | Technical security | Configuration | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Configuration | |
Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical security | Establish/Maintain Documentation | |
Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. 1.2.1.a {inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. 1.2.1.b {direct inbound connection} {direct outbound connection} Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. 1.3.3] | Technical security | Establish/Maintain Documentation | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 [Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 1.2.3.b] | Technical security | Configuration | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a] | Technical security | Establish/Maintain Documentation | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Configuration | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Establish/Maintain Documentation | |
Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Establish/Maintain Documentation | |
Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 [Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each—for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols. 1.1.6.a] | Technical security | Establish/Maintain Documentation | |
Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Establish/Maintain Documentation | |
Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Establish/Maintain Documentation | |
Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b] | Technical security | Configuration | |
Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 [{mobile device} Examine policies and configuration standards to verify: - Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. - Specific configuration settings are defined for personal firewall software. - Personal firewall software is configured to actively run. - Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices. 1.4.a {mobile device} Inspect a sample of mobile and/or employee-owned devices to verify that: - Personal firewall software is installed and configured per the organization’s specific configuration settings. - Personal firewall software is actively running. - Personal firewall software is not alterable by users of mobile and/or employee-owned devices. 1.4.b] | Technical security | Technical Security | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 | Technical security | Configuration | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 [{inbound Internet traffic} {outbound network traffic} Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. 1.2.1.c] | Technical security | Configuration | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Configuration | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Configuration | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Configuration | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Configuration | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Configuration | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Configuration | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Configuration | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Configuration | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Configuration | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Configuration | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Configuration | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Technical Security | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Data and Information Management | |
Synchronize and secure all router configuration files. CC ID 01291 [{router configuration files} Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). 1.2.2.b] | Technical security | Configuration | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Establish/Maintain Documentation | |
Store cryptographic keys securely. CC ID 01298 [Verify that key-management procedures specify how to securely store keys. 3.6.3.a] | Technical security | Data and Information Management | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Data and Information Management | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 | Operational management | Business Processes | |
Approve tested change requests. CC ID 11783 [{approve} Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations 1.1.1.a Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. 1.1.1.c] | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Change default configurations, as necessary. CC ID 00877 [Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c] | System hardening through configuration management | Configuration | |
Configure custom security parameters for X-Windows. CC ID 02168 | System hardening through configuration management | Configuration | |
Configure custom security settings for Lotus Domino. CC ID 02171 | System hardening through configuration management | Configuration | |
Configure custom security settings for the Automated Security Enhancement Tool. CC ID 02177 | System hardening through configuration management | Configuration | |
Configure custom security settings for Sun Answerbook2. CC ID 02178 | System hardening through configuration management | Configuration | |
Configure custom security settings for Command (PROM) Monitor. CC ID 02180 | System hardening through configuration management | Configuration | |
Configure and secure each interface for Executive Interfaces. CC ID 02182 | System hardening through configuration management | Configuration | |
Reconfigure the default settings and configure the system security for Site Management Complex. CC ID 02183 | System hardening through configuration management | Configuration | |
Configure the Unisys executive (GENNED) GEN tags. CC ID 02184 | System hardening through configuration management | Configuration | |
Reconfigure the default Console Mode privileges. CC ID 02189 | System hardening through configuration management | Configuration | |
Restrict access to security-related Console Mode key-in groups based on the security profiles. CC ID 02190 | System hardening through configuration management | Configuration | |
Configure security profiles for the various Console Mode levels. CC ID 02191 | System hardening through configuration management | Configuration | |
Configure custom access privileges for all mapper files. CC ID 02194 | System hardening through configuration management | Configuration | |
Configure custom access privileges for the PSERVER configuration file. CC ID 02195 | System hardening through configuration management | Configuration | |
Configure custom access privileges for the DEPCON configuration file. CC ID 02196 | System hardening through configuration management | Configuration | |
Disable the default NetWare user web page unless absolutely necessary. CC ID 04447 | System hardening through configuration management | Configuration | |
Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords. CC ID 04448 | System hardening through configuration management | Configuration | |
Remove unnecessary documentation or unprotected documentation from installed applications. CC ID 04452 | System hardening through configuration management | Configuration | |
Complete the NetWare eGuide configuration. CC ID 04449 | System hardening through configuration management | Configuration | |
Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list. CC ID 04902 | System hardening through configuration management | Configuration | |
Set the low security directory list properly. CC ID 04903 | System hardening through configuration management | Configuration | |
Set the medium security directory list properly. CC ID 04904 | System hardening through configuration management | Configuration | |
Set the high security directory list properly. CC ID 04905 | System hardening through configuration management | Configuration | |
Set the UID aliases pointer properly. CC ID 04906 | System hardening through configuration management | Configuration | |
Verify users are listed in the ASET userlist file. CC ID 04907 | System hardening through configuration management | Technical Security | |
Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate. CC ID 04908 | System hardening through configuration management | Testing | |
Reconfigure the encryption keys from their default setting or previous setting. CC ID 06079 | System hardening through configuration management | Configuration | |
Change the default Service Set Identifier for Wireless Access Points and wireless bridges. CC ID 06086 | System hardening through configuration management | Configuration | |
Revoke public execute privileges for all processes or applications that allow such privileges. CC ID 06568 | System hardening through configuration management | Configuration | |
Configure the system's booting configuration. CC ID 10656 | System hardening through configuration management | Configuration | |
Configure the system to boot directly to the correct Operating System. CC ID 04509 | System hardening through configuration management | Configuration | |
Verify an appropriate bootloader is used. CC ID 04900 | System hardening through configuration management | Configuration | |
Configure the ability to boot from USB devices, as appropriate. CC ID 04901 | System hardening through configuration management | Configuration | |
Configure the system to boot from hardware enforced read-only media. CC ID 10657 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
Change all default authenticators. CC ID 15309 [Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) 2.1.a] | System hardening through configuration management | Configuration | |
Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Configuration | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
Remove unnecessary default accounts. CC ID 01539 [For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. 2.1.b Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network. - Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network. 2.1.c] | System hardening through configuration management | Configuration | |
Disable all unnecessary user identifiers. CC ID 02185 | System hardening through configuration management | Configuration | |
Remove unnecessary user credentials. CC ID 16409 | System hardening through configuration management | Configuration | |
Remove the root user as appropriate. CC ID 01582 | System hardening through configuration management | Configuration | |
Disable or remove the null account. CC ID 06572 | System hardening through configuration management | Configuration |