Strategies for success -- PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Is the perimeter 'dead?' Mike Chapple explains why border firewalls and network perimeter defenses are still essential security tools. Visit SearchSecurity.com's Network Firewalls Resource Center.

How to pass PCI Requirement 1
Organizations need to thoroughly review firewall configurations and the policies that control the traffic flowing into and out of a network. Many firewalls go untouched for quite some time after their initial network installation. Because business application needs and customer requirements change over time, many rules are adjusted to allow for additional ports and services to be initiated, allowing open communication between trusted and untrusted segments.

All changes on these devices must be approved, accurately documented and reviewed on an ongoing basis to make sure that they are hardened and only allow secure information to flow between network segments. Documented configuration standards for these protections are mandatory along with specific documentation that justifies your network practices.

Finally, do not forget that configurations must provide security for assets that store, transmit or process cardholder data, which includes the appropriate network segmentation of information from wireless and mobile devices.

A GUIDE TO PASSING PCI'S FIVE TOUGHEST REQUIREMENTS

  Requirement 3: Protecting stored data
  Requirement 11: Regularly test security systems and processes
  Requirement 8: Assign a unique ID to users
  Requirement 10: Monitor access to network resources and data
  Requirement 1: Install and maintain a firewall configuration
  Conclusion

ABOUT THE AUTHOR:

Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via canvip@yahoo.com.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT PCI Data Security Standard Would QSAs normally write up a PCI DSS report on compliance (ROC) and submit it to all issuing card brands? WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2 PCI is about eliminating data, not securing it, former QSA says Security of customer data, IP sustains security budgets PCI version 1.2 clarifications: How to get an early start on compliance audits Version 1.2 of Payment Card Industry (PCI) Data Security Standard answers questions, raises others Security visualization helps make log files work The Little Black Book of Computer Security, 2nd Edition Data breach discovery, disclosure outpaces 2007 PCI groups to focus on wireless, pre-authorization changes Security Audit Richard Mackey: Building a framework-based compliance program Screencast: How Tor improves Web surfing privacy and security audits IT security pros focus on internal threats during tough economy Would QSAs normally write up a PCI DSS report on compliance (ROC) and submit it to all issuing card brands? IRS faulted for lax security controls, dangerous data risks IT security pros face challenge during economic crisis Screencast: How to use Nipper to create network security reports PCI version 1.2 clarifications: How to get an early start on compliance audits Version 1.2 of Payment Card Industry (PCI) Data Security Standard answers questions, raises others What's the latest on efforts to develop a common logging and audit standard?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary PCI DSS (Payment Card Industry Data Security Standard )  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary