The goal
The goal of PCI DSS Key Requirement 1 is to maintain reliable and sustainable operation and management of network security controls across the in-scope environment. These controls must consistently and effectively restrict network and application access to and from the CDE to authorized users and systems only, and must support ongoing monitoring, detection of security events and response to incidents.
This goal includes full integration with all related PCI DSS Key Requirements, so that an effective, integrated set of controls is established and all related capabilities, processes, documentation, tools and training are developed and continuously improved, reaching < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations
This goal applies to all people (internal and external) involved in the evaluation, implementation, operation and management of any in-scope network security component, i.e., every logical (IT) and physical control component required to restrict network access to and from the CDE.
Goal requirements:
Some of the primary conditions necessary to achieve the goal
- Capacity: Maintain enough qualified security administrators to proactively and correctly configure, monitor and maintain the security controls in line with the intent of the related PCI DSS control objectives
- Competence: Maintain the competency to evaluate, install and maintain all network security controls across the in-scope environment in an effective, reliable and sustainable manner
- Capability: Test and measure how consistently and effectively network access to and from the CDE is restricted to authorized users and systems only, and how well the controls support monitoring, detection of security events and response to incidents (the team's operational capability)
- Technology: Maintain modern, up-to-date hardware and software components, replace outdated technologies across the control environment, and automate configuration deployment and change control
- Documentation and processes: Maintain effective standard operating procedures with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on following the documented procedures, and frequently monitor and report internally on adherence to those standards and procedures
Strong dependencies and integration with other key requirements
- Requirement 2: Secure configuration and hardening of network security controls
- Requirement 6: Vulnerability management and patching of network security components (secure systems and software)
- Requirement 10: Logging and monitoring of network security control components
- Requirement 11: Testing of network security components
Short-term objectives
- Scope: Install and maintain network security controls that cover the entire CDE in accordance with documented standards and procedures, and validate that the scope is accurate and complete
- Update: Replace or update IT components that lack the functionality and capability to provide effective network security control
- Change control: Increase the automation of configuration deployment and change control management
Long-term objectives
- Improve: Continuously improve and refine configurations, support processes, integration, documentation and training
- Maturity: Achieve and maintain high maturity and performance across all security control operations, with low deviation from configuration standards and a strong capability to rapidly detect and correct configuration deviations across the CDE
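The "rapid detection and correction of configuration deviations" objective above is the one part of this goal that can be exercised mechanically: the approved ruleset is the documented configuration standard, and anything running that differs from it is a deviation to investigate. The following Python is an added illustration, not part of the original document or of any PCI SSC material. The one-rule-per-line format, the zone names (`cde`, `dmz`, `mgmt`) and both sample rulesets are constructed assumptions; a real check would read the baseline from the change-control system and the running ruleset from the device.

```python
"""Compare the running ruleset of a network security control against the
approved baseline and report deviations.

Added example, not from the original document. The rule format, the zone
names and the two sample rulesets are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True, order=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    src: str     # source zone name or CIDR
    dst: str     # destination zone name or CIDR
    port: str    # destination port or "any"


def parse_rules(text: str) -> FrozenSet[Rule]:
    """Parse 'action proto src dst port' lines; '#' starts a comment."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, dst, port = parts
        rules.add(Rule(action.lower(), proto.lower(), src, dst, port))
    return frozenset(rules)


# Assumed zone labels for the CDE and for untrusted networks.
CDE_ZONES = {"cde", "10.10.0.0/16"}
UNTRUSTED = {"any", "internet", "0.0.0.0/0"}


def is_untrusted_to_cde(rule: Rule) -> bool:
    """An allow rule from an untrusted source straight into the CDE is a
    violation of the intent of Requirement 1 whether or not it is in the
    baseline, so it is reported separately from plain drift."""
    return rule.action == "allow" and rule.src in UNTRUSTED and rule.dst in CDE_ZONES


def compare(baseline: FrozenSet[Rule], running: FrozenSet[Rule]) -> Dict[str, List[Rule]]:
    """Return unauthorized additions, missing approved rules, and any
    running rule that exposes the CDE to an untrusted source."""
    return {
        "unauthorized": sorted(running - baseline),
        "missing": sorted(baseline - running),
        "untrusted_to_cde": sorted(r for r in running if is_untrusted_to_cde(r)),
    }


def has_drift(report: Dict[str, List[Rule]]) -> bool:
    return any(report.values())


# Constructed sample data: the approved standard, each rule tied to a change ticket.
BASELINE = """
allow tcp dmz  cde 443   # CHG-1042 web tier to payment API
allow tcp mgmt cde 22    # CHG-0871 bastion admin access
deny  any any  cde any   # default deny into the CDE
deny  any cde  any any   # default deny out of the CDE
"""

# Constructed sample data: what the device is actually running.
RUNNING = """
allow tcp dmz  cde 443
allow tcp mgmt cde 22
allow tcp any  cde 3389  # opened during an incident, never removed
deny  any cde  any any
"""


def sample_report() -> Dict[str, List[Rule]]:
    """Run the comparison on the constructed sample rulesets."""
    return compare(parse_rules(BASELINE), parse_rules(RUNNING))


if __name__ == "__main__":
    for category, rules in sample_report().items():
        print(f"{category}:")
        for r in rules:
            print(f"  {r.action} {r.proto} {r.src} -> {r.dst}:{r.port}")
```

On the sample data the check reports one unauthorized rule (RDP from any source into the CDE), one missing rule (the inbound default deny), and flags the same RDP rule as untrusted-to-CDE exposure. Running this on a schedule and alerting on any non-empty category gives the "low deviation from configuration standards" objective a measurable definition; the correction step is still a change-control action, not something the script should perform.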
Common constraints
- Capacity: Insufficient security control administration personnel to carry out component deployment, configuration, monitoring and maintenance tasks to the required standard
- Cost: Lack of budget to update outdated technology and/or increase staff capacity
- Competency: Lack of staff qualified to configure, operate and manage network security components