The goal
The goal of PCI DSS Key Requirement 7 is to maintain a reliable and sustainable capability to prevent unauthorized access to account data and systems across the CDE by effectively restricting access to system components and CHD by business “need to know,” and the capability to detect and respond to access control violations.
This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations
- IT components: All system components within the CDE, including the related security system components that support access control to and from the CDE. The most common role-based access control (RBAC) mechanisms are Windows® Active Directory® and Lightweight Directory Access Protocol (LDAP) directories
- People: All employees (such as IT and security staff, accountants, support staff, call center agents and executives), contractors, consultants, internal and external vendors, and other third parties that provide support or maintenance services, as well as any individual who needs to access CHD or any system component within the CDE (any component that processes, stores and/or transmits account data, and also components that directly connect to or support such components)
- Documentation: Detailed documented standards and procedures for the configuration of all administrator and user accounts, including procedures to define, identify and assign roles and responsibilities, access to data resources and required privilege levels; formal approval of access requests; and periodic internal audits that review and reconcile expected access privileges against actual system configurations
Goal requirements:
Some of the primary conditions necessary to achieve the goal
- Competence: Document an RBAC standard and procedures to restrict account data access to only those who need it to perform their job, to prevent all unauthorized exposure of account data
- Capability—process: Maintain a reliable, sustainable and effective access management process that covers all components within the CDE
- Capability—automation: Implement and maintain automated tools that support the monitoring and frequent review of access privileges according to the “least privilege” principle. This should include periodic auditing and evaluation of the access control systems to review their consistency and effectiveness
- Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards. Regularly train and educate staff on how to follow the documented procedures
Strong dependencies and integration with other key requirements
- Requirement 8: Strong dependency and integration with user identity and authentication
- Requirement 10: Integration with logging and monitoring
- Requirement 2: Security configuration of system components
- Requirement 9: Integration with physical security controls
- Requirement 1: Integration with network security controls
Short-term objectives
- Standardization: Identify and document all access control mechanisms to ensure that all components across the CDE conform to authorized and approved access control systems, standards and procedures
- Automation and integration: Implement or update and integrate an automated RBAC system for centralized management and oversight of access control configurations across the CDE
- Internal audit: Identify all inactive users on in-scope systems and either permanently disable or delete them; identify and remove all group or shared usernames and passwords
- Hardening: Properly harden and configure network security components to protect the RBAC system from compromise
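The periodic reconciliation described under "Documentation" (expected access privileges against actual system configurations), the automated least-privilege review under "Capability—automation", and the inactive- and shared-account clean-up under "Internal audit" all reduce to the same check: compare the approved RBAC model with a directory export and report every difference. The script below is an added illustration of that check, written for this page; it is not part of the PCI DSS template and not code from any directory product. It assumes a constructed role-to-group mapping and a constructed account export in place of a real Active Directory or LDAP dump, treats an account with no named individual owner as a shared account, and uses an inactivity threshold (INACTIVE_DAYS) chosen for the example rather than taken from the page.

```python
"""Access review reconciliation for an RBAC-managed CDE (illustrative example).

Compares the approved access model (which roles each person holds and which
directory groups each role grants) against the actual directory export, and
emits findings for inactive accounts, shared accounts, unapproved accounts,
approvals with no matching account, and group membership that exceeds or
falls short of the approved role. All data here is constructed sample input.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed inactivity threshold for this example (a parameter, not a page value).
INACTIVE_DAYS = 90


@dataclass(frozen=True)
class Account:
    """One row of a directory export (constructed schema)."""
    username: str
    groups: FrozenSet[str]
    enabled: bool
    last_logon: Optional[date]   # None means the account has never logged on
    owner: Optional[str]         # named individual accountable for the account


@dataclass(frozen=True)
class Finding:
    kind: str      # INACTIVE, SHARED, UNAPPROVED, EXCESS_GROUP, MISSING_GROUP, ORPHAN_APPROVAL
    account: str
    detail: str


def expected_groups(approved_roles: Dict[str, Set[str]],
                    role_groups: Dict[str, Set[str]]) -> Dict[str, FrozenSet[str]]:
    """Expand each user's approved roles into the directory groups they should hold."""
    return {
        user: frozenset().union(*(role_groups.get(role, frozenset()) for role in roles))
        for user, roles in approved_roles.items()
    }


def reconcile(approved_roles: Dict[str, Set[str]], role_groups: Dict[str, Set[str]],
              accounts: List[Account], as_of: date,
              inactive_days: int = INACTIVE_DAYS) -> List[Finding]:
    """Reconcile the directory export against the approved RBAC model."""
    findings: List[Finding] = []
    expected = expected_groups(approved_roles, role_groups)
    cutoff = as_of - timedelta(days=inactive_days)
    seen: Set[str] = set()

    for acct in accounts:
        seen.add(acct.username)
        # Shared or generic account: nobody individually accountable for it.
        if acct.owner is None:
            findings.append(Finding("SHARED", acct.username, "no individual owner"))
        # Inactive: still enabled but not used within the threshold (or never used).
        if acct.enabled and (acct.last_logon is None or acct.last_logon < cutoff):
            findings.append(Finding("INACTIVE", acct.username,
                                    f"enabled, last logon {acct.last_logon or 'never'}"))
        # Account exists but no role was ever approved for it.
        if acct.username not in expected:
            findings.append(Finding("UNAPPROVED", acct.username, "no approved role"))
            continue
        # Least-privilege drift: groups beyond the role, or groups the role needs but lacks.
        want = expected[acct.username]
        for group in sorted(acct.groups - want):
            findings.append(Finding("EXCESS_GROUP", acct.username, group))
        for group in sorted(want - acct.groups):
            findings.append(Finding("MISSING_GROUP", acct.username, group))

    # Approved people with no directory account at all (stale approvals).
    for user in sorted(set(expected) - seen):
        findings.append(Finding("ORPHAN_APPROVAL", user, "approved access, no directory account"))
    return findings


# Constructed sample input: a small role catalogue, approvals, and a directory export.
ROLE_GROUPS = {
    "call_center_agent": {"CDE-POS-Lookup"},
    "payments_dba": {"CDE-DB-Admin", "CDE-DB-Read"},
    "security_analyst": {"CDE-Log-Read"},
}
APPROVED_ROLES = {
    "alice": {"call_center_agent"},
    "bob": {"payments_dba"},
    "carol": {"security_analyst"},
    "dave": {"call_center_agent"},   # approved, but no account exists
}
AS_OF = date(2024, 6, 30)
ACCOUNTS = [
    Account("alice", frozenset({"CDE-POS-Lookup"}), True, date(2024, 6, 28), "Alice A."),
    # bob holds a log-read group that his approved role does not grant
    Account("bob", frozenset({"CDE-DB-Admin", "CDE-DB-Read", "CDE-Log-Read"}), True, date(2024, 6, 29), "Bob B."),
    # carol is still enabled but has not logged on for months
    Account("carol", frozenset({"CDE-Log-Read"}), True, date(2024, 1, 15), "Carol C."),
    # generic account with no owner, never used, and no approved role
    Account("posadmin", frozenset({"CDE-POS-Lookup", "CDE-DB-Read"}), True, None, None),
]

if __name__ == "__main__":
    for f in reconcile(APPROVED_ROLES, ROLE_GROUPS, ACCOUNTS, AS_OF):
        print(f"{f.kind:16} {f.account:10} {f.detail}")
```

In a real review the two inputs would come from the access-request system of record and a scheduled directory export; the value of the script is that every finding is a concrete, reviewable difference that an approver must either remediate or formally justify, which is what turns "periodic audit" from a checkbox into evidence.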
Long-term objectives
- Maturity: Achieve and maintain high-performance maturity on access control management by further improving IT system capabilities and the level of automation, and refining configurations and support processes, documentation and user training. Improve the detection and response to access control nonconformities and violations
Common constraints
- Capacity and cost: The level of effort and cost to implement an RBAC system, and maintain an up-to-date list of users and roles within large environments
- Capability: Lack of awareness, communication and coordination, often due to siloed internal organizational structures
- Competency: The ability to manage complex architecture and infrastructure environments and deal with legacy systems or third-party systems that cannot be integrated