The goal
The goal of PCI DSS Key Requirement 2 is to develop, apply and maintain an effective, secure configuration management capability covering all in-scope system components, reducing the attack surface available to an attacker so that the cardholder data environment (CDE) is not susceptible to attack.
This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations
This goal applies to all in-scope system components, i.e., all applicable hardware and software applications (including wireless network components and components hosted in cloud environments), the individuals and teams responsible for implementing and maintaining security configurations, and third parties that support in-scope IT system components.
Goal requirements:
Some of the primary conditions necessary to achieve the goal
- Capability—scope control: Create the capacity and ability for effective and sustainable ongoing identification of all in-scope digital assets and system components included in the security configuration management program
- Capability—change control: Develop an ability for effective, ongoing monitoring, recording, detection of and response to configuration changes made to any in-scope component, including the means to distinguish authorized from unauthorized modifications
- Effective communication: Maintain a complete set of documented configuration and system hardening policies, standards and procedures—with detailed change control standards and procedures for applying hardening standards that cover all types of system components and address all known security vulnerabilities. This should include procedures for removing unnecessary functionality from hardware and software applications, changing vendor defaults and commonly known default credentials or security parameters, and securing administrative access to system components, so that components are not susceptible to attack upon implementation or after any updates or changes
- Operating procedures: Maintain effective, clearly articulated standard operating procedures, regular training and staff education for meeting the performance standards of the secure configuration and change management program
- Ongoing commitment: Include the formal assignment of roles and responsibilities to implement and adhere to policies, standards and procedures; measurement, reporting and improvement of security configuration management performance; and ongoing education and training of system administrators
Strong dependencies and integration with other key requirements
- Requirement 6: Integration with system hardening requirements
- Requirement 1: Secure configuration of network security control components
- Requirement 11: Testing whether configuration changes introduced or resolved vulnerabilities
- Requirement 10: Logging and monitoring of network security control components
Short-term objectives
- Scope and automation: Implement and maintain a configuration management system for the effective, automated identification, status synchronization and reporting of all in-scope components across the entire CDE
- Communication: Document and effectively communicate configuration standards and implementation, management and monitoring procedures for all system components across the CDE
Long-term objectives
- Improvement: Improve and refine configurations and support processes, integration, documentation and training
- Maturity: Achieve and maintain high-capability maturity and performance on all secure configuration operations, with low deviation from configuration standards and high capability for the rapid detection and correction of configuration nonconformities across the CDE
Common constraints
- Capacity: Insufficient personnel to staff the secure configuration management team; incomplete identification of in-scope components due to lack of time and automation tools
- Cost: Lack of budget to procure the tools needed to automate the configuration management functions
- Competency: Lack of staff qualified to effectively apply secure configuration management tasks