One of the most tedious Payment Card Industry Data Security Standard (PCI DSS) requirements is Requirement 2.2. It involves system hardening, which ensures system components are strengthened as much as possible before network implementation. A hardening document is part of this requirement.
We see sometimes that companies applying for compliancy use example hardening documents downloaded from the Internet. But we strongly advise to always write your own document about configuring your systems. Every company has it’s own system infrastructure and therefore using templates is asking for trouble during a PCI audit.
Your QSA auditor wants to know and see that you did your research, and have applied appropriate settings for each system. The auditor compares the hardening document with the current configuration on the system. Any difference between the document and the configuration will result in non-compliance with PCI-DSS.
How do I generate a good hardening document that meets PCI DSS requirements?
When preparing for a PCI audit, keep these tips in mind:
1. Be specific
Make sure you write a document about how your specific technology is implemented in your PCI-DSS environment. Include all commands configured in your system with their specific valor.
2. Be prepared
Have knowledge of all best practices of industry-accepted system hardening standards like Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards Technology (NIST). Also include the recommendation of all technology providers.
3. Use references
When choosing the valor of each command, think about all PCI-DSS requirements. It’s useful to put a reference to the PCI-DSS requirement, especially for future document updates.
4. Think big
Do not limit the document to the PCI-DSS standard only. Think of a document that is useful to get your systems in top condition.
5. Use correct data
Last but not least, include the following data in your hardening document: Name and version, date, change control, responsible, modify by, review by, approve by, date of change and scope.
PCI compliant, Stay compliant!
Documentation is key to system hardening. Make sure you update the document when changes are made on your original blueprint. It’s important to keep track of why you chose certain hardening standards and the hardening checklists you’ve completed. If you decide to change an aspect of your environment and already have the documentation for existing systems, you’ve cut out hours of time-consuming research.
About the author:
Natalia Morando is a security professional in PCI and has over 12 years of experience.