This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement.
5 Tips on System Hardening
Requirement 2 describes the best practices for the implementation of security configuration on your systems and the documentation required by PCI DSS. Let’s explain the main challenges and steps that we must consider:
1) Creating and writing hardening documentation can be described as a difficult task. However, good documentation ensures that the entire IT team follows a set of configurations and knows how to apply this. Assure that these hardening documents are tailored to your system and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
These guides are made to make the writing process easier. Use these documents as a guide and verify that the chosen value allows the correct operation of your particular system.
Read HERE for tips on how to write good hardening documentation.
2) Include the specific requirements of PCI DSS, review all the requirements of the standard and compare it with your document, even though many of the configuration suggestions are included in the recommendations of the sites mentioned in the previous point.
3) Once the documentation has been written and checked, it is time to test and implement the hardening guide on all devices in the PCI DSS environment.
4) When the previous step has been successful, you can officialise and distribute the documents within your IT team. This way, everyone is aware of the steps that have to be taken and there is a fixed hardening procedure.
5) The last thing to remember is keeping the hardening guide up-to-date. It is recommended to review these guides when you implement a software upgrade and whenever a vulnerability that involves a configuration change.
The documentation is not only part of the compliance of PCI DSS. They are a big part of the security of the cardholder data and maintaining a secure network. For this reason, it is important to review them regularly and to include new configurations that resolve or prevent the exploitation of vulnerabilities.
Read here about Requirement 3
Read our previous blog about Requirement 1