
This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. 

5 Tips on System Hardening

Requirement 2 describes the best practices for the implementation of security configuration on your systems and the documentation required by PCI DSS. Let’s explain the main challenges and steps that we must consider:

1) Creating and writing hardening documentation is often seen as a difficult task. However, good documentation ensures that the entire IT team follows one agreed set of configurations and knows how to apply them. Ensure that these hardening documents are tailored to your systems and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:

These guides exist to make the writing process easier. Use them as a starting point, and verify that each chosen value still allows the correct operation of your particular system before you adopt it.

Read HERE for tips on how to write good hardening documentation. 

2) Include the specific requirements of PCI DSS. Review all the requirements of the standard and compare them against your document, even though many of the suggested configurations are already covered by the recommendations of the sources mentioned in the previous point.

3) Once the documentation has been written and checked, it is time to test and implement the hardening guide on all devices in the PCI DSS environment.

4) When the previous step has been successful, you can officialise and distribute the documents within your IT team. This way, everyone is aware of the steps that have to be taken and there is a fixed hardening procedure.

5) The last thing to remember is to keep the hardening guide up to date. It is recommended to review these guides whenever you implement a software upgrade and whenever a vulnerability is disclosed that requires a configuration change.
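Steps 3 and 5 above come down to one recurring question: does each system still match the values written in the hardening document? The following script is an added example, not code from the original post or from Fortytwo; the baseline directives and the sample sshd_config text are constructed for illustration, and in practice the baseline would be loaded from your own hardening documentation.

```python
"""Compare a configuration file against a documented hardening baseline.

Added example: reports every directive whose value deviates from the
hardening document, including directives that are simply absent (so the
daemon default applies), which a reviewer must treat as a finding too.
"""
import re

# Constructed baseline: directive -> value as stated in the hardening document.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample sshd_config: one wrong value, one directive only
# present as a comment (so it is effectively missing).
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""

def parse_config(text):
    """Return {directive_lower: value} from 'Key value' or 'Key=value' lines.

    Blank lines and comments are skipped. For a repeated directive the first
    occurrence is kept, which matches how sshd resolves duplicate keywords.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def check_baseline(text, baseline=BASELINE):
    """Return [(directive, expected, actual)] for every deviation; actual is None when absent."""
    actual = parse_config(text)
    return [(d, exp, actual.get(d.lower()))
            for d, exp in baseline.items()
            if actual.get(d.lower()) is None or actual[d.lower()].lower() != exp.lower()]

if __name__ == "__main__":
    for directive, expected, value in check_baseline(SAMPLE_CONFIG):
        print(f"DEVIATION {directive}: expected {expected!r}, found {value!r}")
```

Run against each device in the PCI DSS environment, the list of deviations is the evidence that the documented hardening standard is actually applied, and a non-empty list after an upgrade is the trigger step 5 describes for revisiting the guide.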

This documentation is not only part of PCI DSS compliance. It is a big part of securing cardholder data and maintaining a secure network. For this reason, it is important to review these documents regularly and to add new configurations that resolve or prevent the exploitation of vulnerabilities.
