Formal Process for Approving and Testing Network Connections | PCI DSS Requirement 1.1.1.

PCI DSS Requirement 1.1.1 | A Formal Process for Network Connections and Changes

Regarding PCI DSS Requirement 1.1.1, "A formal process for approving and testing all network connections and changes to the firewall and router configurations" means just that: having a process that is in place, agreed upon by all major participants involved in the process, documented, and carried out accordingly. I stress "documented" because Requirement 12 of the PCI DSS standard is NOT the only place where you have to develop documented policies, procedures and processes for ensuring PCI DSS compliance. Sprinkled throughout the PCI DSS 1.2 requirements are words and phrases that directly or indirectly relate to having documented policies and procedures in place. PCI DSS Requirement 1.1.1 is no different: you need to have a documented "formal process" in place and, accordingly, carried out and acted on.

Furthermore, please keep in mind that PCI DSS Requirement 1.1.1 calls for a formal process for "approving and testing all NETWORK connections and changes to the firewall and router configurations", so do not confuse it with the formal processes that typically relate to change management for applications and/or other types of functional system changes; this specific requirement (1.1.1) has to do with network connections and devices (i.e., routers, firewalls, switches, etc.). Many organizations required to become PCI DSS compliant invariably think of their change management policies, procedures and processes for applications, which is incorrect. However, if you have, or plan on developing and implementing, a change management function that includes network connections and devices, then you should clearly be able to satisfy PCI DSS 1.1.1. If you do not have any type of formalized process for ANY type of change, be it system, application, network, administrative, incident response related, or any other type of change you may undertake, then it's time to invest in some type of formalized, documented ticketing system, change management application, or internally developed system. Ultimately, the choice is yours and should be whatever best fits your organization.

And lastly, keep in mind that if your organization, like many others, outsources these network responsibilities to a third-party managed services provider, then please ensure that these third-party providers have a documented and formalized policy for meeting the requirements of PCI DSS 1.1.1. Remember, the scope of the PCI DSS audit is almost never limited to just the entity that is initially being required to become PCI DSS compliant. Why? Because once you start working with an organization and peeling back the layers to find out who provides what type of outsourced services to them and in what capacity, the scope invariably grows. To learn more about the Payment Card Industry Data Security Standard and becoming PCI DSS compliant, please contact NDB Advisory.