WithPCI.com

1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.

Customized Approach Objective

Changes to network connections and NSCs cannot result in misconfiguration, implementation of insecure services, or unauthorized network connections.

Applicability Notes

Changes to network connections include the addition, removal, or modification of a connection. Changes to NSC configurations include those related to the component itself as well as those affecting how it performs its security function.

Defined Approach Testing Procedures

1.2.2.a Examine documented procedures to verify that changes to network connections and configurations of NSCs are included in the formal change control process in accordance with Requirement 6.5.1.

1.2.2.b Examine network configuration settings to identify changes made to network connections. Interview responsible personnel and examine change control records to verify that identified changes to network connections were approved and managed in accordance with Requirement 6.5.1.

1.2.2.c Examine network configuration settings to identify changes made to configuration of NSCs. Interview responsible personnel and examine change control records to verify that identified changes to configurations of NSCs were approved and managed in accordance with Requirement 6.5.1.
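Testing procedures 1.2.2.b and 1.2.2.c boil down to one check: take the NSC's current configuration, work out what changed since the last verified baseline, and confirm that every change maps to an approved change-control record. The script below is an added example of that reconciliation; it is not PCI SSC or WithPCI material. The pipe-separated rule export format, the ticket fields (`status`, `implemented`, `rule_ids`), the 90-day lookback window and the insecure-service list are all assumptions made for the example, and every snapshot and ticket in it is constructed sample data.

```python
"""Added example (not PCI SSC or WithPCI content): reconcile observed NSC
rule changes against change-control records, as in testing procedures
1.2.2.b/c. Export format, ticket fields, lookback window and the insecure
service list are assumptions; all input data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed list of services a change should never newly permit without
# explicit justification; a real list comes from the entity's own policy.
INSECURE_SERVICES = {"tcp/23", "tcp/21", "any"}


@dataclass(frozen=True)
class ChangeRecord:
    """A change-control ticket; rule_ids are the NSC rule ids it authorises."""
    ticket: str
    status: str            # only "approved" tickets satisfy 1.2.2
    implemented: datetime
    rule_ids: frozenset


def parse_rules(export_text):
    """Parse the assumed export 'id | action | src | dst | service' into
    {rule_id: (action, src, dst, service)}; comments and blank lines skipped."""
    rules = {}
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule_id, action, src, dst, service = [f.strip() for f in line.split("|")]
        rules[rule_id] = (action, src, dst, service)
    return rules


def diff_rules(baseline, current):
    """Return (change_type, rule_id, before, after) for each rule that was
    added, removed or modified between the baseline and current snapshots."""
    changes = []
    for rid in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rid), current.get(rid)
        if before is None:
            changes.append(("added", rid, None, after))
        elif after is None:
            changes.append(("removed", rid, before, None))
        elif before != after:
            changes.append(("modified", rid, before, after))
    return changes


def reconcile(changes, records, snapshot_time, lookback_days=90):
    """Match each change to an approved ticket covering its rule id that was
    implemented inside the lookback window. Returns (approved, unapproved);
    approved pairs each change with the ticket that authorised it."""
    earliest = snapshot_time - timedelta(days=lookback_days)
    approved, unapproved = [], []
    for change in changes:
        rid = change[1]
        ticket = next((r for r in records if rid in r.rule_ids
                       and r.status == "approved"
                       and earliest <= r.implemented <= snapshot_time), None)
        if ticket is None:
            unapproved.append(change)
        else:
            approved.append((change, ticket.ticket))
    return approved, unapproved


def flag_insecure(changes):
    """Post-implementation check: rule ids whose new state permits a service
    on INSECURE_SERVICES (the 'insecure services' outcome the objective forbids)."""
    return [c[1] for c in changes if c[0] in ("added", "modified")
            and c[3][0] == "permit" and c[3][3] in INSECURE_SERVICES]


# Constructed sample snapshots and tickets (not real configurations).
BASELINE_EXPORT = """
# id  | action | src          | dst        | service
100   | permit | 10.10.1.0/24 | 10.20.5.10 | tcp/443
110   | permit | 10.10.1.0/24 | 10.20.5.11 | tcp/1433
120   | deny   | any          | any        | any
"""
CURRENT_EXPORT = """
100   | permit | 10.10.1.0/24 | 10.20.5.10 | tcp/443
105   | permit | 10.10.2.0/24 | 10.20.5.10 | tcp/443
110   | permit | 10.10.1.0/24 | 10.20.5.11 | tcp/23
120   | deny   | any          | any        | any
"""
RECORDS = [  # rule 105 was ticketed and approved; rule 110's ticket was never approved
    ChangeRecord("CHG-2041", "approved", datetime(2024, 5, 2), frozenset({"105"})),
    ChangeRecord("CHG-2050", "open", datetime(2024, 5, 9), frozenset({"110"})),
]
SNAPSHOT_TIME = datetime(2024, 5, 15)


def run_example():
    """Reconcile the constructed data; returns (approved, unapproved, insecure ids)."""
    changes = diff_rules(parse_rules(BASELINE_EXPORT), parse_rules(CURRENT_EXPORT))
    approved, unapproved = reconcile(changes, RECORDS, SNAPSHOT_TIME)
    return approved, unapproved, flag_insecure(changes)


if __name__ == "__main__":
    approved, unapproved, insecure = run_example()
    for change, ticket in approved:
        print(f"OK         rule {change[1]} {change[0]} under {ticket}")
    for change in unapproved:
        print(f"UNAPPROVED rule {change[1]} {change[0]}: no approved ticket in window")
    for rid in insecure:
        print(f"INSECURE   rule {rid} now permits a service on the insecure list")
```

In the constructed data, rule 105 reconciles to CHG-2041, while the edit to rule 110 (which opened Telnet) has only an unapproved ticket and so is reported both as an unauthorised change and as an insecure service. A real implementation would pull the two snapshots from the NSC's own configuration export and the records from the ticketing system, and would run on a schedule rather than only at assessment time, so that unapproved changes are caught days rather than months after they land.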

Purpose

Following a structured change control process for all changes to NSCs reduces the risk that a change could introduce a security vulnerability.

Good Practice

Changes should be approved by individuals with the appropriate authority and knowledge to understand the impact of the change. Verification should provide reasonable assurance that the change did not adversely impact the security of the network and that the change performs as expected.

To avoid having to address security issues introduced by a change, all changes should be approved prior to being implemented and verified after the change is implemented. Once approved and verified, network documentation should be updated to include the changes to prevent inconsistencies between network documentation and the actual configuration.

Purpose

Prevent unauthorized or insecure changes to NSCs.

What's required for compliance

  • All changes to network connections (added, removed, or modified) and to NSC configurations must go through the formal change control process defined at Req. 6.5.1.
  • Each change must be approved before implementation, verified after implementation, and documented, including updating network diagrams and rule-set documentation.

compliance strategies

  • Change management system
  • Dual approval workflows
  • Post-implementation review

Typical policies and procedures

  • Change Management Procedure
  • Emergency Rollback Plan

Common pitfalls and failures

  • Unapproved changes, typically direct CLI or console edits to an NSC made outside the ticketed process
  • Lack of documentation, such as change records with no approval evidence, or network diagrams not updated after the change

Type

Process Control

Difficulty

Moderate

Key risks

  • Security gaps from unapproved or untested changes, such as an overly broad rule or an insecure service permitted into the CDE

Product/vendor recommendations

  • Integrate NSC change tracking with the ITSM system (e.g., ServiceNow) so that every configuration change references an approved ticket and can be reconciled against the current NSC configuration

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
