1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
Defined Approach Requirements
1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
Customized Approach Objective
NSC configurations that allow or restrict access to trusted networks are verified periodically to ensure that only authorized connections with a current business justification are permitted.
Defined Approach Testing Procedures
1.2.7.a Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months.
1.2.7.b Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months.
1.2.7.c Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated.
Purpose
Such a review gives the organization an opportunity to clean up any unneeded, outdated, or incorrect rules and configurations which could be utilized by an unauthorized person. Furthermore, it ensures that all rules and configurations allow only authorized services, protocols, and ports that match the documented business justifications.
Good Practice
This review, which can be implemented using manual, automated, or system-based methods, is intended to confirm that the settings that manage traffic rules, what is allowed in and out of the network, match the approved configurations.
The review should provide confirmation that all permitted access has a justified business reason. Any discrepancies or uncertainties about a rule or configuration should be escalated for resolution.
While this requirement specifies that this review occur at least once every six months, organizations with a high volume of changes to their network configurations may wish to consider performing reviews more frequently to ensure that the configurations continue to meet the needs of the business.
Purpose
Ensure NSC configurations remain relevant, secure, and backed by a current business justification.
What's required for compliance
- Documented procedures for reviewing NSC configurations (what is reviewed, by whom, and how findings are handled).
- Evidence (dated review records and sign-off) that reviews occur at least once every six months.
- Rules or configurations that no longer have a business justification are removed or updated, and the change is recorded.
Compliance strategies
- Automated ruleset analysis to surface unused, shadowed, over-broad, or expired rules ahead of the review.
- Keep a record of each review (date, reviewer, rules removed or changed, escalations) as the evidence for 1.2.7.b.
- Maintain a scheduled review calendar so that the six-month window is never missed; review more often where change volume is high.
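The following is an added example of the automated ruleset analysis listed above; it is not code from the PCI DSS text or from any vendor. It joins a constructed firewall ruleset against a constructed business-justification register (the rule IDs, addresses, owners, and expiry dates are all hypothetical) and returns the findings a six-monthly review should escalate: rules with no documented justification, rules whose justification has expired, over-broad allow-any rules, and register entries that no longer match any rule. It also checks whether the review itself is overdue using calendar-month arithmetic.

```python
"""Added example: an automated NSC ruleset review helper.
All rules, addresses and register entries below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
import calendar


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str
    dst: str
    proto: str
    port: str
    action: str


# Constructed sample ruleset (hypothetical rule IDs and addresses).
RULES = [
    Rule("R1", "10.0.1.0/24", "10.0.2.10", "tcp", "443", "allow"),
    Rule("R2", "any", "10.0.2.20", "tcp", "3389", "allow"),
    Rule("R3", "any", "any", "any", "any", "allow"),
    Rule("R4", "10.0.3.0/24", "10.0.2.30", "tcp", "22", "allow"),
]

# Constructed business-justification register, keyed by rule ID.
# "expires" is the date by which the owner must re-confirm the need.
REGISTER = {
    "R1": {"owner": "payments", "justification": "web tier to API", "expires": date(2025, 12, 31)},
    "R2": {"owner": "ops", "justification": "vendor RDP during migration", "expires": date(2024, 12, 31)},
    "R4": {"owner": "ops", "justification": "bastion SSH to app hosts", "expires": date(2026, 3, 31)},
    "R9": {"owner": "legacy", "justification": "old reporting host", "expires": date(2026, 1, 1)},
}

# Constructed review dates for the worked run.
LAST_REVIEW = date(2024, 11, 15)
REVIEW_DATE = date(2025, 6, 1)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (Aug 31 + 6 months -> Feb 28/29)."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def review_overdue(last_review: date, today: date) -> bool:
    """True when more than six calendar months have passed since the last review."""
    return today > add_months(last_review, 6)


def review_ruleset(rules, register, today):
    """Return (rule_id, finding) pairs for everything the review should escalate."""
    findings = []
    seen = set()
    for r in rules:
        seen.add(r.rule_id)
        entry = register.get(r.rule_id)
        if entry is None:
            findings.append((r.rule_id, "no documented business justification"))
        elif entry["expires"] < today:
            findings.append((r.rule_id, f"justification expired on {entry['expires']}"))
        # An allow rule with any source, any destination and any port is over-broad
        # regardless of whether someone once wrote a justification for it.
        if r.action == "allow" and (r.src, r.dst, r.port) == ("any", "any", "any"):
            findings.append((r.rule_id, "allow any->any on any port: over-broad"))
    # Register entries with no live rule are stale documentation and should be retired.
    for rule_id in register:
        if rule_id not in seen:
            findings.append((rule_id, "register entry has no matching rule (stale documentation)"))
    return findings


def flagged_rule_ids(findings):
    """Distinct rule IDs that appear in the findings, sorted for reporting."""
    return sorted({rule_id for rule_id, _ in findings})


if __name__ == "__main__":
    print("review overdue:", review_overdue(LAST_REVIEW, REVIEW_DATE))
    for rule_id, finding in review_ruleset(RULES, REGISTER, REVIEW_DATE):
        print(f"{rule_id}: {finding}")
```

On the sample data the run reports R2 (expired justification), R3 (no justification and over-broad) and R9 (stale register entry); R1 and R4 pass. Exporting a real ruleset into the `Rule` shape is vendor-specific and is the piece a practitioner has to supply; the register is the documented business justification that 1.2.7.c expects to exist for every permitted connection.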
Typical policies and procedures
- Ruleset Review Procedure (scope, frequency, reviewer, evidence retained, escalation of unexplained rules)
- Decommissioning Process (removing rules when the system or project they served is retired)
Common pitfalls and failures
- Stale rules left in place after the system, vendor, or project that needed them is gone
- No cleanup process, so reviews are documented but nothing is actually removed or updated
Type
Process Control
Difficulty
Moderate
Key risks
- Unauthorized access through rules that have outlived their business justification, for example a temporary vendor or migration rule that was never removed
Product and vendor recommendations
- Use ruleset analysis or optimization tools (for example FireMon) to identify unused, shadowed, and over-broad rules ahead of each review
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER