
Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

2.2.5 If any insecure services, protocols, or daemons are present:

  • Business justification is documented.
  • Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.

Defined Approach Testing Procedures

2.2.5.a If any insecure services, protocols, or daemons are present, examine documentation to verify:

  • Business justification is documented.
  • Additional security features are documented.

2.2.5.b Examine configuration settings to verify that the documented additional security features are implemented.

Purpose

Ensuring that all insecure services, protocols, and daemons have a documented business justification and additional security features implemented reduces the risk associated with use of these services, protocols, and daemons.

Good Practice

Insecure services, protocols, or daemons that are necessary for business should be identified, and the risk of using each service should be understood and accepted by the organization.

Insecure services, protocols, or daemons include, but are not limited to, FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

Examples of additional security features that reduce the risk of using insecure services, protocols, or daemons include implementing secure tunneling or implementing additional monitoring and logging.

Purpose

Remove all unnecessary functionality to reduce attack surface.

What's Required for Compliance

  • Remove unnecessary software/components
  • Disable non-essential services/daemons

Compliance Strategies

  • Minimal OS installations
  • Containerization of services
  • Service audits
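The "service audit" strategy above and the Good Practice guidance (identify each insecure service, confirm it has a documented justification, and confirm the documented additional security feature is actually in place, as testing procedure 2.2.5.b requires) can be scripted against a host's listening sockets. The following is an added example, not WithPCI's or the PCI SSC's code. It assumes the text format of Linux `ss -tulnp`, a constructed in-memory "register" of justifications and controls whose field names are this example's own, and it machine-verifies only one control, `loopback-only` (the service is reachable solely through a local tunnel such as stunnel or SSH port forwarding); other controls, such as additional logging, are taken from the register as documented.

```python
"""Service audit for PCI DSS 2.2.5: find listening insecure services and check
each against a register of business justifications and compensating controls.
Added example; the register layout and control names are this example's own."""
import re
from dataclasses import dataclass

# Insecure services named in the requirement's guidance, keyed by well-known port.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP", 161: "SNMP v1/v2c"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# One line of `ss -tulnp`: netid, state, recv-q, send-q, local addr:port, peer, users:(("proc",...
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list:
    """Parse ss -tulnp style text into Listener records (the header line is skipped)."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, _, port = m.group("laddr").rpartition(":")  # handles [::1]:21 and *:21 too
        listeners.append(
            Listener(m.group("proto"), addr.strip("[]"), int(port), m.group("proc") or "unknown")
        )
    return listeners


def audit(ss_output: str, register: dict) -> list:
    """Return one finding per insecure listener as (port, service, process, status, detail)."""
    findings = []
    for lst in parse_ss(ss_output):
        if lst.port not in INSECURE_PORTS:
            continue  # not one of the insecure services in scope for 2.2.5
        name = INSECURE_PORTS[lst.port]
        entry = register.get(lst.process)
        if entry is None:
            status, detail = "FAIL", "no documented business justification (2.2.5.a)"
        elif not entry.get("controls"):
            status, detail = "FAIL", "justified but no additional security features documented (2.2.5.a)"
        elif "loopback-only" in entry["controls"] and lst.addr not in LOOPBACK:
            # Documented control says tunnel-only, but the socket is exposed on a real interface.
            status, detail = "FAIL", f"documented loopback-only control not implemented: bound to {lst.addr} (2.2.5.b)"
        else:
            status, detail = "PASS", "justified; controls: " + ", ".join(entry["controls"])
        findings.append((lst.port, name, lst.process, status, detail))
    return sorted(findings)


# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:21        0.0.0.0:*         users:(("vsftpd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=830,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    0.0.0.0:110         0.0.0.0:*         users:(("dovecot",pid=950,fd=20))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=901,fd=6))
"""

# Constructed register: the documented justification and controls per insecure daemon.
SAMPLE_REGISTER = {
    "vsftpd": {"justification": "Partner file drop until Q3 migration",
               "controls": ["loopback-only", "auth-logging"]},
    "dovecot": {"justification": "Legacy mail client support", "controls": ["loopback-only"]},
    "snmpd": {"justification": "Polling legacy switches", "controls": []},
}

if __name__ == "__main__":
    for port, name, proc, status, detail in audit(SAMPLE_SS, SAMPLE_REGISTER):
        print(f"{status} {name:<10} port {port:<4} {proc:<8} {detail}")
```

Run as a script it prints one line per insecure listener; on the constructed input FTP passes (justified, bound to loopback, logging documented), Telnet fails for lack of any justification, SNMP fails because it is justified but has no compensating control, and POP3 fails 2.2.5.b because the register claims loopback-only while the daemon listens on 0.0.0.0. SSH on port 22 is ignored because it is not one of the services the guidance lists as insecure.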

Typical Policies and Procedures

  • Server Build Standard
  • Application Whitelisting Policy

Common Pitfalls and Failures

  • Default features enabled
  • Shared dev/prod environments

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Exploitation of unused services

Product and Vendor Recommendations

  • Docker hardening guides
  • CIS-CAT Pro Benchmark tools

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
