WithPCI.com

2.2.6 System security parameters are configured to prevent misuse.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

2.2.6 System security parameters are configured to prevent misuse.

Customized Approach Objective

System security parameters cannot be modified to bypass security controls or otherwise misused.

Defined Approach Testing Procedures

2.2.6.a Examine system configuration standards to verify they require that system security parameters are set to prevent misuse.

2.2.6.b Examine system configurations to verify that system security parameters are set to prevent misuse.

Purpose

Incorrectly configured security parameters may result in system vulnerabilities, which could allow intentional or unintentional misuse of system resources.

Good Practice

System configuration standards should address security settings and parameters that have been identified as potential security vulnerabilities.

Security parameters are those that affect the level of security for the system component, the sensitivity of data that the system component holds, and the functions the system component performs. Security parameters include registry settings and settings for other system components that affect security settings such as firewalls, routers, and anti-virus.
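As an added illustration of testing procedure 2.2.6.b (this is example code written for this page, not from WithPCI or the PCI DSS text), the following Python compares the security parameters a host actually reports against a configuration standard and lists every deviation, treating a parameter the standard requires but the host does not set as a finding too. The parameter names, the standard, the snapshot and the rule format are constructed assumptions of this example, not a vendor baseline.

```python
# Rule kinds: "equals" (exact), "min" (numeric floor), "max" (ceiling), "in" (allowed set).
# Constructed configuration standard (parameter names are illustrative, not a vendor baseline).
STANDARD = {
    "net.ipv4.ip_forward": {"equals": 0},           # host must not route packets
    "kernel.randomize_va_space": {"equals": 2},     # full ASLR
    "fs.protected_symlinks": {"equals": 1},
    "firewall.default_policy": {"in": ["DROP", "REJECT"]},
    "password.min_length": {"min": 12},
    "session.idle_timeout_minutes": {"max": 15},
}

# Constructed snapshot of the values a host actually reports.
SNAPSHOT = {
    "net.ipv4.ip_forward": 1,               # deviates from the standard
    "kernel.randomize_va_space": 2,
    "firewall.default_policy": "ACCEPT",    # deviates
    "password.min_length": 8,               # deviates
    "session.idle_timeout_minutes": 15,
    # fs.protected_symlinks absent on purpose: a missing parameter is also a finding
}

CHECKS = {
    "equals": lambda value, want: value == want,
    "min": lambda value, want: value >= want,
    "max": lambda value, want: value <= want,
    "in": lambda value, want: value in want,
}

def satisfies(rule, value):
    """True when a reported value meets the single rule in the standard."""
    (kind, want), = rule.items()          # each rule carries exactly one kind
    return CHECKS[kind](value, want)

def check_parameters(standard, snapshot):
    """Return deviations as (parameter, rule, actual value), sorted by name.

    A parameter the standard requires but the snapshot lacks is reported with
    actual value None: an unset parameter fails 2.2.6.b just like a wrong one."""
    findings = []
    for name, rule in standard.items():
        if name not in snapshot:
            findings.append((name, rule, None))
        elif not satisfies(rule, snapshot[name]):
            findings.append((name, rule, snapshot[name]))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for name, rule, actual in check_parameters(STANDARD, SNAPSHOT):
        print(f"{name}: expected {rule}, found {actual!r}")
```

Run against the constructed snapshot, it reports four deviations; feeding it a snapshot exported from a real host makes the same comparison evidence for 2.2.6.b.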

Purpose

Implement only necessary accounts, with least privileges.

What's Required for Compliance

  • Remove/disable unnecessary user and system accounts
  • Assign least privileges for all accounts

Compliance Strategies

  • Periodic account reviews
  • Automated account provisioning/deprovisioning
  • Least privilege enforcement

Typical Policies and Procedures

  • User Account Management Policy
  • Access Review Procedure

Common Pitfalls and Failures

  • Orphaned accounts
  • Excessive privileges

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Privilege escalation attacks

Product Vendor Recommendations

  • IAM solutions (SailPoint, Okta)
  • Automated provisioning tools

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
