1.1 Establish firewall and router configuration standards that include the following:
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.4 Description of groups, roles, and responsibilities for logical management of network components
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure
Pull out all of section 1, put it into a Word document, and structure a policy, a procedure and configuration standards that address all points.
A ‘standard’ will be unique for each organisation - it will say ‘our firewall of choice is Cisco PIX (for example) and we set it up like this…’. Just make sure it addresses all points in section 1, otherwise it’s not going to meet the standard.
According to Requirement 1 of PCI DSS -
One should interview network and security operations staff to check for basic security measures that are taken during network setup and subsequent changes.
So what kind of questions should you be asking?
Can someone explain why system availability is a PCI concern? Meaning, if a system becomes unavailable due to a denial of service attack, how can that result in the compromise of cardholder data? What are the security threats and attack vectors here?
At the very least you will probably have to fill out Self-Assessment Questionnaire A (SAQ-A) for PCI-DSS. SAQ-A is only 13 questions and much easier to complete than any other PCI compliance requirement.
To qualify for SAQ-A: your website shopping cart must be linked to PayPal for capturing CC information and the subsequent processing and payment settlement; also, you cannot be capturing or storing any credit card authorization data (CC#, expiry date, CVC) on your webserver.