[PCI-DSS] 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
[ul]
[li] 2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards, for example, SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS).[/li]
[li] 2.2.b Verify that system configuration standards include each item below (at 2.2.1 - 2.2.4).[/li]
[li] 2.2.c Verify that system configuration standards are applied when new systems are configured.[/li]
[/ul]