1.1.7 Requirement to review firewall
and router rule sets at least every six
months
1.1.7.a Verify that firewall and router configuration standards
require review of firewall and router rule sets at least every six
months.
1.1.7.b Examine documentation relating to rule set reviews
and interview responsible personnel to verify that the rule sets
are reviewed at least every six months.
This review gives the organization an opportunity
at least every six months to clean up any
unneeded, outdated, or incorrect rules, and
ensure that all rule sets allow only authorized
services and ports that match the documented
business justifications.
Organizations with a high volume of changes to
firewall and router rule sets may wish to consider
performing reviews more frequently, to ensure
that the rule sets continue to meet the needs of
the business.