[PCI DSS 3.0] 1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to t

1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include:

• Specific configuration settings are defined for personal firewall software.
• Personal firewall software is actively running.
• Personal firewall software is not alterable by users of mobile and/or employee-owned devices.

1.4.a Examine policies and configuration standards to verify:
• Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet (for example, laptops used by employees) when outside the network, and which are also used to access the network.
• Specific configuration settings are defined for personal firewall software.
• Personal firewall software is configured to actively run.
• Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices.

1.4.b Inspect a sample of mobile and/or employee-owned devices to verify that:
• Personal firewall software is installed and configured per the organization’s specific configuration settings.
• Personal firewall software is actively running.
• Personal firewall software is not alterable by users of mobile and/or employee-owned devices.

Portable computing devices that are allowed to connect to the Internet from outside the corporate firewall are more vulnerable to Internet-based threats. Use of a personal firewall helps to protect devices from Internet-based attacks, which could use the device to gain access to the organization’s systems and data once the device is re-connected to the network.

The specific firewall configuration settings are determined by the organization.

Note: The intent of this requirement applies to employee-owned and company-owned computers. Systems that cannot be managed by corporate policy introduce weaknesses to the perimeter and provide opportunities that malicious individuals may exploit. Allowing untrusted systems to connect to an organization’s network could result in access being granted to attackers and other malicious users.