With 12 chapters and more than 170 individual requirements, planning for compliance with the PCI DSS is a challenge. Automating the change control and configuration process eases the burden on the network manager by providing a structured approach to implementing the DSS. It should offer advice and best-practice documentation in the context of the individual DSS requirements, making it easy for managers to determine which steps need to be taken to ensure compliance with the standard.
Change control processes should be documented and stored so that engineers and managers can access the process documentation on a daily basis. An automated change control solution can facilitate this, giving the network manager the ability to keep the company’s established policies alongside the individual PCI requirements and vendor best-practice documentation.
For example, qualified personnel should have the means to easily access the current (not static) status of each PCI DSS requirement, together with its supporting documentation, in one consolidated view. This view should contain:
- PCI DSS Requirement Definition
  - 2.1 - Always change vendor-supplied defaults before installing a system on the network.
- Reports and Links
  - Credential and Usage Reports
  - Communication Mechanism Reports
- Each Compliance Item and Status:
  - Default Password
    - Cisco Routers
      - 3,772 compliant
      - 43 non-compliant
- Review Comments
  - 05/30/07 - Matt Clark, Updated default password policy to include PWs from latest IOS.
One of the largest cost savings from a PCI solution built on automated change and compliance control is its help in reducing the scope of the audit. Qualified security assessors (QSAs) are required to set the scope of the audit to the devices that protect, hold, or transmit cardholder data. While it is incumbent upon network engineers to design the network so that it is properly segmented, a PCI solution can assist in proving this segmentation to the auditor. The solution should provide logical containers to manage each network domain, and change and compliance reporting should highlight to the auditor the association between the PCI-compliant processes and the in-scope devices.
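As an added illustration of the consolidated view and the scope containers described above (example code, not from any vendor product), the following Python evaluates requirement 2.1 over a constructed device inventory, assesses only devices in the assumed in-scope domains, and produces the per-class compliant/non-compliant counts plus the list of in-scope devices an auditor would be shown. Device names, domain names, the in-scope domain set and the placeholder "default" strings are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import hashlib

REQUIREMENT = "2.1 - Always change vendor-supplied defaults before installing a system on the network."

def secret_hash(secret: str) -> str:
    """Compare SHA-256 digests so plaintext secrets never sit in the report."""
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed placeholders standing in for vendor-supplied defaults; a real
# solution would maintain the vendor-specific list it audits against.
DEFAULT_SECRET_HASHES = {secret_hash(p) for p in ("changeme", "default")}
# Assumed logical containers that hold cardholder-data devices.
IN_SCOPE_DOMAINS = {"cardholder-core", "cardholder-edge"}

@dataclass
class Device:
    name: str
    device_class: str   # e.g. "Cisco Routers"
    domain: str         # logical container the device is managed under
    secret_digest: str  # SHA-256 of the configured enable secret

def uses_default_credential(device: Device) -> bool:
    return device.secret_digest in DEFAULT_SECRET_HASHES

def build_view(devices, in_scope=IN_SCOPE_DOMAINS) -> dict:
    """Assess requirement 2.1 on in-scope devices only; count per device class."""
    counts = defaultdict(lambda: {"compliant": 0, "non_compliant": 0})
    in_scope_names = []
    for dev in devices:
        if dev.domain not in in_scope:
            continue                      # outside the audit scope, not assessed
        in_scope_names.append(dev.name)
        bucket = counts[dev.device_class]
        bucket["non_compliant" if uses_default_credential(dev) else "compliant"] += 1
    return {"requirement": REQUIREMENT, "status": dict(counts),
            "in_scope_devices": in_scope_names}

# Constructed sample inventory (names, domains and secrets are made up).
SAMPLE_DEVICES = [
    Device("rtr-core-1", "Cisco Routers", "cardholder-core", secret_hash("Constructed!Strong#1")),
    Device("rtr-core-2", "Cisco Routers", "cardholder-core", secret_hash("changeme")),
    Device("rtr-guest-1", "Cisco Routers", "guest-wifi", secret_hash("changeme")),
]

if __name__ == "__main__":
    for device_class, tally in build_view(SAMPLE_DEVICES)["status"].items():
        print(device_class, tally)
```

The guest-network router keeps a placeholder default but is not counted against the requirement, which is exactly the scope reduction that proper segmentation buys; it would still show up in a separate out-of-scope hygiene report in a full solution.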
In order to keep up with the changing demands of the business, enterprise networks can absorb multiple changes per day. Engineers were once able to accomplish change management with a battery of scripts and FTP servers, but with today’s heterogeneous networks and heavier audit requirements, this method does not scale to meet current challenges. Full change and compliance control cannot be achieved without a high degree of automation, which is perhaps the largest benefit of a PCI compliance solution.