Requirement 1 Flashcards

1
Q

What is requirement 1 in PCI DSS 3.2.1?

A

Install and maintain a firewall configuration to protect cardholder data

2
Q

Which sub-requirement reads, “Establish and implement firewall and router configuration standards that include the following:”?

A

Requirement 1.1

3
Q

Which sub-requirement reads, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment”?

A

Requirement 1.2

4
Q

Which sub-requirement reads, “Prohibit direct public access between the Internet and any system component in the cardholder data environment.”?

A

Requirement 1.3

5
Q

Which sub-requirement reads, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
- Specific configuration settings are defined
- Personal firewall (or equivalent functionality) is actively running
- Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices”?

A

Requirement 1.4

6
Q

Which sub-requirement reads, “Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties”?

A

Requirement 1.5

7
Q

What is sub-requirement 1.1?

A

Establish and implement firewall and router configuration standards that include the following:

8
Q

What is sub-requirement 1.2?

A

Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

9
Q

What is sub-requirement 1.3?

A

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

10
Q

What is sub-requirement 1.4?

A

Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
- Specific configuration settings are defined
- Personal firewall (or equivalent functionality) is actively running
- Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices

11
Q

What is sub-requirement 1.5?

A

Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties

12
Q

Which sub-sub-requirement reads, “A formal process for approving and testing all network connections and changes to the firewall and router configurations”?

A

1.1.1

The three testing procedures are:
1.1.1.a - Examine documented procedures to verify there is a formal process for testing and approval of all network connections and changes to firewall and router configurations
1.1.1.b - For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested.
1.1.1.c - Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.

13
Q

Which sub-sub-requirement reads, “Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks”?

A

1.1.2

The two testing procedures are:
1.1.2.a - Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks.
1.1.2.b - Interview responsible personnel to verify that the diagram is kept current.

14
Q

Which sub-sub-requirement reads, “Current diagram that shows all cardholder data flows across systems and networks.”?

A

1.1.3

The testing procedure is:
1.1.3.a - Examine data-flow diagram and interview personnel to verify the diagram:
- shows all cardholder data flows across systems and networks
- is kept current and updated as needed upon changes to the environment

15
Q

Which sub-sub-requirement reads, “Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.”?

A

1.1.4

The three testing procedures are:
1.1.4.a - Examine the firewall configuration standards and verify that they include requirements for a firewall at each internet connection and between any DMZ and the internal network zone
1.1.4.b - Verify that the current network diagram is consistent with the firewall configuration standards.
1.1.4.c - Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams

16
Q

Which sub-sub-requirement reads, “Description of groups, roles, and responsibilities for management of network components.”?

A

1.1.5

The two testing procedures are:
1.1.5.a - Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.
1.1.5.b - Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented

17
Q

Which sub-sub-requirement reads, “Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.”?

A

1.1.6

The three testing procedures are:
1.1.6.a - Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each.
1.1.6.b - Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service
1.1.6.c - Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port

18
Q

Which sub-sub-requirement reads, “Requirements to review firewall and router rulesets at least every six (6) months.”?

A

1.1.7

The two testing procedures are:
1.1.7.a - Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months
1.1.7.b - Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months

19
Q

Which sub-sub-requirement reads, “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.”?

A

1.2.1

The three testing procedures are:
1.2.1.a - Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment
1.2.1.b - Examine the firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the CDE
1.2.1.c - Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or implicit deny after allow statement

20
Q

Which sub-sub-requirement reads, “Secure and synchronize router configuration files.”?

A

1.2.2

The two testing procedures are:
1.2.2.a - Examine router configuration files to verify they are secured from unauthorized access
1.2.2.b - Examine router configurations to verify they are synchronized – for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)

21
Q

Which sub-sub-requirement reads, “Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.”?

A

1.2.3

The two testing procedures are:
1.2.3.a - Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the CDE.
1.2.3.b - Verify that the firewalls deny or, if traffic is necessary for business purpose, permit only authorized traffic between the wireless environment and the CDE.

22
Q

Which sub-sub-requirement reads, “Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.”?

A

1.3.1

The testing procedure is:
1.3.1.a - Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports

23
Q

Which sub-sub-requirement reads, “Limit inbound internet traffic to IP addresses within the DMZ.”?

A

1.3.2

The testing procedure is:
1.3.2.a - Examine firewall and router configurations to verify that inbound internet traffic is limited to IP addresses within the DMZ

24
Q

Which sub-sub-requirement reads, “Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.”?

A

1.3.3

The testing procedure is:
1.3.3.a - Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the internet into the DMZ

25
Q

Which sub-sub-requirement reads, “Do not allow unauthorized outbound traffic from the cardholder data environment to the internet.”?

A

1.3.4

The testing procedure is:
1.3.4.a - Examine firewall and router configurations to verify that outbound traffic from the CDE to the internet is explicitly authorized

26
Q

Which sub-sub-requirement reads, “Permit only ‘established’ connections into the network.”?

A

1.3.5

The testing procedure is:
1.3.5.a - Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session.
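
Testing procedures 1.2.1.c (explicit deny all), 1.3.3 (anti-spoofing) and 1.3.5 (established connections only) can all be evidenced from one `iptables-save` dump, and an assessor or engineer will usually want to script the check rather than eyeball a long ruleset. The following Python script is an added example, not part of the PCI DSS standard or its testing procedures. The ruleset it parses is constructed; the assumption that eth0 faces the Internet, eth1 faces the DMZ and 203.0.113.10 is a DMZ web server is made up for the example, and the rule that a NEW-state ACCEPT must name a destination host and port is this check's own reading of 1.3.5, not the standard's wording.

```python
"""Audit a saved iptables ruleset against PCI DSS 3.2.1 testing procedures
1.2.1.c (deny all), 1.3.3 (anti-spoofing) and 1.3.5 (established only).

Added example: parses `iptables-save` text and reports rules that would fail.
The ruleset and interface names below are constructed for illustration.
"""
import ipaddress

# Constructed sample of iptables-save output for a small edge firewall.
# Assumption: eth0 faces the Internet, eth1 faces the DMZ, 203.0.113.10 is a DMZ web server.
# Deliberately imperfect: OUTPUT has no default deny and FORWARD lacks anti-spoofing rules.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 203.0.113.10/32 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INBOUND_CHAINS = ("INPUT", "FORWARD")


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) for the *filter table of iptables-save output."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = line.split()
            rule = {"chain": tokens[1], "tokens": tokens}
            for flag, key in (("-i", "in_if"), ("-s", "src"), ("-j", "target"), ("--ctstate", "ctstate")):
                if flag in tokens:
                    rule[key] = tokens[tokens.index(flag) + 1]
            rules.append(rule)
    return policies, rules


def check_default_deny(policies, rules):
    """1.2.1.c: each chain ends in an explicit deny, either as its policy or as a bare final DROP/REJECT."""
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) == "DROP":
            continue
        chain_rules = [r for r in rules if r["chain"] == chain]
        if chain_rules and chain_rules[-1]["tokens"][2:] in (["-j", "DROP"], ["-j", "REJECT"]):
            continue
        findings.append(f"{chain}: policy {policies.get(chain, 'missing')} and no trailing deny-all rule")
    return findings


def check_stateful(rules):
    """1.3.5: an inbound ACCEPT must be tied to connection state. A rule with no --ctstate
    admits unsolicited packets; a NEW-state rule must name a destination host and port."""
    findings = []
    for r in rules:
        if r["chain"] not in INBOUND_CHAINS or r.get("target") != "ACCEPT":
            continue
        state = r.get("ctstate")
        if state is None:
            findings.append(f"{r['chain']}: stateless ACCEPT: {' '.join(r['tokens'])}")
        elif "NEW" in state.split(",") and not ({"-d", "--dport"} <= set(r["tokens"])):
            findings.append(f"{r['chain']}: unscoped NEW ACCEPT: {' '.join(r['tokens'])}")
    return findings


def check_antispoof(rules, internet_if="eth0"):
    """1.3.3: every RFC 1918 block arriving on the Internet-facing interface must be dropped,
    and the drop must precede any rule that could accept a new packet on that chain."""
    findings = []
    for chain in INBOUND_CHAINS:
        chain_rules = [r for r in rules if r["chain"] == chain]
        cutoff = len(chain_rules)  # index of the first rule that could admit a NEW packet
        for i, r in enumerate(chain_rules):
            if r.get("target") == "ACCEPT" and "NEW" in r.get("ctstate", "NEW").split(","):
                cutoff = i
                break
        covered = set()
        for r in chain_rules[:cutoff]:
            if r.get("in_if") == internet_if and r.get("target") in ("DROP", "REJECT") and "src" in r:
                net = ipaddress.ip_network(r["src"], strict=False)
                covered.update(b for b in RFC1918 if b.subnet_of(net))
        for block in RFC1918:
            if block not in covered:
                findings.append(f"{chain}: no early drop of spoofed source {block} on {internet_if}")
    return findings


def audit(text, internet_if="eth0"):
    """Run all three checks; an empty list means the ruleset passed."""
    policies, rules = parse_ruleset(text)
    return (check_default_deny(policies, rules)
            + check_stateful(rules)
            + check_antispoof(rules, internet_if))


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print("FAIL", finding)
```

Run against the constructed sample, the script flags the ACCEPT policy on OUTPUT (1.2.1.c also covers outbound traffic) and the absence of RFC 1918 drops on the FORWARD chain ahead of the rule that admits new HTTPS connections to the DMZ host; INPUT passes because its spoof drops sit before any rule that could accept a new packet. Treat the output as evidence to attach to the 1.2.1.c, 1.3.3 and 1.3.5 findings, not as a substitute for reviewing the configuration standards that 1.2.1.a asks for.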

27
Q

Which sub-sub-requirement reads, “Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.”?

A

1.3.6

The testing procedure is:
1.3.6.a - Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.

28
Q

Which sub-sub-requirement reads, “Do not disclose private IP addresses and routing information to unauthorized parties.”?

A

1.3.7

The two testing procedures are:
1.3.7.a - Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from the internal networks to the internet.