WEBVTT

00:00:00.000 --> 00:00:01.200
In this module,

00:00:01.200 --> 00:00:07.999
we're going to look at the final two sub-requirements of PCI DSS requirement 1.

00:00:08.000 --> 00:00:12.000
I know it's a bit strange splitting a requirement into two modules,

00:00:12.000 --> 00:00:15.000
but requirement 1.4, which looked at personal firewalls,

00:00:15.000 --> 00:00:17.666
really isn't related to requirements 1.1,

00:00:17.666 --> 00:00:23.000
1.2, and 1.3, which are concerned with network firewalls and routers.

00:00:23.000 --> 00:00:24.999
So anyway, here is that rogue requirement,

00:00:25.000 --> 00:00:29.750
requirement 1.4, which wants a personal firewall installed on a

00:00:29.750 --> 00:00:33.777
particular class of portable devices that may bring malware into

00:00:33.777 --> 00:00:36.000
the cardholder data environment.

00:00:36.000 --> 00:00:39.000
So this requirement is just concerned with portable devices,

00:00:39.000 --> 00:00:42.363
portable devices that might connect to the cardholder data environment,

00:00:42.363 --> 00:00:46.666
but which also can leave the safety of the CDE and then

00:00:46.666 --> 00:00:49.000
randomly connect to places on the internet,

00:00:49.000 --> 00:00:52.999
like at home, or a coffee shop, or an airport.

00:00:53.000 --> 00:00:56.500
The requirement is for these devices to have personal firewalls

00:00:56.500 --> 00:00:59.999
installed on them and that the personal firewall is working.

00:01:00.000 --> 00:01:02.750
You might call these also host-based firewalls or

00:01:02.750 --> 00:01:05.000
operating system-based firewalls.

00:01:05.000 --> 00:01:08.375
The aim is to prevent these mobile devices being infected with

00:01:08.375 --> 00:01:12.333
malware when they're away from the protection of the office and

00:01:12.333 --> 00:01:14.999
then bring that malware back into the CDE.

00:01:15.000 --> 00:01:18.500
I call it a rogue requirement because frankly it would

00:01:18.500 --> 00:01:20.000
really sit better in requirement 2,

00:01:20.000 --> 00:01:23.666
which is about the configuration of systems rather than this requirement 1,

00:01:23.666 --> 00:01:28.000
which is about firewalls, routers, and networking things.

00:01:28.000 --> 00:01:32.000
The testing requirements of requirement 1.4 are quite extensive.

00:01:32.000 --> 00:01:34.333
And if you're the sort of organization that thinks it's

00:01:34.333 --> 00:01:38.090
actually a good idea to have portable devices wandering out of the

00:01:38.090 --> 00:01:40.999
CDE and then coming back into the CDE,

00:01:41.000 --> 00:01:43.500
I recommend you have a really good look at the testing

00:01:43.500 --> 00:01:46.000
requirements because it seems to me that actually this should've

00:01:46.000 --> 00:01:48.000
been put in a separate sub-requirement to 1.4.

00:01:48.000 --> 00:01:50.999
Because the QSA is going to look at three things.

00:01:51.000 --> 00:01:53.000
They're going to look at the policy,

00:01:53.000 --> 00:01:55.333
they're going to look at a sample of devices to make sure the

00:01:55.333 --> 00:01:57.999
firewall is configured in accordance with the policy,

00:01:58.000 --> 00:02:03.000
that the firewall is running, and it can't be disabled by use of the device.

00:02:03.000 --> 00:02:06.999
If I was the QSA making an assessment of this requirement,

00:02:07.000 --> 00:02:07.333
honestly,

00:02:07.333 --> 00:02:12.125
I'd also interview the users of these portable devices to make sure that

00:02:12.125 --> 00:02:14.777
they didn't try and turn them off and they were aware of what they were

00:02:14.777 --> 00:02:22.000
doing and that they knew what was happening.
