PCI DSS Requirement 1.2.2: Secure and Synchronize Router Configuration Files

by KirkpatrickPrice / April 18th, 2017

What is PCI Requirement 1.2.2?

PCI DSS Requirement 1.2.2 states, “Secure and synchronize router configuration files.” This requirement focuses on enforcing the security and controls surrounding your organization’s firewall and router configurations. Before your PCI DSS assessment, your organization needs to determine, “Are our router and configuration files secured from unauthorized access?”

Those configuration files contain a significant amount of sensitive information: authentication information, certificates, keys, etc. If this information fell into the wrong hands, it could lead to a detrimental compromise. That is why Requirement 1.2.2 is so important. Your assessor needs to ensure that wherever your firewall and router configurations are located – offsite or in backups – these files are maintained securely. Your assessor must also ensure that the configurations within the devices themselves are maintained securely. Ask your organization the following questions:

  • Do you back up your firewall and router configurations?
  • Where are they kept?
  • How are they kept?
  • Who has access to them?
  • What are the controls around them?

For Requirement 1.2.2, assessors will also expect you to have reviewed your organization’s configuration standards and examined the files and configurations prior to your PCI DSS assessment.

PCI DSS Requirement 1.2.2

When we look at the actual firewall and router configs, there’s an incredible amount of information in those that lend to being hacked if they fell into the wrong hands. There’s authentication information, there’s certificates, there’s keys, there’s all sorts of good, sensitive information in there that could lend itself into a compromise if it fell into the wrong hands.

We need to make sure that where you have your firewall and router configurations – if you’re storing them offsite, if you’re backing them up – that these particular files are going to be maintained securely. We also want to make sure that the configs within the devices themselves are maintained securely.

So as assessors, we’re going to ask you: Do you back up your firewall and router configs? If you do, where are they kept? How are they kept? Who has access to them? What are the controls around them? We’re also going to have those same types of conversations about the physical devices and the ability to console into those and gain access to that configuration information.