PCI Policies and Procedures
Firewall and Router Security Administration Policy
1.1 Policy Applicability
All Glow Guard Protection LLC owned and operated routers and firewalls are in-scope for this policy. Exemptions may only be authorized with written approval from Glow Guard Protection LLC management or approved Security Officer.
1.1.1 Firewall Configuration Changes
Firewalls are categorized as production systems as they support Glow Guard Protection LLC information systems.
Any and all changes to the firewall must be approved in advance by the Information Security Department. The changes must be thoroughly tested (following production standards) as outlined in the Change Control Policy. Examples of changes include:
- Upgrades or patches to the firewall system.
- Modifications to any firewall software or system.
- Additions, deletions, or modifications to the firewall rules.
1.1.2 – 1.1.6 Device Management Responsibilities
The team responsible for managing Glow Guard Protection LLC firewalls and routers will be comprised of the Information Security Department.
Information Security Department Roles and Responsibilities:
- Ensures that any changes to the firewall hardware, software, or security rules are authorized by the Information Security Department and follow appropriate change control policies.
- Ensures that all router configuration files are synchronized and secure.
- Uses Permitted Network Services and Protocols to document any firewall security rule changes.
- Mitigates security events by coordinating a sufficient response plan with the Information Security Department.
- Reviews and updates network diagrams after any changes are made. The diagrams must accurately describe firewalls, access control systems, anti-virus software, IDS/IPS, and any other connection to confidential or sensitive information.
- Reports any discovered vulnerabilities or security events to the Information Security Department.
- On a daily basis, monitors all logs that capture and report security events.
- Provides the Networks Operation Center read-only access to logs related to security events and the performance of critical systems.
- Keeps track/monitor system alerts related to critical systems. These alerts might include system reboots, firewall daemon failing etc.
- In the event of a security system failure, alerts the appropriate department.
- Assures Glow Guard Protection LLC management that the security rules applying to firewalls are sufficient to protect assets from unauthorized access.
- Assures Glow Guard Protection LLC management that the security rules applying to firewalls are sufficient to prevent internal security threats from exiting the network.
- Mitigates security risks by developing an appropriate response plan with the System Administrator.
- At least every six months, the Information Security Department must perform a thorough review of each firewall rule set. The results must be recorded, and must include the removal of any unnecessary access paths. As a result, any proposed changes must go through the change control process before they are implemented.
- Identifies internal or external threats by actively monitoring firewall security events.
- Performs a thorough review of any proposed firewall and router security rule change. Ensure they meet policy compliance before sending the proposal through the change management process.
- Ensures the proper documentation of all services allowed through the firewall.
- For risky protocols, performs or approve a risk assessment and ensure the protocol has a specific business need