
PCI DSS Provisioning and Hardening Checklists & Forms

Table of Contents

1. Firewall Provisioning and Hardening Checklists (Overview) ... 3
2. Cisco PIX Firewall Provisioning and Hardening Checklist ... 4
3. Cisco PIX Firewall Business Needs Checklist ... 8
4. Cisco PIX Firewall Review and Audit Checklist ... 9
5. Cisco ASA Firewall Provisioning and Hardening Checklist ... 10
6. Cisco ASA Firewall Business Needs Checklist ... 15
7. Cisco ASA Firewall Review and Audit Checklist ... 16
8. Juniper Networks NetScreen & SSG Firewall Provisioning and Hardening Checklist ... 17
9. Juniper Networks NetScreen & SSG Firewall Business Needs Checklist ... 22
10. Juniper Networks NetScreen & SSG Firewall Review and Audit Checklist ... 23
11. Linux Iptables Firewall Provisioning and Hardening Checklist ... 24
12. Linux Iptables Firewall Business Needs Checklist ... 29
13. Linux Iptables Firewall Review and Audit Checklist ... 30
14. SonicWALL Firewall Provisioning and Hardening Checklist ... 31
15. SonicWALL Firewall Business Needs Checklist ... 36
16. SonicWALL Firewall Review and Audit Checklist ... 37
17. Fortinet FortiGate Firewall Provisioning and Hardening Checklist ... 38
18. Fortinet FortiGate Firewall Business Needs Checklist ... 44
19. Fortinet FortiGate Firewall Review and Audit Checklist ... 45
20. Palo Alto Firewall Provisioning and Hardening Checklist ... 46
21. Palo Alto Firewall Business Needs Checklist ... 53
22. Palo Alto Firewall Review and Audit Checklist ... 54
23. Checkpoint Firewall Provisioning and Hardening Checklist ... 55
24. Checkpoint Firewall Business Needs Checklist ... 62
25. Checkpoint Firewall Review and Audit Checklist ... 63
26. Barracuda Web Filter Firewall Provisioning and Hardening Checklist ... 64
27. Barracuda Web Filter Firewall Business Needs Checklist ... 71
28. Barracuda Web Filter Firewall Review and Audit Checklist ... 72
29. Microsoft Windows Server Provisioning and Hardening Checklists (Overview) ... 73
30. Windows Server 2003 (WIN2K3) Provisioning and Hardening Checklist ... 74
31. Windows Server 2008 (WIN2K8) Provisioning and Hardening Checklist ... 83
32. Windows Server 2008 R2 (WIN2K8 R2) Provisioning and Hardening Checklist ... 95
33. UNIX Server Provisioning and Hardening Checklists (Overview) ... 108
34. Solaris Provisioning and Hardening Checklist ... 109
35. HP-UX 11i Provisioning and Hardening Checklist ... 116
36. Linux Distributions Provisioning and Hardening Checklist ... 124
37. Red Hat Enterprise Linux (RHEL) 5 Provisioning and Hardening Checklist ... 134
38. Red Hat Enterprise Linux (RHEL) 6 Provisioning and Hardening Checklist ... 139
39. Web Server Provisioning and Hardening Checklists (Overview) ... 148
40. Apache (Version 2.2) Linux Web Server Provisioning and Hardening Checklist ... 149
41. Apache (Version 2.2) Windows Web Server Provisioning and Hardening Checklist ... 154
42. Microsoft Internet Information Services (IIS) Web Server Provisioning and Hardening Checklist ... 160
43. Apache Tomcat Web Server Provisioning and Hardening Checklist ... 166
44. Database Provisioning and Hardening Checklists (Overview) ... 171
45. Oracle 11 Database Provisioning and Hardening Checklist ... 172
46. MySQL 5 Database Provisioning and Hardening Checklist ... 178
47. Microsoft (MS) SQL Server 2005 Provisioning and Hardening Checklist ... 183
48. Microsoft (MS) SQL Server 2008 Provisioning and Hardening Checklist ... 189
49. Microsoft (MS) SQL Server 2008 R2 Provisioning and Hardening Checklist ... 196
50. Microsoft (MS) SQL Server 2012 Provisioning and Hardening Checklist ... 203

License Agreement

The document you have purchased contains an electronic watermark, which is a unique identifier applied to every document originating from www.pcipolicyportal.com. The use of this document is limited exclusively to a one-time usage license for any individual or organization seeking to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. Any redistribution of this document to another individual or organization is strictly prohibited and is punishable by law. Common examples of the redistribution of this document include but are not limited to the following:

• the sharing of this document to assist other individuals or organizations in PCI DSS compliance or for any other reason
• the knowing dissemination of this document to another individual or organization without the said individual or organization having purchased the one-time usage license from www.pcipolicyportal.com

Any attempt to reproduce, publish, license, create derivative works from, transfer, post on any network, broadcast in any media or sell any information, software, products or services obtained from this document, unless explicitly permitted by www.pcipolicyportal.com, is prohibited and is subject to severe legal ramifications.

About this Document

Congratulations, you have just purchased the most in-depth and comprehensive set of information security provisioning and hardening documents found anywhere today. Additionally, these helpful forms and checklists can be utilized for any compliance mandate, or as best practice, for ensuring all critical systems are adequately provisioned, hardened, secured, and locked down as needed.

Firewall Provisioning and Hardening Checklists (Overview)

The below referenced documents are an excellent resource for properly provisioning, hardening, securing, and locking down all system components in accordance with the mandated PCI DSS requirements.

PCI DSS Requirement 12.1 Information Security Policy Table of Contents

Overview
Purpose
Scope
Policy
Roles and Responsibilities
  o Chief Technology Officer / Chief Information Officer
  o Director of Information Technology / Senior Information Security Officer
  o Network Engineer / Systems Administrator
  o Software Developers / Coders
  o Change Management / Change Control Personnel
  o End Users
  o Vendors, Contractors, Other Third-Party Entities
Information Security Solutions
Defense-in-Depth
Layered Security
Cyber Security
Cloud Computing
Email Guidelines, Responsibilities and Acceptable Use
The CAN-SPAM Act
Internet Guidelines, Responsibilities and Acceptable Use
Network Guidelines, Responsibilities and Acceptable Use
Social Media Guidelines, Responsibilities and Acceptable Use
Identity Theft
Securing Your Home Network
Online Security and Mobile Computing
Online Shopping
Other Important Security Considerations
Helpful Security Resources
Security Updates
Workstation Security
Laptop Security
Software Licensing and Usage
Internal Threats
Clean Desk Policy
Data Security Breaches
Data and Information Classification
Security Categorization
Asset Inventory
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Personally Identifiable Financial Information (PIFI)
Physical Security and Environmental
Personnel
Security Awareness Training
Provisioning and Hardening
Reference Material
Time Synchronization
Access Rights
Methods of Authentication
Password Parameters
De-Provisioning / Off-boarding Process
Remote Access
Wireless Security
Malware
Change Control / Change Management
Software Development Life Cycle (SDLC)
Patch Management
Vulnerability Management
Configuration Management
Vendor Management
Backup and Storage
Encryption
Event Monitoring
Configuration and Change Monitoring
Performance and Utilization Monitoring
Logging and Reporting
Data Retention and Disposal
Incident Response
Performance and Security Testing
Disaster Recovery
Authorization Form for User Access: New Employees
Authorization Form for User Access: Vendors
Authorization Form for User Access: Guests
User De-provisioning / Off-boarding Form: All Users (Employee, Guest, Vendor, Other)
Employee Separation Form
Change Management Request Form (CMRF)
Change Management Logging System (CMLS)
Remote Access Request Form
Incident Response Plan Form
Security Awareness Training Instructional Guide
Wireless Security

PCI DSS Requirement 12.1 Information Security Policy and Procedures

1.0 Overview

In accordance with mandated organizational security requirements set forth and approved by management, [company name] has established a formal set of information security policies and supporting procedures.

This comprehensive policy document is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis to ensure its adequacy and relevance to [company name]'s needs and goals.

2.0 Purpose

This policy and its supporting procedures are designed to provide [company name] with a documented and formalized information security policy in accordance with Requirement 12.1 of the PCI DSS. Additionally, this policy also serves as the organization's primary, enterprise-wide information security manual. Compliance with the stated policy and supporting procedures helps ensure the safety and security of all [company name] system components within the cardholder data environment and any other environments deemed applicable.

3.0 Scope

This policy and its supporting procedures encompass all system components within the cardholder data environment that are owned, operated, maintained, and controlled by [company name], all other system components, both internal and external, that interact with these systems, and all other relevant systems.

• Internal system components are those owned, operated, maintained, and controlled by [company name] and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them) and any other system components deemed in scope.
• External system components are those owned, operated, maintained, and controlled by any entity other than [company name], but which may nonetheless affect the confidentiality, integrity, and availability (CIA) and overall security of the cardholder data environment and any other environments deemed applicable.

Please note that when referencing the term "system component(s)" or "system resource(s)", this policy means the following: any network component, server, or application included in or connected to the cardholder data environment (Source: pcisecuritystandards.org glossary), or any other relevant environment deemed in scope for purposes of information security.

4.0 Policy

[Company name] is to ensure that the information security policy adheres to the following conditions for purposes of complying with the mandated organizational security requirements set forth and approved by management:

Roles and Responsibilities

The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within [company name] regarding information security practices:

• Chief Technology Officer (CTO) / Chief Information Officer (CIO): Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The CTO / CIO is to report to other members of senior management on a regular basis regarding all aspects of the organization's information systems posture.

• Director of Information Technology / Senior Information Security Officer: Responsibilities also include providing overall direction, guidance, leadership and support for the entire information systems environment and assisting other applicable personnel in their day-to-day operations, along with researching and developing information security standards for the organization as a whole. This will require extensive identification of industry benchmarks, standards, and frameworks that can be effectively utilized by the organization for provisioning, hardening, securing, and locking down critical system components. Subsequent to researching such standards, the senior security officer is then to oversee the establishment of a series of baseline configuration standards covering, but not limited to, the following system components: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms. Because baseline configurations can and will change, this authorized individual is also to update the applicable configurations, documenting all modifications and enhancements as required. Additional duties of the Director of Information Technology / Senior Information Security Officer include the following:
  o Responsibility for all major facets of information technology throughout the organization, such as management and recommendations as necessary.
  o Providing leadership, direction and guidance for current and existing projects.
  o Overseeing the development of all applicable operational, business-specific, and information security policies, procedures, forms, checklists, templates, provisioning and hardening documents and other necessary material.
  o Overseeing the initiative for developing internal Requests for Proposals (RFPs), along with answering RFPs for services from the organization.
  o Assistance in developing the annual information technology budget.
  o Displaying integrity, honesty, and independence at all times.
  o Supporting the Director of Information Technology / Senior Information Security Officer and other members of senior management as necessary.

• Network Engineer / Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. This requires obtaining a current and accurate asset inventory of all such systems, assessing their initial posture against the stated baseline, and then undertaking the necessary configuration changes. Because of the complexity and depth often involved in such activities, numerous personnel designated as Network Engineers / Systems Administrators are often involved. Furthermore, these individuals are also responsible for monitoring compliance with the stated baseline configuration standards, reporting to senior management all instances of non-compliance