Requirement 2.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 2. While it is important to define the specific policies or procedures called out in Requirement 2, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Configuration standards provide the foundation for securely configuring system components. Without defined standards, systems may be deployed with insecure default settings or inconsistent configurations that create vulnerabilities.
Configuration standards should be developed for all types of system components in the environment, including servers, network devices, applications, and databases. Standards should be based on industry-accepted hardening guidelines and should be updated as new vulnerabilities and best practices emerge.
Sources of industry-accepted hardening guidelines include CIS Benchmarks, NIST guidelines, vendor security recommendations, and SANS hardening guides.
Vendor default accounts and passwords are well known and are frequently targeted by attackers. If these defaults are not changed or disabled, systems can be easily compromised.
All vendor-supplied default passwords should be changed before a system is deployed in the environment. Default accounts that are not needed should be removed or disabled. If a default account must be retained, the password should be changed to a strong, unique value.
Systems that perform multiple functions (such as a server acting as both a web server and a database server) increase complexity and risk. If one function is compromised, the attacker may gain access to the other functions and the data they handle.
Each server should perform only one primary function. When virtualization is used, each virtual system component should also have only one primary function. Critical system components should not share resources with less secure systems.
Only necessary services, protocols, daemons, and functions should be enabled on system components. Unnecessary services increase the attack surface and provide more potential targets for attackers.
Systems should be hardened by removing or disabling all unnecessary services, protocols, and functionality. Each enabled service should have a documented business justification and should be configured with appropriate security features.
Insecure services, protocols, or daemons can introduce vulnerabilities. If they must be used, additional security features should be implemented to reduce the risk.
Where insecure services cannot be replaced, document the business justification and implement additional security controls such as encryption or enhanced authentication to mitigate the associated risks.
Examples include replacing Telnet with SSH and FTP with SFTP (or FTPS), or, where the insecure protocol cannot be replaced, carrying it inside an encrypted tunnel such as SSH port forwarding or a VPN so that credentials and data never cross the network in cleartext.
Misconfigured system security parameters can create vulnerabilities that attackers can exploit. Properly configuring security parameters helps ensure systems are protected against known attack vectors.
Security parameters should be configured according to industry best practices and organizational security policies. Parameters should be reviewed regularly to ensure they remain appropriate as threats evolve.
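The following is an added example, not part of the original guidance, showing how the "configure and regularly review" point above can be turned into a repeatable check: kernel security parameters read from `sysctl -a` are compared against a documented baseline, and a `sysctl.d` drop-in is rendered for the deviations. The baseline values are a small assumed subset of what hardening benchmarks typically require, and the sample `sysctl -a` output is constructed.

```python
"""Check kernel security parameters against a documented baseline.

Added example, not from the original guidance. BASELINE is an assumed
subset of settings commonly required by hardening benchmarks; SAMPLE_SYSCTL
is a constructed excerpt of `sysctl -a` output from a host that has drifted.
"""

# Assumed baseline: parameter -> required value, as `sysctl -a` prints it.
BASELINE = {
    "kernel.randomize_va_space": "2",          # full ASLR
    "net.ipv4.ip_forward": "0",                # host is not a router
    "net.ipv4.conf.all.accept_redirects": "0", # ignore ICMP redirects
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.log_martians": "1",     # log impossible source addresses
    "net.ipv4.tcp_syncookies": "1",
    "fs.protected_symlinks": "1",
}

# Constructed `sysctl -a` excerpt: two redirect settings and ip_forward are
# wrong, and log_martians is absent entirely.
SAMPLE_SYSCTL = """\
fs.protected_symlinks = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
"""


def parse_sysctl(text: str) -> dict:
    """Parse `key = value` lines as printed by `sysctl -a`."""
    params = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def find_deviations(actual: dict, baseline: dict) -> list:
    """Return (parameter, expected, actual) for every baseline parameter that
    is missing or differs. A missing parameter is reported with actual=None so
    a reviewer can tell configuration drift from a feature the kernel lacks."""
    deviations = []
    for key, expected in sorted(baseline.items()):
        current = actual.get(key)
        if current != expected:
            deviations.append((key, expected, current))
    return deviations


def remediation(deviations: list) -> str:
    """Render a sysctl.d drop-in that restores the baseline for parameters the
    host exposes; parameters that were absent are left as comments because
    setting an unknown key makes `sysctl --system` report an error."""
    lines = ["# generated from baseline; review before installing in /etc/sysctl.d/"]
    for key, expected, current in deviations:
        if current is None:
            lines.append(f"# {key} not present on host; investigate before setting")
        else:
            lines.append(f"{key} = {expected}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    drift = find_deviations(parse_sysctl(SAMPLE_SYSCTL), BASELINE)
    for key, expected, current in drift:
        print(f"{key}: expected {expected}, found {current}")
    print(remediation(drift))
```

Running the same comparison on a schedule, and on every change to the baseline, is what turns the "reviewed regularly" requirement into evidence: the deviation list is the review record, and the rendered drop-in is the remediation.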
Non-console administrative access transmits sensitive administrative credentials over the network. If this traffic is not encrypted, an attacker could intercept the credentials and use them to gain administrative access to the system.
All non-console administrative access should use strong cryptography to encrypt communications. Technologies such as SSH, TLS, or VPN should be used instead of unencrypted protocols like Telnet or HTTP for administrative access.
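The following is an added example, not part of the original guidance, covering both the "only necessary services" point and the non-console administrative access point above. It parses the output of `ss -tlnp`, reports every listening service that has no documented business justification, and separately flags cleartext protocols (Telnet, FTP, HTTP, the r-services) together with the strong-crypto replacement to use. The allowlist, the port-to-protocol table, and the sample `ss` output are assumptions constructed for illustration.

```python
"""Audit listening services against a documented allowlist.

Added example, not part of the original guidance. ALLOWLIST stands in for
the per-service justification recorded in the configuration standard, and
SAMPLE_SS is constructed `ss -tlnp` output from a host that still runs
telnet via inetd and vsftpd, plus an undocumented listener on 8080.
"""
import re
from dataclasses import dataclass

# Assumed inventory of justified listeners: port -> business justification.
ALLOWLIST = {
    22: "sshd: non-console administrative access over SSH",
    443: "nginx: customer-facing HTTPS",
}

# Cleartext protocols by conventional port, with the replacement to use.
INSECURE = {
    21: ("FTP", "SFTP over SSH, or FTPS"),
    23: ("Telnet", "SSH"),
    80: ("HTTP", "HTTPS (TLS) for any administrative interface"),
    512: ("rexec", "SSH"),
    513: ("rlogin", "SSH"),
    514: ("rsh", "SSH"),
}

# Constructed `ss -tlnp` output (columns: State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1024,fd=6))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=600,fd=5))
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=700,fd=3))
LISTEN  0       128     127.0.0.1:8080      127.0.0.1:*        users:(("java",pid=900,fd=12))
"""

# Extracts the process name from ss's users:(("name",pid=...,fd=...)) column.
PROC_RE = re.compile(r'\("([^"]+)"')


@dataclass(frozen=True)
class Finding:
    port: int
    process: str
    issue: str


def parse_ss(text: str) -> set:
    """Return the set of (port, process) pairs in LISTEN state. IPv4 and IPv6
    sockets of the same daemon collapse to one entry."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        port = int(parts[3].rsplit(":", 1)[1])  # handles 0.0.0.0:22 and [::]:22
        m = PROC_RE.search(line)
        listeners.add((port, m.group(1) if m else "unknown"))
    return listeners


def audit(text: str) -> list:
    """One finding per listener, sorted by port. A cleartext protocol is
    reported first, because even a justified FTP or Telnet service has to be
    replaced or tunnelled; everything else is checked against the allowlist."""
    findings = []
    for port, proc in sorted(parse_ss(text)):
        if port in INSECURE:
            name, replacement = INSECURE[port]
            findings.append(Finding(port, proc, f"cleartext {name}; replace with {replacement}"))
        elif port not in ALLOWLIST:
            findings.append(Finding(port, proc, "no documented business justification"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"tcp/{f.port} ({f.process}): {f.issue}")
```

Two things the output makes visible that a prose standard does not: the loopback-only listener on 8080 still shows up, because binding to 127.0.0.1 is not a justification, and the Telnet listener is attributed to inetd rather than to a `telnetd` process, which is where it has to be disabled.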
Wireless vendor defaults are well known and frequently used by attackers to compromise wireless networks. Changing or confirming the security of all wireless vendor defaults at installation helps prevent unauthorized access to wireless networks that connect to the CDE or transmit account data.
All default wireless settings should be changed at installation, including default SSIDs, default administrative passwords, default encryption keys, default SNMP community strings, and any other default security settings. Wireless networks should use strong encryption (WPA2 with AES/CCMP, or WPA3) and strong authentication mechanisms; WEP, WPA (TKIP), and open networks must not be used for networks that connect to the CDE or transmit account data.
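The following is an added example, not part of the original guidance, that applies the vendor-default points made for system components in general and for wireless in particular: it reads a hostapd configuration and a Net-SNMP `snmpd.conf` and flags default SSIDs, weak WPA modes and ciphers, well-known passphrases, and the `public`/`private` community strings. The file syntax is the real hostapd `key=value` and snmpd directive format; the sample files, the list of default SSID prefixes, and the list of factory secrets are constructed assumptions.

```python
"""Check wireless and SNMP configuration files for vendor defaults.

Added example, not from the original guidance. The hostapd and snmpd syntax
is real; SAMPLE_HOSTAPD, SAMPLE_SNMPD, DEFAULT_SSID_PREFIXES and
DEFAULT_SECRETS are constructed for illustration.
"""
import re

# Constructed hostapd config with several defaults and a mixed WPA/WPA2 mode.
SAMPLE_HOSTAPD = """\
interface=wlan0
ssid=TP-LINK_2.4GHz
# wpa: 0 = open, 1 = WPA only, 2 = WPA2/RSN only, 3 = WPA + WPA2 mixed
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=12345678
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
"""

# Constructed snmpd.conf still carrying the usual factory community strings.
SAMPLE_SNMPD = """\
rocommunity public
rwcommunity private
syslocation Store 17 back office
"""

# Assumed lists: SSID prefixes that identify an unchanged vendor default, and
# factory secrets that must never survive installation.
DEFAULT_SSID_PREFIXES = ("TP-LINK", "NETGEAR", "linksys", "dlink", "default")
DEFAULT_SECRETS = {"admin", "password", "12345678", "public", "private"}


def parse_hostapd(text: str) -> dict:
    """Parse hostapd's key=value format, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_hostapd(cfg: dict) -> list:
    """Return findings for vendor defaults and weak wireless settings."""
    findings = []
    ssid = cfg.get("ssid", "")
    if ssid.upper().startswith(tuple(p.upper() for p in DEFAULT_SSID_PREFIXES)):
        findings.append(f"ssid: '{ssid}' looks like a vendor default")
    wpa = cfg.get("wpa", "0")
    if wpa != "2":
        findings.append(f"wpa={wpa}: only WPA2/WPA3 (wpa=2) is acceptable; open and WPA1 must be off")
    mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if not mgmt & {"WPA-PSK", "WPA-EAP", "SAE"}:
        findings.append("wpa_key_mgmt: no strong key management (WPA-PSK, WPA-EAP or SAE)")
    # hostapd falls back to wpa_pairwise when rsn_pairwise is not set.
    pairwise = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
    if "TKIP" in pairwise:
        findings.append("pairwise cipher allows TKIP; use CCMP only")
    if cfg.get("wpa_passphrase", "").lower() in DEFAULT_SECRETS:
        findings.append("wpa_passphrase is a well-known default value")
    return findings


def check_snmpd(text: str) -> list:
    """Flag default community strings in rocommunity/rwcommunity directives."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*(ro|rw)community6?\s+(\S+)", line)
        if m and m.group(2).lower() in DEFAULT_SECRETS:
            findings.append(f"{m.group(1)}community uses default string '{m.group(2)}'")
    return findings


if __name__ == "__main__":
    for f in check_hostapd(parse_hostapd(SAMPLE_HOSTAPD)) + check_snmpd(SAMPLE_SNMPD):
        print("FAIL:", f)
```

The `wpa=3` case is the one most often missed in reviews: the access point advertises WPA2, but a client may still negotiate WPA1 with TKIP, so both the mode and the pairwise cipher have to be checked, not just the presence of a WPA2 setting.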
If wireless encryption keys are known to personnel who have left the organization or who no longer need access, the wireless network remains vulnerable. Changing encryption keys when there is a personnel change or when keys are suspected of being compromised helps maintain the security of the wireless network.
Encryption keys should be changed whenever personnel with knowledge of the keys leave the organization or change roles. Keys should also be changed whenever compromise is suspected. Key management procedures should be documented and followed consistently.