PCI DSS 1.1.2: Assign Network Security Roles & Responsibilities
Network security doesn't work without clear ownership. PCI DSS 1.1.2 requires your organization to document, assign, and communicate who is responsible for implementing and maintaining network security controls. This foundational control prevents security gaps that attackers exploit.
What this means
Control 1.1.2 mandates that your organization creates documented role descriptions and responsibility assignments for all activities related to PCI DSS Requirement 1 (firewall configuration and network segmentation). Every team member involved in network security must understand their specific duties, accountabilities, and decision-making authority. This clarity ensures no critical security task falls through the cracks and enables management oversight.
How to comply
- 1.Document all roles and responsibilities related to network security and firewall management in your organization
- 2.Create detailed job descriptions or responsibility matrices that clearly define each role's scope and authority
- 3.Assign specific individuals or teams to each documented role with written acknowledgment
- 4.Ensure all assigned personnel understand their responsibilities through training or signed acknowledgment
- 5.Review and update role assignments annually or when organizational changes occur
- 6.Maintain evidence that assignments are understood (sign-offs, training records, or confirmation emails)
Evidence auditors look for
- Documented role and responsibility matrix for network security personnel
- Job descriptions specifying firewall configuration and maintenance duties
- Written role assignments with employee signatures or email confirmations
- Training records showing personnel understand their assigned responsibilities
- Organizational charts clearly showing network security reporting lines
- Annual reviews documenting role updates and reassignments
- Access control records showing role-based system permissions align with documented responsibilities
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates role documentation and maintains a central responsibility matrix, sending automatic reminders when assignments need review—eliminating manual spreadsheets and audit evidence scrambles.
See how GRCWatch handles this control automatically
Start free trial