PCI DSS 1.2.1: Define NSC Configuration Standards
Network Security Configuration (NSC) standards form the backbone of PCI DSS requirement 1.2.1, ensuring firewall rulesets are defined, implemented, and actively maintained. Without documented configuration standards, your organization risks inconsistent security controls and audit failures. This control is foundational to demonstrating that your network architecture protects cardholder data environments.
What this means
PCI DSS 1.2.1 requires you to establish and document formal configuration standards for all Network Security Components (NSCs), including firewalls and routers. These standards must define baseline configurations, approved ruleset parameters, and change management procedures. Implementation means applying these standards consistently across all NSCs, and maintenance involves regular reviews to ensure configurations remain aligned with current business requirements and security policies.
How to comply
- 1.Document NSC configuration standards that specify baseline settings, security parameters, and ruleset requirements for firewalls and routers
- 2.Define authorized service ports, protocols, and traffic flows required for business operations
- 3.Establish a change management process requiring approval and testing before implementing configuration modifications
- 4.Implement version control and audit logging to track all NSC configuration changes
- 5.Conduct quarterly reviews of NSC configurations to verify compliance with documented standards
- 6.Maintain configuration baselines and remediate any deviations identified during reviews
- 7.Distribute and train relevant personnel on NSC configuration standards and change procedures
Evidence auditors look for
- Configuration standard documentation detailing firewall ruleset requirements and baseline settings
- Firewall configuration files showing implementation of documented standards
- Change management log entries approving NSC configuration modifications
- Configuration audit reports confirming alignment with established standards
- Training records for network and security personnel on configuration standards
- Quarterly configuration review documentation with sign-off
- Network topology diagrams reflecting NSC configurations per standards
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically monitors NSC configurations against your defined standards, detects drift in real-time, and generates audit-ready evidence—eliminating manual quarterly reviews and configuration audits.
See how GRCWatch handles this control automatically
Start free trial