PCI Best Practices

Below are suggestions to help you get the most out of the PCI Report and the other PCI-related activities in Security Manager.

  • In FireMon, DMZ refers to the Cardholder Data DMZ segment, so you need to keep your PCI DMZs separate from your non-PCI DMZs. The suggestion is to create a new Compliance Zone (FireMon Objects > Compliance Zones) called non-PCI DMZ for the DMZ segments that are out of PCI scope.
  • 'PCI_Management' typically consists of the networks with management access to the firewalls, routers and switches in the PCI networks (including the DMZ). It can also include out-of-band (lights-out management) access to servers.
  • Ensure that every rule on the firewalls protecting PCI zones has the following:
    • A comment
    • Logging enabled
    • A specific Source, Destination and Service, rather than "Any"
    • Completed Rule Documentation fields (for example, business justification, owner and application name)
  • Ensure that every network change has a complete audit trail with the who, what, when, and why.
  • Schedule the Unused Rules Report and the Removable Rules Report so that problematic rules are reviewed regularly and policy inconsistencies are cleaned up.
  • Review the service groups (FireMon Objects > Service Groups) for all PCI-related services (use 'PCI' as the filter criteria).
  • Create a device group (Device > Device Groups) containing all firewalls that are in scope for PCI compliance.
  • Assign the PCI-DSS assessment to that device group (Compliance > Assessments > PCI-DSS > Assignment). Once assigned, the Compliance Dashboard in Security Manager begins tracking your compliance daily.
  • Review these compliance topics
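The per-rule hygiene checks listed above (comment present, logging enabled, no "Any" in Source/Destination/Service, documentation fields complete) are easy to automate against a rule export. The script below is an added example, not FireMon code: the Rule fields, the ANY_TOKENS list and the SAMPLE_RULES policy are constructed for illustration and do not reflect Security Manager's export format or the Rule Documentation field names it uses.

```python
"""Audit a firewall rule export for the PCI rule-hygiene checks above.

Added example, not FireMon code. The rule representation below is a generic,
constructed one; map your own export (CSV, JSON, vendor config) onto Rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Documentation fields every PCI-scope rule is expected to carry (assumed names).
REQUIRED_DOC_FIELDS = ("business_justification", "owner", "application_name")
# Tokens that mean "match everything" in common vendor syntaxes (assumed list).
ANY_TOKENS = {"any", "any4", "any6", "0.0.0.0/0", "::/0", "*"}


@dataclass
class Rule:
    name: str
    source: list[str]
    destination: list[str]
    service: list[str]
    logging: bool
    comment: str = ""
    documentation: dict[str, str] = field(default_factory=dict)


def is_any(values: Iterable[str]) -> bool:
    """True if the field is empty or contains an 'any'-style token."""
    values = list(values)
    return not values or any(v.strip().lower() in ANY_TOKENS for v in values)


def audit_rule(rule: Rule) -> list[str]:
    """Return the hygiene findings for one rule (empty list = compliant)."""
    findings: list[str] = []
    if not rule.comment.strip():
        findings.append("missing comment")
    if not rule.logging:
        findings.append("logging disabled")
    for label, values in (("source", rule.source),
                          ("destination", rule.destination),
                          ("service", rule.service)):
        if is_any(values):
            findings.append(f"{label} is Any")
    for key in REQUIRED_DOC_FIELDS:
        if not rule.documentation.get(key, "").strip():
            findings.append(f"documentation field '{key}' is empty")
    return findings


def audit_policy(rules: Iterable[Rule]) -> dict[str, list[str]]:
    """Map each non-compliant rule name to its findings; compliant rules are omitted."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample policy for a firewall protecting a cardholder-data zone.
SAMPLE_RULES = [
    Rule(name="CDE-DB-from-App",
         source=["10.10.20.0/24"], destination=["10.10.30.11"],
         service=["tcp/1433"], logging=True,
         comment="App tier to payment DB, CR-1234",
         documentation={"business_justification": "Payment processing",
                        "owner": "payments-team", "application_name": "PayApp"}),
    Rule(name="Temp-Vendor-Access",
         source=["any"], destination=["10.10.30.0/24"],
         service=["any"], logging=False, comment="",
         documentation={"owner": "unknown"}),
    Rule(name="Mgmt-SSH",
         source=["10.10.99.0/24"], destination=["10.10.30.1"],
         service=["tcp/22"], logging=True, comment="PCI_Management to FW",
         documentation={"business_justification": "Device administration",
                        "owner": "netops", "application_name": ""}),
]

if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_RULES).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Only rules with at least one finding appear in the report, so a clean policy produces an empty dictionary; an empty Source, Destination or Service list is treated the same as an explicit "Any", since both match everything.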