thePCI Portal

Functionality testing to verify that the change does not adversely impact the security of the system

What are Assessor’s thoughts on requirement 6.4.5.3?

6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system.
Thorough testing should be performed to verify that the security of the environment is not reduced by implementing a change. Testing should validate that all existing security controls remain in place, are replaced with equally strong controls, or are strengthened after any change to the environment.

Analysis of the Wording

Thorough testing? OK. Thorough is a relative term.

Validate that ALL existing security controls remain in place? Wow. So, in the worst case, that's like an onsite assessment after every change. Or maybe a better interpretation is ALL existing security controls that could be impacted by the change.

Generic ideas to meet the control

  • When deploying new hosts to production, a vulnerability scan is part of the standard process.
  • Confirm the data is still encrypted in transport and at rest.
  • Access controls are still working.
  • Logs aren't populating with cardholder data.
  • Error messages are not verbose.

For other changes:

  • Tripwire is continuously monitoring hosts (Windows and Linux) and network devices (Cisco routers, switches and firewalls) against CIS benchmarks.
  • Continuous internal vulnerability scans, configured the same way as the quarterly internal vulnerability scans.
  • Is there a standard test that an entity can develop to do after every change?

Maybe the Best Answer

Would a specific test developed for the specific change make more sense (even if it did not validate ALL existing security controls)?

In other words, test ALL existing security controls that could be impacted by the change:

  • a segmentation test after making a firewall policy change
  • a crypto negotiation test after deploying a new certificate
  • confirming the firewall UTM still has an IDS module licensed and running after upgrading the OS
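Two of the per-change checks listed on this page (the "logs aren't populating with cardholder data" check from the generic ideas, and the segmentation test after a firewall policy change from the list just above) written as functions that return findings rather than just printing them, so they can run in a deployment pipeline and produce evidence for 6.4.5.3.a. This is an added example, not code from the post or from the PCI SSC; the hostnames, ports and log lines are constructed samples, and the segmentation probe is injectable so the script runs without a live network.

```python
"""Post-change security regression checks (added example, constructed data)."""
import re
import socket
from typing import Callable, Iterable

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit sequences found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def check_logs_for_pan(lines: Iterable[str]) -> list[tuple[int, str]]:
    """'Logs aren't populating with cardholder data': (line number, masked PAN).

    The PAN itself is never stored in the finding; only first six / last four."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return findings


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(
    must_stay_blocked: Iterable[tuple[str, int]],
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> list[tuple[str, int]]:
    """Segmentation test after a firewall policy change: every flow that must
    remain blocked is probed from the out-of-scope side; any that answers is a
    finding."""
    return [(h, p) for h, p in must_stay_blocked if probe(h, p)]


# Constructed sample log lines: one debug line leaks a test PAN, the others
# contain digit runs (order id, trace id, tokenized PAN) that must not alert.
SAMPLE_LOG = [
    "2024-01-15T12:30:45Z payment ok order=20240115123045 amount=19.99",
    "2024-01-15T12:30:46Z DEBUG raw request pan=4111111111111111 exp=12/26",
    "2024-01-15T12:30:47Z tokenized pan=411111******1111",
    "2024-01-15T12:30:48Z trace id=1234567890123456",
]

# Constructed: flows into the CDE that the firewall policy must keep blocked.
MUST_STAY_BLOCKED = [("db.cde.example", 5432), ("db.cde.example", 22)]


def run_checks(log_lines=SAMPLE_LOG, blocked=MUST_STAY_BLOCKED, probe=tcp_reachable):
    """Run both checks; 'passed' is the go/no-go for the change record."""
    results = {
        "pan_in_logs": check_logs_for_pan(log_lines),
        "segmentation_violations": check_segmentation(blocked, probe),
    }
    results["passed"] = not (results["pan_in_logs"] or results["segmentation_violations"])
    return results


if __name__ == "__main__":
    # Stand-alone run uses a probe that never connects, so it works offline.
    print(run_checks(probe=lambda h, p: False))
```

The Luhn filter is what keeps this usable on real logs: timestamps and order ids are long digit runs too, and without it the check drowns in false positives. Keep the list of flows that must stay blocked under version control next to the firewall policy so the test evolves with the change it validates.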
