Your company must have sound procedures to monitor every change inside and outside of your PCI environment. Without records of changes, formal approval, and testing, network documentation drifts away from the actual configuration, and the two end up in conflict.
Hardware upgrades, improvements, and software changes to your network environment should all be known to and accepted by management. The company needs comprehensive change control management to approve such changes.
Most, if not all, security and IT systems can be brought under some form of change management. PCI DSS Requirement 6.4 states that change control processes and procedures must be followed for all changes to system components. Your company should therefore have suitable methods for tracking changes both inside and outside the PCI environment.
PCI DSS Requirement 6.4 states that your change control process must include a documented rollback (back-out) plan, a testing process, management approval, and updated documentation. Without records of changes, security features can be intentionally or unintentionally omitted or rendered inoperable.
Without change controls in your PCI environment, processing irregularities can also occur, and malicious code can be introduced.
What is a change management system, and how does it affect PCI Compliance?
The first step of change control is to submit the change request to the people responsible for approving changes. The request should include a description of the change, an assessment of its impact, supporting test material, and the rollback procedure.
By collecting this change data, management can see which checks have been or will be carried out to ensure that the change does not adversely affect the security of the PCI environment.
Including the details of the rollback procedure in the change record is necessary so that management can reverse the change if anything goes wrong after it is applied.
See Also: Patching to Comply with PCI DSS Requirement 6
For PCI DSS compliance, your company must establish a formal process for approving changes and test that the change controls work. Changes to network connectivity, firewall and router rules, and software configuration should all follow one standard change process, so review your policies and procedures to define it.
Your assessor will also interview the responsible personnel and examine their records to confirm that changes to network connections are approved and controlled. The following controls should be included in the change process and its records:
- Rollback Plan – A documented rollback plan is critical. It details exactly how the change will be undone if something goes wrong or has a negative impact.
- Testing Phase – Every change must be tested to ensure that the cardholder data environment is not adversely affected. The rollback plan should be tested too, so that it is known to work before it is needed.
- Management Approval – Every change must be approved by authorized management before it is implemented, and the approval must be recorded.
- Updated Documentation – Whenever a significant change is made to your systems, you must ensure that all documentation, including network diagrams, data-flow diagrams, and inventory lists, is updated. The change should remain open until the documentation has been revised.
In assessing your compliance with PCI DSS Requirement 6.4, your assessor will review your change control policies and procedures to verify that you have addressed the following:
- Development and test environments must be separate from production environments, and access controls must be in place to ensure this separation.
- There should be a separation of duties between the personnel assigned to the development and test environments and those assigned to the production environment.
- Production data (live PANs) should not be used for testing or development, and test data should be deleted before a system or application goes into production.
- Change management procedures for security patches and software modifications must be documented.
It is essential to follow change management processes and procedures for all changes to system components. Otherwise, as PCI DSS Requirement 6.4 warns, security features may be inadvertently or deliberately omitted or rendered inoperable, processing irregularities may occur, or malicious code may be introduced.
How Long Should You Keep the Change Control Documentation for PCI Compliance?
Change control records, including the revised documentation, should be retained for at least one year, or for the full assessment period. Your PCI assessor will request these records and review them during the assessment to confirm that your company has a structured change control plan.
Records of changes to systems are not enough on their own. Assessors will also want to see the documented policies and procedures that describe how the change control process is carried out.
Change Control System Recommendations
Effective change management, with sound security practices built in, has long been central to information systems management. If you have not already done so, we recommend following one of the following best-practice standards, each of which incorporates change management:
- ITIL 2011 – Approach to IT Service Management;
- ISO/IEC 20000-1:2011 IT Service Management;
- ISO/IEC 27001:2013 Information Security Management Systems – Requirements.
You can run change management over email, and your PCI assessor will accept that as long as you have records of the changes. However, email lacks the features needed to keep those records and is not well suited to the task. Tracking a chain of emails and then producing them during the audit is a nightmare.
Change management is far more manageable with software designed to track tickets. Many decent paid and free help desk or ticketing tools can be used to track change tickets. The critical capabilities are recording what changed, who authorized it, and which steps were taken.
This can be done through ticketing software that has the following features:
- Allows you to record necessary event/call details.
- Allows you to assign tickets to individuals or groups.
- Allows you to enter notes.
- Allows easy reporting, or at least database access, so that you can write your reports.
- Allows you to add code review documents, threat models, or other documents associated with the change.
- It has workflow modules to allow approval processes.
- Logs and monitors every action taken on a ticket, so that the history of each change is preserved.
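Monitoring and logging are only useful if someone compares what was actually changed with what was approved. The following is an added example, not code from the page or from any ticketing product: it reconciles constructed firewall audit-log lines against constructed change tickets and reports changes that have no ticket, an unapproved ticket, the wrong implementer, or a timestamp outside the approved window. The log format, the ticket fields, and the hostnames and ticket numbers are all assumptions made for the example.

```python
"""Reconcile logged configuration changes against approved change tickets.

Added example, not code from the page. The log line format, the ticket
fields and all sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Ticket:
    ticket_id: str
    status: str          # "approved", "pending" or "rejected"
    implementer: str     # person authorized to carry out the change
    host: str            # system the change is approved for
    window_start: datetime
    window_end: datetime


def ts(value: str) -> datetime:
    """Parse a UTC timestamp such as 2024-03-04T02:15:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed change tickets, as a ticketing system's API might return them.
TICKETS = {
    "CHG-1042": Ticket("CHG-1042", "approved", "alice", "fw01",
                       ts("2024-03-04T02:00:00Z"), ts("2024-03-04T03:00:00Z")),
    "CHG-1043": Ticket("CHG-1043", "pending", "bob", "fw01",
                       ts("2024-03-04T02:00:00Z"), ts("2024-03-04T03:00:00Z")),
}

# Constructed firewall audit-log lines. The optional "change=" field is the
# ticket reference the operator is expected to supply when committing a change.
LOG_LINES = [
    "2024-03-04T02:15:11Z fw01 user=alice action=rule_add target=ALLOW_TCP_443_DMZ change=CHG-1042",
    "2024-03-04T02:20:00Z fw01 user=bob action=rule_add target=ALLOW_TCP_22_ANY change=CHG-1043",
    "2024-03-04T04:10:00Z fw01 user=alice action=rule_del target=DENY_ALL_INBOUND change=CHG-1042",
    "2024-03-04T11:30:00Z fw02 user=carol action=rule_add target=ALLOW_TCP_3389_ANY",
    "2024-03-04T02:30:00Z fw01 user=mallory action=rule_add target=ALLOW_TCP_443_DMZ change=CHG-1042",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+)(?: change=(?P<change>\S+))?$"
)


def reconcile(line: str, tickets: dict) -> list:
    """Return the reasons a logged change is unauthorized (empty list = authorized)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable log line"]
    when = ts(m["ts"])
    ref = m["change"]
    if ref is None:
        return ["no change ticket referenced"]
    t = tickets.get(ref)
    if t is None:
        return [f"unknown ticket {ref}"]
    reasons = []
    if t.status != "approved":
        reasons.append(f"{ref} is {t.status}, not approved")
    if m["host"] != t.host:
        reasons.append(f"{ref} approved for {t.host}, applied on {m['host']}")
    if m["user"] != t.implementer:
        reasons.append(f"{ref} assigned to {t.implementer}, applied by {m['user']}")
    if not (t.window_start <= when <= t.window_end):
        reasons.append(f"applied at {m['ts']}, outside approved window")
    return reasons


def review(lines, tickets=TICKETS) -> dict:
    """Map each log line that has findings to its list of reasons."""
    findings = {}
    for line in lines:
        reasons = reconcile(line, tickets)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in review(LOG_LINES).items():
        print("UNAUTHORIZED:", line)
        for r in reasons:
            print("   -", r)
```

Run on the constructed data, four of the five lines are flagged; only the first, which matches an approved ticket on the right host, by the assigned person, inside the window, passes. In practice the tickets would be pulled from the ticketing tool's API and the log lines from the firewall's configuration audit log, and the report would feed the review step of the change process.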
What Are the Benefits of Change Management Software?
Change management software is useful for any organizational change, but it is particularly valuable in the following situations:
1. Reduces Human Error
It is surprisingly common for payment card data to be accidentally posted to a public web location. It is just as easy for a misconfigured database to expose its data in violation of PCI DSS. Either way, these problems arise when a minor error in a change operation alters data routing or database storage locations, making sensitive information reachable from outside. Change management systems can include built-in checks and balances that make such mistakes easier to spot before data is compromised.
2. You Can Plan More Effectively
Change tasks need to be carefully organized and scheduled so that they are carried out precisely. A mistake in execution can lead to a data breach and corresponding penalties from the card brands and acquirers. Change management tools include scheduling and process coordination features that help IT teams work together on a schedule and adapt when issues arise.
3. You Can Create an Audit Trail
Documentation is essential for regulatory compliance. It is not enough to follow the correct procedures; you have to be able to prove that you follow them every time. Change management tools have built-in, automated audit trails that make it much easier to document every detail of a change task.
4. Change Management Tools Provide Valuable Data
If you cannot measure how a change is progressing, you cannot make the right decisions about it. Change management and feedback tools capture the metrics you need to judge the effectiveness of your efforts.
5. You Can Update Complex Processes More Conveniently
While bringing complex change to a company process, change management software can help administrators assign tasks, track progress, simplify communication, and enable automatic alerts to keep everyone up-to-date and on the same page.
Adequate change controls start with policy, are defined clearly in procedures, and are essential for any change that could affect the ongoing security of your information. From patches and firewall rules to application updates and anything else running on a server, every change must be authorized through the required approval channel.
See Also: What is Inventory and Asset Management for PCI Compliance?
Change control should never become a bottleneck. For PCI, at a minimum you can email change requests to the responsible approver and keep the resulting list as a record. A simple list may suit a small company, but mature change management moves that list online, streamlines the workflow, and automates at least part of it.
The change list should sit right next to your asset management system. If the governance function does not control the change process, you will never have proper control over the business.
Any change to any component must go through the formal change process, whether it is a patch, a configuration or software change, or a fix to systems identified during vulnerability assessment.
The change control process is a safeguard against both insider threats and unintended consequences. Separation of duties between test and production systems, and between the staff roles that work on them, is equally important. Under no circumstances should production data, including cardholder data (CHD) and full PANs, be used in test or development environments.
For emergency changes, work may begin on verbal authorization. However, you must have an emergency change procedure that requires the normal documentation and approval to be completed within a short time afterward.
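The controls described in this article (a documented impact, approval, test evidence and rollback plan for every change; separation of duties between approver and implementer; no live PANs in test data; documentation updated after significant changes; and emergency changes documented shortly after the fact) can be enforced mechanically when a ticket is reviewed. The following is an added example, not code from the page or from any ticketing product: it validates constructed change records against those controls and, for the test-data rule, scans for Luhn-valid card-number-like strings. The record fields, the 24-hour grace period for documenting an emergency change, and the sample tickets are assumptions made for the example.

```python
"""Check a change record for the elements an assessor expects to find.

Added example, not code from the page. The ChangeRecord fields, the 24-hour
grace period for documenting emergency changes, and the sample records are
assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ChangeRecord:
    ticket_id: str
    description: str
    impact: str                   # what the change affects and why it is safe
    implementer: str
    approver: Optional[str]       # None until a documented approval is recorded
    test_evidence: str            # reference to the functionality test results
    rollback_plan: str            # how the change is backed out
    test_data_sample: str         # excerpt of the data used for testing
    docs_updated: List[str] = field(default_factory=list)  # diagrams, inventories, ...
    significant: bool = False
    emergency: bool = False
    implemented_at: Optional[datetime] = None


# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every valid payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card-number-like strings found in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Show only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def validate(rec: ChangeRecord, now: datetime,
             emergency_grace: timedelta = timedelta(hours=24)) -> List[str]:
    """Return the problems that would stop this record passing review (empty = passes)."""
    problems = []
    if not rec.impact.strip():
        problems.append("impact of the change is not documented")
    if not rec.test_evidence.strip():
        problems.append("no evidence of functionality testing")
    if not rec.rollback_plan.strip():
        problems.append("no rollback plan")
    if rec.approver is None:
        # An emergency change may start on verbal authorization, but the written
        # approval must follow within the grace period.
        within_grace = (rec.emergency and rec.implemented_at is not None
                        and now - rec.implemented_at <= emergency_grace)
        if not within_grace:
            problems.append("no documented approval")
    elif rec.approver == rec.implementer:
        problems.append("approver is also the implementer (no separation of duties)")
    if rec.significant and not rec.docs_updated:
        problems.append("significant change but no documentation updated")
    pans = find_pans(rec.test_data_sample)
    if pans:
        problems.append("test data contains live-looking PANs: " + ", ".join(mask(p) for p in pans))
    return problems


# Constructed sample records and a fixed "current time" for the checks.
NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    ChangeRecord("CHG-1042", "Open TCP/443 from DMZ to web tier", "Affects fw01 only; no new inbound exposure",
                 "alice", "dave", "Test run #88 passed in staging", "Remove rule ALLOW_TCP_443_DMZ and recommit",
                 "card=453914******6467 amount=10.00", docs_updated=["network-diagram-v12"],
                 significant=True, implemented_at=datetime(2024, 3, 4, 2, 15, tzinfo=timezone.utc)),
    ChangeRecord("CHG-1050", "Hotfix for checkout timeout", "Checkout service only", "bob", None,
                 "Smoke test passed", "Redeploy previous build", "order=1234567890123456",
                 emergency=True, implemented_at=datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)),
    ChangeRecord("CHG-1051", "Schema change on orders DB", "", "carol", "carol", "", "",
                 "card=4539 1488 0343 6467 exp=12/26", significant=True,
                 implemented_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)),
]


def check_samples(now: datetime = NOW) -> dict:
    """Validate every sample record; returns ticket id -> list of problems."""
    return {rec.ticket_id: validate(rec, now) for rec in SAMPLES}


if __name__ == "__main__":
    for ticket_id, problems in check_samples().items():
        print(ticket_id, "OK" if not problems else "; ".join(problems))
```

The first record passes; the emergency hotfix passes because it is still inside the grace period for recording the approval, and the 16-digit order number in its test data is not Luhn-valid, so it is not mistaken for a card number; the third record is rejected on six counts, including self-approval and a Luhn-valid PAN in its test data, which is reported masked so that the finding itself does not leak the number. A team that uses the published test card numbers from its payment processor would add them to an allow-list in find_pans.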