|
1 | 1 | [ |
2 | 2 | { |
3 | | - "common_id": "CC-7130e083", |
| 3 | + "common_id": "CC-395c4a7f", |
4 | 4 | "theme": "Policy and Procedures", |
5 | 5 | "unified_description": "Develop, document, and disseminate access control policies and procedures.", |
6 | 6 | "source_references": [ |
7 | 7 | "AC-1" |
8 | 8 | ] |
9 | 9 | }, |
10 | 10 | { |
11 | | - "common_id": "CC-966a08ae", |
| 11 | + "common_id": "CC-969b4780", |
12 | 12 | "theme": "Account Management", |
13 | 13 | "unified_description": "Define and document the types of accounts allowed and specifically prohibited for use within the system.", |
14 | 14 | "source_references": [ |
15 | 15 | "AC-2" |
16 | 16 | ] |
17 | 17 | }, |
18 | 18 | { |
19 | | - "common_id": "CC-f0c1f730", |
| 19 | + "common_id": "CC-4626709f", |
20 | 20 | "theme": "Automated System Account Management", |
21 | 21 | "unified_description": "Support the management of system accounts using automated mechanisms.", |
22 | 22 | "source_references": [ |
23 | 23 | "AC-2(1)" |
24 | 24 | ] |
25 | 25 | }, |
26 | 26 | { |
27 | | - "common_id": "CC-46fe4b36", |
| 27 | + "common_id": "CC-06352f3a", |
28 | 28 | "theme": "Protection of Information at Rest", |
29 | 29 | "unified_description": "Protect the confidentiality and integrity of information at rest.", |
30 | 30 | "source_references": [ |
31 | 31 | "SC-28" |
32 | 32 | ] |
33 | 33 | }, |
34 | 34 | { |
35 | | - "common_id": "CC-fbd55581", |
| 35 | + "common_id": "CC-59f0df03", |
36 | 36 | "theme": "PCI DSS 1.1.1", |
37 | 37 | "unified_description": "All security policies and operational procedures that are identified in Requirement 1 are: \n\u2022\t Documented.\n\u2022\t Kept up to date.\n\u2022\t In use.\n\u2022\t Known to all affected parties. All security policies and operational procedures that are identified in Requirement 3 are: \n\u2022\tDocumented. \n\u2022\tKept up to date. \n\u2022\tIn use.\n\u2022\tKnown to all affected parties. All security policies and operational procedures that are identified in Requirement 6 are:\n\u2022\t Documented.\n\u2022\t Kept up to date.\n\u2022\t In use.\n\u2022\t Known to all affected parties. All security policies and operational procedures that are identified in Requirement 8 are:\n\u2022\t Documented.\n\u2022\t Kept up to date.\n\u2022\t In use.\n\u2022\t Known to all affected parties.", |
38 | 38 | "source_references": [ |
|
43 | 43 | ] |
44 | 44 | }, |
45 | 45 | { |
46 | | - "common_id": "CC-c4cc78f7", |
| 46 | + "common_id": "CC-cfe8f63e", |
47 | 47 | "theme": "PCI DSS 1.1.2", |
48 | 48 | "unified_description": "Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood. Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood. Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. \nNew requirement - effective immediately Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood.", |
49 | 49 | "source_references": [ |
|
54 | 54 | ] |
55 | 55 | }, |
56 | 56 | { |
57 | | - "common_id": "CC-09946ffa", |
| 57 | + "common_id": "CC-d19f7fbf", |
58 | 58 | "theme": "PCI DSS 1.2.1", |
59 | 59 | "unified_description": "Configuration standards for NSC rulesets are:\n\u2022\t Defined.\n\u2022\t Implemented.\n\u2022\t Maintained.", |
60 | 60 | "source_references": [ |
61 | 61 | "1.2.1" |
62 | 62 | ] |
63 | 63 | }, |
64 | 64 | { |
65 | | - "common_id": "CC-c1255c81", |
| 65 | + "common_id": "CC-b122e211", |
66 | 66 | "theme": "PCI DSS 1.2.2", |
67 | 67 | "unified_description": "All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.", |
68 | 68 | "source_references": [ |
69 | 69 | "1.2.2" |
70 | 70 | ] |
71 | 71 | }, |
72 | 72 | { |
73 | | - "common_id": "CC-707aa218", |
| 73 | + "common_id": "CC-7218e73e", |
74 | 74 | "theme": "PCI DSS 1.2.3", |
75 | 75 | "unified_description": "An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.", |
76 | 76 | "source_references": [ |
77 | 77 | "1.2.3" |
78 | 78 | ] |
79 | 79 | }, |
80 | 80 | { |
81 | | - "common_id": "CC-60a96355", |
| 81 | + "common_id": "CC-e9422191", |
82 | 82 | "theme": "PCI DSS 1.2.4", |
83 | 83 | "unified_description": "An accurate data-flow diagram(s) is maintained that meets the following: \n\u2022\t Shows all account data flows across systems and networks.\n\u2022\t Updated as needed upon changes to the environment.", |
84 | 84 | "source_references": [ |
85 | 85 | "1.2.4" |
86 | 86 | ] |
87 | 87 | }, |
88 | 88 | { |
89 | | - "common_id": "CC-878aa714", |
| 89 | + "common_id": "CC-04d46536", |
90 | 90 | "theme": "PCI DSS 3.2.1", |
91 | 91 | "unified_description": "Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:\n\u2022\t Coverage for all locations of stored account data.\n\u2022\t Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to", |
92 | 92 | "source_references": [ |
93 | 93 | "3.2.1" |
94 | 94 | ] |
95 | 95 | }, |
96 | 96 | { |
97 | | - "common_id": "CC-8f1f8c38", |
| 97 | + "common_id": "CC-9e5f3e6d", |
98 | 98 | "theme": "PCI DSS 3.3.1", |
99 | 99 | "unified_description": "SAD is not stored after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process", |
100 | 100 | "source_references": [ |
101 | 101 | "3.3.1" |
102 | 102 | ] |
103 | 103 | }, |
104 | 104 | { |
105 | | - "common_id": "CC-98c5fba5", |
| 105 | + "common_id": "CC-5c676cde", |
106 | 106 | "theme": "PCI DSS 3.3.1.1", |
107 | 107 | "unified_description": "The full contents of any track are not stored upon completion of the authorization process.", |
108 | 108 | "source_references": [ |
109 | 109 | "3.3.1.1" |
110 | 110 | ] |
111 | 111 | }, |
112 | 112 | { |
113 | | - "common_id": "CC-a236aa7a", |
| 113 | + "common_id": "CC-99ea31ec", |
114 | 114 | "theme": "PCI DSS 3.3.1.2", |
115 | 115 | "unified_description": "The card verification code is not stored upon completion of the authorization process.", |
116 | 116 | "source_references": [ |
117 | 117 | "3.3.1.2" |
118 | 118 | ] |
119 | 119 | }, |
120 | 120 | { |
121 | | - "common_id": "CC-c5008b7e", |
| 121 | + "common_id": "CC-3ffed50a", |
122 | 122 | "theme": "PCI DSS 3.3.1.3", |
123 | 123 | "unified_description": "The personal identification number (PIN) and the PIN block are not stored upon completion of the authorization process.", |
124 | 124 | "source_references": [ |
125 | 125 | "3.3.1.3" |
126 | 126 | ] |
127 | 127 | }, |
128 | 128 | { |
129 | | - "common_id": "CC-260baf6e", |
| 129 | + "common_id": "CC-d2380416", |
130 | 130 | "theme": "PCI DSS 6.2.1", |
131 | 131 | "unified_description": "Bespoke and custom software are developed securely, as follows:\n\u2022\t Based on industry standards and/or best practices for secure development. \n\u2022\t In accordance with PCI DSS (for example, secure authentication and logging). \n\u2022\t Incorporating consideration of information security issues during each stage of the software development lifecycle.", |
132 | 132 | "source_references": [ |
133 | 133 | "6.2.1" |
134 | 134 | ] |
135 | 135 | }, |
136 | 136 | { |
137 | | - "common_id": "CC-2abb7ce9", |
| 137 | + "common_id": "CC-c5d468fb", |
138 | 138 | "theme": "PCI DSS 6.2.2", |
139 | 139 | "unified_description": "Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: \n\u2022\t On software security relevant to their job function and development languages.\n\u2022\t Including secure software design and secure coding techniques.\n\u2022\t Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.", |
140 | 140 | "source_references": [ |
141 | 141 | "6.2.2" |
142 | 142 | ] |
143 | 143 | }, |
144 | 144 | { |
145 | | - "common_id": "CC-1dbc2e64", |
| 145 | + "common_id": "CC-b10e7ee9", |
146 | 146 | "theme": "PCI DSS 6.2.3", |
147 | 147 | "unified_description": "Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows:\n\u2022\t Code reviews ensure code is developed according to secure coding guidelines.\n\u2022\t Code reviews look for both existing and emerging software vulnerabilities.\n\u2022\t Appropriate corrections are implemented prior to release.", |
148 | 148 | "source_references": [ |
149 | 149 | "6.2.3" |
150 | 150 | ] |
151 | 151 | }, |
152 | 152 | { |
153 | | - "common_id": "CC-b8a73bf2", |
| 153 | + "common_id": "CC-5661e363", |
154 | 154 | "theme": "PCI DSS 8.2.1", |
155 | 155 | "unified_description": "All users are assigned a unique ID before access to system components or cardholder data is allowed.", |
156 | 156 | "source_references": [ |
157 | 157 | "8.2.1" |
158 | 158 | ] |
159 | 159 | }, |
160 | 160 | { |
161 | | - "common_id": "CC-50c00579", |
| 161 | + "common_id": "CC-15a81f0a", |
162 | 162 | "theme": "PCI DSS 8.2.2", |
163 | 163 | "unified_description": "Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:\n\u2022\t ID use is prevented unless needed for an exceptional circumstance.\n\u2022\t Use is limited to the time needed for the exceptional circumstance.\n\u2022\t Business justification for use is documented.\n\u2022\t Use is explicitly approved by management. \n\u2022\t Individual user identity is confirmed before access to an account is granted.\n\u2022\t Every action taken is attributable to an individual user.", |
164 | 164 | "source_references": [ |
165 | 165 | "8.2.2" |
166 | 166 | ] |
167 | 167 | }, |
168 | 168 | { |
169 | | - "common_id": "CC-6e6a288c", |
| 169 | + "common_id": "CC-ca9cb7bc", |
170 | 170 | "theme": "PCI DSS 8.2.3", |
171 | 171 | "unified_description": "Additional requirement for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.", |
172 | 172 | "source_references": [ |
173 | 173 | "8.2.3" |
174 | 174 | ] |
175 | 175 | }, |
176 | 176 | { |
177 | | - "common_id": "CC-88ba173e", |
| 177 | + "common_id": "CC-9f107b62", |
178 | 178 | "theme": "PCI DSS 8.2.4", |
179 | 179 | "unified_description": "Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:\n\u2022\t Authorized with the appropriate approval.\n\u2022\t Implemented with only the privileges specified on the documented approval.", |
180 | 180 | "source_references": [ |
181 | 181 | "8.2.4" |
182 | 182 | ] |
183 | 183 | }, |
184 | 184 | { |
185 | | - "common_id": "CC-acafaddc", |
| 185 | + "common_id": "CC-b13f0844", |
186 | 186 | "theme": "PCI DSS 8.2.5", |
187 | 187 | "unified_description": "Access for terminated users is immediately revoked", |
188 | 188 | "source_references": [ |
189 | 189 | "8.2.5" |
190 | 190 | ] |
191 | 191 | }, |
192 | 192 | { |
193 | | - "common_id": "CC-0858093c", |
| 193 | + "common_id": "CC-c7e62ebd", |
194 | 194 | "theme": "PCI DSS 12.1.1", |
195 | 195 | "unified_description": "An overall information security policy is: \n\u2022\t Established.\n\u2022\t Published.\n\u2022\t Maintained.\n\u2022\t Disseminated to all relevant personnel, as well as to relevant vendors and business partners. The information security policy is:\n\u2022\t Reviewed at least once every 12 months.\n\u2022\t Updated as needed to reflect changes to business objectives or risks to the environment. The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware and acknowledge their information security responsibilities. Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management.", |
196 | 196 | "source_references": [ |
|
201 | 201 | ] |
202 | 202 | }, |
203 | 203 | { |
204 | | - "common_id": "CC-fb67c0a0", |
| 204 | + "common_id": "CC-7282b4ae", |
205 | 205 | "theme": "PCI DSS 12.2.1", |
206 | 206 | "unified_description": "Acceptable use policies for end-user technologies are documented and implemented, including:\n\u2022\t Explicit approval by authorized parties.\n\u2022\t Acceptable uses of the technology.\n\u2022\t List of products approved by the company for employee use, including hardware and software.", |
207 | 207 | "source_references": [ |
|