How do you know what you need to apply your PCI DSS controls to? Simple, you check your asset inventory. You do have one, right? You know, PCI DSS requirement 2.4? Oh. You haven’t got one, have you.
Never fear, creating one is relatively simple providing you know your scope. Creating the asset inventory is really just a case of listing all the components that are in-scope for you. What should you include though?
Well, all system components so that’s things like network devices, firewalls, servers, desktops, laptops, wireless access points (important enough they get their own requirement, 11.1.1) and POI machines. You should also include at least key software that is used within your environment (think operating systems, payment applications, server software etc.)
You also need to include enough information to satisfy PCI DSS so for each item that is:
- Enough information to uniquely identify the component (host…
View original post 263 more words