
In or out of scope?


partpricer
03-11-2009, 04:40 AM
We have a highly segmented environment where all of our cardholder data environments are firewalled from our corporate network. This has led to an internal argument regarding scope.

We use 802.1x authentication for all devices on the corporate network. If you don't properly authenticate, you are placed on a Guest network. The Guest network is also firewalled from the rest of the network and only allows users on that network to access the Internet via either port 80 or 443.

My question really comes down to requirement 6.4, "6.4 Follow change control procedures for all changes to system components." We follow 6.4 for changes to our cardholder data environments, but does this extend to the entire network? The reason I ask is that one of our managers wants to add a wireless access point to our Guest network so that the accounting auditors can get to the Internet while they are on-site.

Are major changes to the network environment, such as this, subject to requirement 6.4 even if it does not directly impact the cardholder data environments?
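
Whatever the answer on PCI scope, the segmentation claim in the post (Guest network firewalled from everything internal, egress only on TCP 80/443) is something you can test before and after a change like the new access point. The following is an added example, not code from the original post: it models a first-match firewall rule set and evaluates it against a list of expected outcomes, so that a rule added for the auditors' access point that quietly opens the Guest segment shows up as a failed expectation. The subnet addresses (192.168.100.0/24 for Guest, 10.0.0.0/8 for corporate with a CDE inside it), the public test address, and the rule format are all assumptions made for the example.

```python
"""Added example: check that the Guest segment's firewall policy still only
permits TCP 80/443 to the Internet and nothing to internal networks.
All addresses and rules below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (
            ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )


def decide(rules, src_ip, dst_ip, proto, dport, default="deny"):
    """First-match evaluation, the way most stateful firewalls order rules.
    Anything that matches no rule falls through to the default (deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return default


# Constructed Guest-segment policy (assumed subnets): internal space is denied
# first, then only HTTP/HTTPS to anywhere else is allowed.
GUEST_NET = "192.168.100.0/24"   # assumed Guest VLAN
INTERNAL = "10.0.0.0/8"          # assumed corporate space; CDE lives inside it
GUEST_RULES = [
    Rule("deny", "any", GUEST_NET, INTERNAL, None),
    Rule("allow", "tcp", GUEST_NET, "0.0.0.0/0", 80),
    Rule("allow", "tcp", GUEST_NET, "0.0.0.0/0", 443),
]

# Expectations that encode the post's segmentation claim:
# (src, dst, proto, dport, expected decision). Addresses are constructed.
GUEST_EXPECTATIONS = [
    ("192.168.100.37", "93.184.216.34", "tcp", 443, "allow"),  # Internet HTTPS
    ("192.168.100.37", "93.184.216.34", "tcp", 80, "allow"),   # Internet HTTP
    ("192.168.100.37", "93.184.216.34", "tcp", 22, "deny"),    # SSH out: not 80/443
    ("192.168.100.37", "93.184.216.34", "udp", 53, "deny"),    # DNS out: not 80/443
    ("192.168.100.37", "10.10.5.20", "tcp", 443, "deny"),      # CDE host, even on 443
    ("192.168.100.37", "10.1.2.3", "tcp", 80, "deny"),         # corporate host
]


def check_segmentation(rules, expectations):
    """Return every expectation the rule set violates (empty list = policy holds)."""
    failures = []
    for src, dst, proto, dport, expected in expectations:
        got = decide(rules, src, dst, proto, dport)
        if got != expected:
            failures.append((src, dst, proto, dport, expected, got))
    return failures


# Change-control scenario: a hypothetical "make the auditors' AP just work" rule
# inserted at the top of the policy. It opens the Guest segment to everything.
AP_SHORTCUT_RULE = Rule("allow", "any", GUEST_NET, "0.0.0.0/0", None)
BROKEN_RULES = [AP_SHORTCUT_RULE] + GUEST_RULES


if __name__ == "__main__":
    print("current policy failures:", check_segmentation(GUEST_RULES, GUEST_EXPECTATIONS))
    print("after AP shortcut rule:", check_segmentation(BROKEN_RULES, GUEST_EXPECTATIONS))
```

Running the expectations as part of the change review gives an answer to "does this change touch the cardholder environment?" that does not depend on who is arguing. The UDP 53 expectation is there because the post says only 80 and 443 leave the Guest network; a policy that strict needs a resolver on the Guest segment itself, or Guest users will have working ports and no name resolution.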

AllanPoll
03-11-2009, 05:43 AM
From an infosec best practice perspective yes, but not for PCI DSS. If the changes are not specific to a cardholder data environment they do not come under PCI DSS requirements.