IT auditors are challenged on several fronts. They face the challenge of keeping up with complex and evolving security standards and regulatory mandates. They are also challenged to stay current with rapidly changing technology and emerging threats. Finally, they need to understand how to relate the current state of IT technology, governance, people and processes to the security and risk management intent of regulatory requirements. This requires the skills and knowledge to connect the specifics of what and how IT technology is deployed within an organization to the security requirements of the audit. Many auditors and security professionals have paid little attention to Secure Shell, but that is changing. SSH has impact across the scope of PCI DSS requirements.
This “cheat sheet” provides auditors with a basic investigation guidance for PCI DSS Audits. As part of any PCI DSS audit, the auditor should determine if and how Secure Shell is used in the CDE. Auditors have a responsibility to do basic investigation as to whether and how Secure Shell is used within the CDE and to perform the necessary validations that emerge from the investigation.