Which statement requires documentation and business justification and approval for use of all services, protocols, and ports allowed?


Multiple Choice

Which statement requires documentation and business justification and approval for use of all services, protocols, and ports allowed?

Explanation:

The main idea here is governance over what is allowed into the cardholder data environment (CDE). The correct statement is the one requiring that every service, protocol, and port that is permitted be backed by documented business justification and formal approval, and that security features be documented for any protocol considered insecure (PCI DSS v3.2.1 Requirement 1.1.6; the PCI DSS guidance gives FTP, Telnet, POP3, IMAP, and SNMP v1 and v2 as examples of such protocols). This creates a formal, risk-based control: you allow only what is necessary, every allowance has a traceable owner and approval, and any insecure protocol that cannot be removed has compensating safeguards on record. Without that documented justification and approval, firewall rules tend to accumulate and the attack surface grows without anyone having decided to accept the risk.

The other options describe concrete network designs, such as placing firewalls between wireless networks and the CDE (Requirement 1.2.3) or using a DMZ to limit inbound traffic to authorized publicly accessible services (Requirement 1.3.1). These are important controls, but they address how traffic is restricted rather than the requirement that every allowed service, protocol, and port be justified, approved, and documented along with the security features protecting it.
