GUIDANCE FOR REQUIREMENT 12: MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain a policy that addresses information security for employees and contractors

A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company's site.

Requirement Guidance
12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all PA DSS requirements.
12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
12.1.3 Includes a review of the PA DSS Implementation Guide at least once a year and updates when the environment changes.
A company's information security policy creates the roadmap for implementing security measures to protect its most valuable assets. A strong security policy sets the security tone for the whole company, and lets employees know what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
Security threats and protection methods evolve rapidly throughout the year. Without updating the security policy to reflect these changes, new protection measures to fight against these threats are not addressed.
12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
Daily operational security procedures act as “desk instructions” for workers to use in their day-to-day system administrative and maintenance activities. Undocumented operational security procedures will lead to workers who are not aware of the full scope of their tasks, processes that cannot be repeated easily by new workers, and potential gaps in these processes that may allow a malicious individual to gain access to critical systems and resources.
12.3 Develop usage policies for critical employee-facing technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
Employee usage policies can either prohibit use of certain devices and other technologies if that is company policy, or provide guidance for employees as to correct usage and implementation. If usage policies are not in place, employees may use the technologies in violation of company policy, thereby allowing malicious individuals to gain access to critical systems and cardholder data. An example can be unknowingly setting up wireless networks with no security. To ensure that company standards are followed and only approved technologies are implemented, consider confining implementation to operations teams only and not allowing unspecialized/general employees to install these technologies.
12.3.1 Explicit management approval
Without requiring proper management approval for implementation of these technologies, an employee may innocently implement a solution to a perceived business need, but also open a huge hole that subjects critical systems and data to malicious individuals.
12.3.2 Authentication for use of the technology
If technology is implemented without proper authentication (user IDs and passwords, tokens, VPNs, etc.), malicious individuals may easily use this unprotected technology to access critical systems and cardholder data.
12.3.3 List of all such devices and personnel with access
12.3.4 Labeling of devices with owner, contact information, and purpose
Malicious individuals may breach physical security and place their own devices on the network as a “back door.” Employees may also bypass procedures and install devices. An accurate inventory with proper device labeling allows for quick identification of non-approved installations. Consider establishing an official naming convention for devices, and label and log all devices in concert with established inventory controls.
12.3.5 Acceptable uses of the technologies
12.3.6 Acceptable network locations for the technologies
12.3.7 List of company-approved products
By defining acceptable business use and location of company-approved devices and technology, the company is better able to manage and control gaps in configurations and operational controls, to ensure a “back door” is not opened for a malicious individual to gain access to critical systems and cardholder data.
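Requirements 12.3.3 through 12.3.7 together describe an inventory that a daily check can be run against: every device seen on the network should match an inventory record, carry owner, contact and purpose labels, sit on its approved network segment, and be a company-approved product. The following is an added example of such a check, not code from the guidance document; the device records, product list, network segments and the `reconcile` function are all constructed for illustration, and the `OBSERVED` list stands in for the output of whatever discovery tool a company actually uses.

```python
"""Reconcile devices seen on the network against the approved inventory.

Added example for PA-DSS 12.3.3 to 12.3.7; not part of the guidance document.
Every record below is constructed sample data, and OBSERVED stands in for the
output of whatever discovery tool (switch MAC tables, DHCP leases, a scanner)
a company actually uses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedDevice:
    mac: str
    name: str       # name under the company's naming convention (12.3.4)
    owner: str      # label fields required by 12.3.4
    contact: str
    purpose: str
    location: str   # approved network segment (12.3.6)
    product: str    # must be on the approved product list (12.3.7)


# Constructed data: company-approved products and the device inventory (12.3.3).
APPROVED_PRODUCTS = {"AcmeAP-200", "AcmeSwitch-48", "VendorPOS-7"}

INVENTORY = [
    ApprovedDevice("aa:bb:cc:00:00:01", "ap-store01-01", "J. Doe", "it@example.test",
                   "store Wi-Fi", "store-lan", "AcmeAP-200"),
    ApprovedDevice("aa:bb:cc:00:00:02", "pos-store01-01", "Store manager", "store01@example.test",
                   "POS terminal", "pos-lan", "VendorPOS-7"),
    ApprovedDevice("aa:bb:cc:00:00:03", "sw-store01-01", "", "",
                   "access switch", "store-lan", "AcmeSwitch-48"),      # label incomplete
    ApprovedDevice("aa:bb:cc:00:00:04", "rtr-store01-99", "R. Roe", "r.roe@example.test",
                   "guest router", "store-lan", "ConsumerRouter-X"),    # not an approved product
]

# Constructed: what discovery reported, as (MAC address, segment it was seen on).
OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "segment": "store-lan"},
    {"mac": "aa:bb:cc:00:00:02", "segment": "store-lan"},  # POS device on the wrong segment
    {"mac": "aa:bb:cc:00:00:03", "segment": "store-lan"},
    {"mac": "de:ad:be:ef:00:99", "segment": "pos-lan"},    # not in the inventory at all
]


def reconcile(inventory, observed, approved_products):
    """Return the findings a daily inventory check would raise.

    unapproved:         MACs seen on the network with no inventory record (12.3.3)
    wrong_location:     inventoried devices seen outside their approved segment (12.3.6)
    unlabeled:          inventory records missing owner, contact or purpose (12.3.4)
    unapproved_product: inventory records whose product is not on the approved list (12.3.7)
    """
    by_mac = {d.mac.lower(): d for d in inventory}
    findings = {"unapproved": [], "wrong_location": [], "unlabeled": [], "unapproved_product": []}

    for obs in observed:
        dev = by_mac.get(obs["mac"].lower())   # MACs compared case-insensitively
        if dev is None:
            findings["unapproved"].append(obs["mac"].lower())
            continue
        if obs["segment"] != dev.location:
            findings["wrong_location"].append((dev.name, obs["segment"], dev.location))

    for dev in inventory:
        if not (dev.owner and dev.contact and dev.purpose):
            findings["unlabeled"].append(dev.name)
        if dev.product not in approved_products:
            findings["unapproved_product"].append(dev.name)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, APPROVED_PRODUCTS).items():
        print(f"{category}: {items}")
```

Each finding maps to one of the sub-requirements, so the output of a run can be filed directly against the item it evidences; the unapproved-MAC finding is the “back door” case the guidance describes, and the wrong-location finding catches an approved device that has drifted off its approved segment.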
12.3.8 Automatic disconnect of sessions for remote access technologies after a specific period of inactivity
12.3.9 Activation of remote-access technologies for vendors only when needed by vendors, with immediate deactivation after use
Remote-access technologies are frequent “back doors” to critical resources and cardholder data. By disconnecting remote-access technologies when not in use (for example, those used to support your systems by your POS or other vendors), access and risk to networks is minimized. Consider using controls to disconnect devices after 15 minutes of inactivity. Please also see Requirement 8.5.6 for more on this topic.
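The two controls above, an idle disconnect after a fixed inactivity period (12.3.8) and vendor access that exists only for the window it is needed (12.3.9), can be expressed as one small session policy. The following is an added example and not code from the guidance document; the `RemoteAccessPolicy` class, its method names and the sample accounts are assumptions made for this illustration, and the 15-minute idle limit is the figure the guidance suggests.

```python
"""Idle timeout and time-boxed vendor activation for remote-access sessions.

Added example for PA-DSS 12.3.8 and 12.3.9; not part of the guidance document.
The RemoteAccessPolicy class and its method names are assumptions made for this
illustration, and the 15-minute idle limit is the figure the guidance suggests.
"""
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)


class RemoteAccessPolicy:
    def __init__(self, idle_limit=IDLE_LIMIT):
        self.idle_limit = idle_limit
        self.vendor_windows = {}   # vendor account -> (enabled_at, expires_at)
        self.sessions = {}         # session id -> {"account", "vendor", "last_activity"}

    # --- 12.3.9: vendor access exists only for the window in which it is needed ---
    def enable_vendor(self, account, now, duration):
        self.vendor_windows[account] = (now, now + duration)

    def disable_vendor(self, account):
        """Deactivate immediately; returns the live sessions that were cut."""
        self.vendor_windows.pop(account, None)
        cut = [sid for sid, s in self.sessions.items() if s["account"] == account]
        for sid in cut:
            del self.sessions[sid]
        return cut

    def vendor_allowed(self, account, now):
        window = self.vendor_windows.get(account)
        return window is not None and window[0] <= now < window[1]

    # --- session lifecycle ---
    def open_session(self, session_id, account, now, is_vendor=False):
        if is_vendor and not self.vendor_allowed(account, now):
            return False   # vendor account is not activated at this time
        self.sessions[session_id] = {"account": account, "vendor": is_vendor, "last_activity": now}
        return True

    def record_activity(self, session_id, now):
        session = self.sessions.get(session_id)
        if session is None:
            return False   # already disconnected; the client must reconnect
        session["last_activity"] = now
        return True

    # --- 12.3.8: disconnect after the inactivity period ---
    def sweep(self, now):
        """Run periodically; returns (session id, reason) for every session it ended."""
        ended = []
        for sid, s in list(self.sessions.items()):
            idle = now - s["last_activity"] >= self.idle_limit
            closed = s["vendor"] and not self.vendor_allowed(s["account"], now)
            if idle or closed:
                ended.append((sid, "idle" if idle else "vendor-window-closed"))
                del self.sessions[sid]
        return ended


if __name__ == "__main__":
    policy = RemoteAccessPolicy()
    t0 = datetime(2024, 1, 1, 9, 0)              # constructed clock value
    policy.enable_vendor("pos-vendor", t0, timedelta(hours=2))
    policy.open_session("v1", "pos-vendor", t0, is_vendor=True)
    print(policy.sweep(t0 + timedelta(minutes=15)))   # v1 idle for 15 minutes
```

The sweep is what an access gateway or bastion would run on a timer: a session is ended either because it has been idle for the configured period or because the vendor window it was opened under has closed, and `disable_vendor` gives the immediate deactivation the guidance asks for, cutting any live session for that account rather than waiting for the next sweep.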
12.3.10 When accessing cardholder data remotely via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media.
To ensure your employees are aware of their responsibilities to not store or copy cardholder data onto their local personal computer or other media, your company should have a policy that clearly prohibits such activities.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
Without clearly defined security roles and responsibilities assigned, there could be inconsistent interaction with the security group, leading to unsecured implementation of technologies or use of outdated or unsecured technologies.
12.5 Assign to an individual or team the following information security management responsibilities:
12.5.1 Establish, document, and distribute security policies and procedures.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
12.5.4 Administer user accounts, including additions, deletions, and modifications.
12.5.5 Monitor and control all access to data.
Each person or team with responsibilities for information security management should be clearly aware of their responsibilities and related tasks, through specific policy. Without this accountability, gaps in processes may open access into critical resources or cardholder data.
12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
If users are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through employee errors or intentional actions.
12.6.1 Educate employees upon hire and at least annually.
If the security awareness program does not include annual refresher sessions, key security processes and procedures may be forgotten or bypassed, resulting in exposed critical resources and cardholder data.
12.6.2 Require employees to acknowledge at least annually that they have read and understood the company's security policy and procedures.
Requiring an acknowledgement by employees (example: in writing or electronically) helps ensure that they have read and understood the security policies/procedures, and that they have made a commitment to comply with these policies.
12.7 Screen potential employees (see definition of “employees” at 9.2 above) prior to hire to minimize the risk of attacks from internal sources.
For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Performing thorough background investigations prior to hiring employees who are expected to be given access to cardholder data reduces the risk of unauthorized use of PANs and other cardholder data by individuals with questionable or criminal backgrounds. It is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions (and what that impact would be).
12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
If a merchant or service provider shares cardholder data with a service provider, then certain requirements apply to ensure continued protection of this data will be enforced by such service providers.
12.8.1 Maintain a list of service providers.
Knowing who their service providers are identifies where potential risk extends to outside of the organization.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
The acknowledgement of the service providers evidences their commitment to maintaining proper security of the cardholder data they obtain from their clients, and thus holds them accountable.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
The process ensures that any engagement of a service provider is thoroughly vetted internally by an organization, which should include a risk analysis prior to establishing a formal relationship with the service provider.
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status.
Knowing a service provider's PCI DSS compliance status provides further assurance that they comply with the same requirements that an organization is subjected to.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
Without a thorough security incident response plan that is properly disseminated, read, and understood by the parties responsible, confusion and lack of a unified response could create further downtime for the business, unnecessary public media exposure, as well as new legal liabilities.
12.9.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
* Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
* Specific incident response procedures
* Business recovery and continuity procedures
* Data back-up processes
* Analysis of legal requirements for reporting compromises
* Coverage and responses of all critical system components
* Reference or inclusion of incident response procedures from the payment brands
The incident response plan should be thorough and contain all the key elements to allow your company to respond effectively in the event of a breach that could impact cardholder data.
12.9.2 Test the plan at least annually.
Without proper testing, key steps may be missed that could limit exposure during an incident.
12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
12.9.4 Provide appropriate training to staff with security breach response responsibilities.
Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become “polluted” by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation. If internal resources are not available, consider contracting with a vendor that provides these services.
12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.
These monitoring systems are designed to focus on potential risk to data, are critical in taking quick action to prevent a breach, and must be included in the incident-response processes.
12.9.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Incorporating “lessons learned” into the incident response plan after an incident helps keep the plan current and able to react to emerging threats and security trends.