PCI for SMB: Requirement 12 – Maintain an Information Security Policy
Welcome to the final post to conclude our series on understanding the Payment Card Industry Data Security Standard–PCI DSS. We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQ’s (Self Assessment Questionnaires).
In the previous articles written about PCI, we covered the following:
- Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters.
- Requirement 3 & 4: Secure Cardholder Data
- Requirement 5 & 6: Maintain a Vulnerability Management Program
- Requirement 7 & 8: Implement Strong Access Control Measures
- Requirement 9: Implement Strong Access Control Measures
- Requirement 10 & 11: Regularly Monitor and Test Networks
Having recapped this so far, we’re going to focus on the requirements under the Maintain an Information Security Policy section.
A security policy sets the expectation for your business and works to inform your team about what is required from a security standpoint. All employees should be aware of the responsibility they have with respect to the type of data they need to protect and your Information Security Policy (ISP) will be their guide in how to do it.
To help with describing this requirement, PCI DSS defines “employees” as:
full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.
PCI Requirement 12
Maintain an Information Security Policy
Let’s start with the foundation–Education.
PCI DSS requirement 12.6 speaks on staff security training:
“Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.”
In particular, it speaks on two sub-requirements. 12.6.1:
“Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data”
and 12.6.2:
“Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.”
In an ever-changing landscape such as website security, education is key and ensures that your team continues to acknowledge your policy (both from initial employment and through their career). It will prove key in reassuring your stakeholders and potential PCI QSA (Qualified Security Assessors) that you’re taking the right approach.
Individuals should have clearly defined standards and be aware of potential consequences. When hiring personnel, thorough background checks need to take place, as to limit potential security risks/breaches as instructed by Requirement 12.7.
If you’re looking for a cost-effective way to offer educational resources within your policy, e-learning resources are everywhere online for your team to take advantage of.
Wait. What should be included in a Security Policy, anyway?
Security Policy Checklist
Well, officially the PCI DSS states within the sub-requirements of 12.1 that the following should be included:
- 12.1.1 Addresses all PCI DSS requirements.
- 12.1.2 Includes an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.
- 12.1.3 Includes a review of the PCI DSS Implementation Guide at least once a year and updates when the environment changes.
So, as we’ve touched on so far, we’re looking to establish how to properly secure Cardholder Data, maintain Vuln. Management programs, exercise strong access controls (both physically and digitally), and regularly monitor our systems.
This can be summarized at the start within your version of a “Scope of the Information Security Policy” that speaks to whom this policy will apply to, the technologies this will apply to, as well as highlight the inherent goal of the policy.
It should be a very readable document with good security policies that are concise and enforceable. Policies such as this will have more success within the business.
It should contain a minimum of specialized jargon and acronyms, and clearly define any industry-specific terminology. You wouldn’t want employees or contractors confusing the parameters in which they are practicing good security policies.
Conclusion
Congratulations! You’ve completed a crash course reading up on the PCI DSS (an official quick guide can also be found here).
We have resources on our website that will continue to come out to provide learning material to help maintain PCI compliance.
The Sucuri WAF will also help you achieve many of them through our existing IDS/IPS stack. Some of the items we cover through our virtual patching/hardening and security options provided are:
- Requirement 1: Establish and implement a firewall
- Requirement 2: Harden your environment, disable unnecessary services & configure system parameters to prevent misuse.
- Requirement 6: Ensure that system components are protected from known vulnerabilities
- Requirement 6: Address common coding vulnerabilities
- Requirement 10: Implement audit trails
- Requirement 10: Review logs
We’re also a Level 1 Certified PCI Provider. The Sucuri Firewall has also been recognized as the 2018 Gartner Peer Insights Customers’ Choice.
If you’d like a copy of our current AOC, please be sure to email info@sucuri.net to request it and any other concerns regarding our technology.
*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Victor Santoyo. Read the original post at: https://blog.sucuri.net/2019/04/pci-for-smb-requirement-12-maintain-an-information-security-policy.html
