As we continue our review of the 12 Requirements of PCI DSS version 4.0, one has to stop and ask: is it possible to have a favorite section of a standard? After all, most guidance documents, as well as regulations, are seen as tedious distractions from the real work of getting the job done. However, depending on a person's position and function in an organization, it is possible to "geek out" on some of the information in these official papers.

In the case of the new PCI DSS, it is clear from my previous articles that the language was very carefully considered. As we continue with the final Requirement sections, one can see that the Standard has something to contemplate for every level of an organization.

An Appealing View for the C-Suite

Requirements 10 through 12 should pique the interest of any C-Level executive. They are presented under two separate headings:

Regularly Monitor and Test Networks

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Requirement 11: Test Security of Systems and Networks Regularly

Maintain an Information Security Policy

Requirement 12: Support Information Security with Organizational Policies and Programs

My justification for viewing these three Requirements as being of supreme interest to the C-Suite is that they are directed more towards organizational structure and process than towards specific technical controls. Viewed from the perspective of a system administrator, or of anybody who has to operate the security controls and systems in question, they are much less interesting.

Requirement 10 starts with the same theme that runs throughout the entire Standard. That is, that "Roles and responsibilities for performing activities . . . are documented, assigned, and understood." There is nothing strange or unusual about that. However, this is the section that addresses the fact that an organization should collect logs