Assigning Information Security Management Responsibility
Supporting PCI Requirement 12.5 in AWS
PCI Requirement 12.5 requires that you assign an individual or team to the following information security management responsibilities:
- Establish, document, and distribute security policies and procedures
- Monitor and analyze security alerts and information, and distribute to appropriate personnel
- Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
- Administer user accounts, including additions, deletions, and modifications
- Monitor and control all access to data
Anyone with information security management responsibilities in AWS should be made aware of their tasks through the information security policy. Without these responsibilities assigned, new risks may threaten the security of cardholder data.
If PCI Requirement 12.4 speaks to assigning and authorizing proper access, then PCI Requirement 12.5 lets us know what roles we have to fill. For small organizations, these can be the same people, but the assignments still need to be formalized and documented. We are talking about an overall assignment, whether it is the CEO or President or someone at the head of the information security program, that is clearly and formally defined in your policies as being in charge of this thing.

Establishing, documenting, and distributing policies and procedures could actually be several people on the IT staff, but you might want to consider a document controller – someone who handles the documentation and takes care of version control. For monitoring and analyzing security alerts, you assign that to your security analysts, or to the firewall admins in smaller organizations if they are handling the IDS. For larger organizations, this assignment may go to the Security Operations Center.

PCI Requirement 12.5.3 says to establish, document, and distribute security incident response and escalation procedures, which is a whole subtopic in itself, but here it is about the formalization of the incident response team: documenting its members and assigning the processes for those members to follow in the case of an incident. You have your user account administrators (the people who add and remove users on a daily basis), and all of these individuals or roles, together with the systems they operate, are within the scope of a PCI DSS assessment.

In AWS – you guessed it – this is all IAM, followed by security groups that match these roles. If you can put all of that together in the technical controls, just make sure you have those roles defined in your security policy.
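One way to check that the IAM side actually reflects the roles your policy names, as an added example that is not part of the original post: each 12.5 responsibility is mapped to an IAM group, and the script confirms the group exists and has at least one member. The snapshot is a constructed, trimmed-down dict in the shape of `aws iam get-account-authorization-details` output; the group and user names are hypothetical.

```python
# Added example (not from the original post): verify that every PCI 12.5
# responsibility is mapped to an IAM group that exists and has members.
# SNAPSHOT is constructed, in the shape of `get-account-authorization-details`
# output, trimmed to the fields this check uses; names are hypothetical.

PCI_12_5_RESPONSIBILITIES = {
    "12.5.1 policies and procedures": "pci-policy-owners",
    "12.5.2 monitor security alerts": "pci-security-analysts",
    "12.5.3 incident response and escalation": "pci-incident-response",
    "12.5.4 user account administration": "pci-iam-admins",
    "12.5.5 monitor and control data access": "pci-data-access-reviewers",
}

SNAPSHOT = {
    "GroupDetailList": [
        {"GroupName": "pci-policy-owners"},
        {"GroupName": "pci-security-analysts"},
        {"GroupName": "pci-incident-response"},   # exists but nobody is in it
        {"GroupName": "pci-iam-admins"},
    ],
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["pci-policy-owners", "pci-iam-admins"]},
        {"UserName": "bob", "GroupList": ["pci-security-analysts"]},
        {"UserName": "carol", "GroupList": []},
    ],
}


def responsibility_coverage(snapshot, mapping):
    """Return ({responsibility: sorted user names}, [gap messages])."""
    groups = {g["GroupName"] for g in snapshot["GroupDetailList"]}
    members = {}
    for user in snapshot["UserDetailList"]:
        for group in user["GroupList"]:
            members.setdefault(group, []).append(user["UserName"])
    coverage, gaps = {}, []
    for responsibility, group in mapping.items():
        if group not in groups:
            gaps.append(f"{responsibility}: group '{group}' does not exist")
            coverage[responsibility] = []
            continue
        assigned = sorted(members.get(group, []))
        coverage[responsibility] = assigned
        if not assigned:
            gaps.append(f"{responsibility}: group '{group}' has no members")
    return coverage, gaps


if __name__ == "__main__":
    cov, gaps = responsibility_coverage(SNAPSHOT, PCI_12_5_RESPONSIBILITIES)
    for responsibility, users in cov.items():
        print(f"{responsibility}: {', '.join(users) or 'UNASSIGNED'}")
    for gap in gaps:
        print("GAP:", gap)
```

Against a real account, feed the script the JSON from `get-account-authorization-details` and keep the mapping in step with the role list in your written security policy.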