Quarterly Reviews of Your Security Program
Following Security Policies and Procedures
PCI Requirement 12.11 is the final requirement in the PCI DSS and only applies to service providers. It asks that service providers perform quarterly reviews to confirm that personnel are following security policies and procedures. Policies and procedures have no use if they’re not implemented and followed. These reviews need to cover:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
Transcription
At the end of the PCI DSS, we have PCI Requirement 12.11, which is only for service providers. The things that service providers are required to record for deliverables in an assessment are things relative to the log reviews that happen daily, the firewall rule set reviews that happen semi-annually, the configuration standard updates, security alert response or incident response activities, and the change management process. Those characteristics, attributes, or control mechanisms of PCI DSS need to be reviewed quarterly by service providers, so the service provider can ensure that he is consistently giving the services that he should to you as a PCI DSS end-user client.
Related Videos
Creating a Data Flow Diagram
Creating a Network Diagram
Define a Password Reset Procedure to Authenticate Requests
Define the Boundaries of Your Systems
How To Build Workforce Awareness Around Incident Response
How To Govern the Use of Mobile Devices
How to Evaluate the Maturity of Your Security Awareness Training
Improve Your Security Policy With FBI CJIS
Maintain Logs for Audit Accountability
PCI Requirement 10.9 – Document Policies & Procedures for Monitoring Access to Network Resources
PCI Requirement 11.6 – Ensure Security Policies for Security Monitoring are Documented
PCI Requirement 12- Maintain a Policy that Addresses Information Security for All Personnel
PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy
PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies
PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties
PCI Requirement 12.3.10 – Prohibit the Moving of Cardholder Data onto Local Hard Drives
PCI Requirement 12.3.2 – Authentication for Use of the Technology
PCI Requirement 12.3.3 – A List of All Such Devices and Personnel with Access
PCI Requirement 12.3.4 – A Method to Accurately Determine Owner, Contact Information, and Purpose
PCI Requirement 12.3.5 – Acceptable Uses of the Technology
PCI Requirement 12.3.6 – Acceptable Network Locations for the Technologies
PCI Requirement 12.3.7 – List of Company-Approved Products
PCI Requirement 12.4 – Ensure Security Policies & Procedures Define Responsibilities for All
PCI Requirement 12.5.1 – Establish, Document, and Distribute Security Policies and Procedures
PCI Requirement 12.6.2 – Require Personnel to Read and Understand Security Policies and Procedures
PCI Requirement 5.4 – Ensure Security Policies and Procedures are Known to all Affected Parties
PCI Requirement 6.7 – Ensure Policies & Procedures for Systems Are Documented, in Use & Known
PCI Requirement 9.10 – Ensure Policies for Restricting Physical Access to Cardholder Data are Known
Physical Security Policy in a Remote World
Prepare for a Formal Audit
Publish and Maintain an Information Security Policy
The Components of a System Security Plan
The Importance of Following a Remote Access Policy
The Importance of Keeping Security Training Records
The Importance of a Perimeter Security Monitoring Policy
Use Alerts to Enforce Your Access Control Policy
Verify Internal Log Processes
