Quarterly Reviews of Your Security Program
Following Security Policies and Procedures
PCI Requirement 12.11 is the final requirement in the PCI DSS, and it applies only to service providers. It asks that service providers perform quarterly reviews to confirm that personnel are actually following the organization's security policies and operational procedures. Policies and procedures have no value if they're written down but not implemented and followed, and the review is how a service provider demonstrates to its assessor (and its clients) that the day-to-day controls are really happening. These quarterly reviews need to cover:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes
Transcription
At the end of the PCI DSS, we have PCI Requirement 12.11, which is only for service providers. The things that service providers are required to record as deliverables in an assessment are things relative to the log reviews that happen daily, the firewall rule-set reviews that happen semi-annually, the configuration standard updates, security alert response or incident response activities, and the change management process. Those characteristics, attributes, or control mechanisms of the PCI DSS need to be reviewed quarterly by service providers, so that the service provider can ensure it is consistently giving the services that it should to you as a PCI DSS end-user client.