Castleforce IT Security Team

Maintain an Information Security Policy

Requirement 12 Maintain a policy that addresses information security for employees and contractors

A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.


12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

  • 12.1.1 Addresses all PCI DSS requirements
  • 12.1.2 Includes an annual process that identifies threats and vulnerabilities and results in a formal risk assessment
  • 12.1.3 Includes a review at least once a year and updates when the environment changes

12.2 Develop daily operational security procedures that are consistent with the requirements in this specification (for example, user account maintenance procedures and log review procedures).

12.3 Develop usage policies for critical employee-facing technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), email usage and internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:

  • 12.3.1 Explicit management approval
  • 12.3.2 Authentication for use of the technology
  • 12.3.3 A list of all such devices and personnel with access
  • 12.3.4 Labeling of devices with owner, contact information, and purpose
  • 12.3.5 Acceptable uses of the technology
  • 12.3.6 Acceptable network locations for the technologies
  • 12.3.7 List of company-approved products
  • 12.3.8 Automatic disconnect of sessions for remote access technologies after a specific period of inactivity
  • 12.3.9 Activation of remote access technologies for vendors only when needed by vendors, with immediate deactivation after use
  • 12.3.10 When accessing cardholder data via remote access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media.

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.

12.5 Assign to an individual or team the following information security management responsibilities:

  • 12.5.1 Establish, document, and distribute security policies and procedures.
  • 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
  • 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  • 12.5.4 Administer user accounts, including additions, deletions, and modifications
  • 12.5.5 Monitor and control all access to data.

12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.

  • 12.6.1 Educate employees upon hire and at least annually.
  • 12.6.2 Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.

12.7 Screen potential employees (see definition of employees above) prior to hire to minimize the risk of attacks from internal sources.

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

  • 12.8.1 Maintain a list of service providers.
  • 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  • 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
  • 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

  • 12.9.1 Create the incident response plan to be implemented in the event of a system breach. Ensure the plan addresses the following, at a minimum:
      • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands, at a minimum
      • Specific incident response procedures
      • Business recovery and continuity procedures
      • Data backup processes
      • Analysis of legal requirements for reporting compromises
      • Coverage and responses of all critical system components
      • Reference or inclusion of incident response procedures from the payment brands

  • 12.9.2 Test the plan at least annually.
  • 12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
  • 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
  • 12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
  • 12.9.6 Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

Contact Castleforce for help with PCI DSS

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Security Awareness

Castleforce are partnered with AwareGo and ISECT Ltd (Noticebored) to offer organisations different ways to deliver IT Security Awareness messages to their employees.

Noticebored IT Security Awareness: We can supply security awareness materials for your staff, managers and IT professionals, covering a fresh security topic each month.

awareGO IT Security Awareness Campaigns: security awareness made simple and easy, with 12 short and funny episodes, each with a message.


Vulnerability Management

SureCloud SureGuard Vulnerability Management: SureCloud are an Approved Scanning Vendor (ASV) and can provide the vulnerability management scans required to enable organisations to reach PCI DSS requirement 12.