Regulatory Compliance, Governance and Security:

requirement 12: Maintain a policy that addresses information security

Feb 23 2009   1:32AM GMT

PCI Policy and Procedures Documents | You Need them for PCI DSS

Posted by: Charles Denyer
PCI Policy and Procedures Documents, payment card industry data security standards, requirement 12: Maintain a policy that addresses information security, PCI DSS

PCI policy and procedures documents are extremely critical in achieving Payment Card Industry (PCI) compliance. How critical? Enough that an entire requirement for PCI is dedicated to developing an information security program. In fact, requirement 12: Maintain a policy that addresses information security for employees and contractors, requires just that, developing these policies and procedures.

But hold on, it is much more than just PCI DSS Requirement 12; there are a number of other areas sprinkled throughout the PCI DSS requirements that “require” documented policies and procedures on a wide array of items. News to you? Maybe, maybe not. Either way, writing these PCI policy and procedures documents takes time, a lot of time.

Add to that the fact that, because every organization is different, you cannot simply stamp on a one-size-fits-all approach; it does not work that way. You need to spend time customizing the policy and procedures documents so they fit your organization’s needs.

Sure, you can start with some broad based themes and templates, but you will really have to roll your sleeves up to grind out the details in achieving the true “spirit” of these documents.

Feb 14 2009   1:52PM GMT

Payment Card Industry (PCI) Compliance | Much More than just I.T.

Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), qualified security assessor (QSA), requirement 12: Maintain a policy that addresses information security, PCI DSS, pci readiness assessment, pci dss 1.2, pci dss policies and procedures

That’s right. Payment Card Industry (PCI) compliance is much more than just I.T. and all the surrounding hardware and software components that make up the “system components” within the cardholder environment. I’ve just recently finished up a PCI Readiness Assessment for a client on the West Coast, and guess what happens to be their most significant and time-consuming remediation activity? The writing of documented policies and procedures for numerous requirements as set forth and promulgated by the PCI DSS v.1.2 standards. That’s right, they can be painstaking, arduous, and time consuming. Even worse, most I.T. security professionals really do not like to consume themselves with this daunting task.

So remember, when you are all caught up in the PCI game and you are so focused on routers, switches, load balancers, and other network and system devices, make sure you also focus on the much-needed policies and procedures that are sprinkled throughout the PCI DSS requirements. My advice: hire a seasoned Qualified Security Assessor (QSA) to write them for you; you’ll be glad you did.

And if you don’t believe me, take a look at Requirement 12: Maintain a Policy that Addresses Information Security.

To learn more about Payment Card Industry (PCI) compliance, visit pciassessment.org