PCI DSS Requirement 12


PCI DSS Requirement 12: Maintain a policy that addresses information security of all personnel



Requirements Addressed




Requirement 12: Policies and Procedures

- Notify end users and company personnel of updated and new security policies.

12.1: Map business security policies into application traffic rules that clearly and unambiguously enforce the policy to network resources.

12.6: Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.

12.6.1: Provide templates for training and testing of policies.


12.8: Maintain information about which PCI requirements are managed by your company versus which are managed by service providers.

- Must maintain an inventory of which requirements are dependent on service provider.

- This is about identifying and managing the people and systems with shared responsibility. You cannot push the responsibility back onto your cloud provider.



Solution Features



> Firewalls & Routers

Do you know how payment card data is flowing through your firewalls and routers?

> Employee Education

Employees also handle credit card data and use the systems that transport it, and they can sometimes make mistakes, for example choosing poor passwords, clicking on malicious links, or sharing sensitive information via social media. They need to be trained and educated.

> Shared Responsibility

Security is no longer a one-team mentality, but rather a shared responsibility of many different roles and groups such as application owners, database admins, network operations, security engineers, firewall administrators, etc., as well as outsourced third parties that play a role in processing and storing cardholder data. Whether your cloud is a hosted solution, virtual, SaaS, IaaS or PaaS, your provider must also share responsibility for the security of your networks, data centres and ultimately cardholder data – and you need to hold them accountable. That means periodic reviews of their processes and controls to ensure there are no gaps.


> Automate Audits

- Manual audits use up too much of your time and resources and leave you no better off strategically.

- Forrester Research has stated that conducting a manual firewall audit is “nearly impossible”. Some customers were spending 2-3 weeks of audit preparation per firewall.

- Automating the audit process is really important because you most likely have to comply with more than just PCI DSS, and even for PCI DSS alone you may have to go through a couple of audits per year.



Use data leakage prevention (DLP) functionality to warn and educate end users, via alerts, that sensitive data is about to be moved, copied, or emailed.

> Point-in-time compliance serves no purpose – you need to ensure continuous compliance

Every time a change is made, there’s an opportunity to take your environment out of compliance. So if you build into your change process a risk and compliance check (and even better, if you can automate that), you can validate that changes will not take you out of your ideal security and compliance posture.
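The following is an added example, not code from the original page or from the consultancy: a small policy-as-code check of the kind described above, which maps a written policy about the cardholder data environment (12.1) into a test that a proposed firewall rule change can be run through before it is approved. The CDE address range, the approved source subnet, the approved ports and the sample rules are all constructed for illustration; a real deployment would load them from the organisation's own policy and rule base.

```python
"""Added example (not from the original page): a policy-as-code check that a
proposed firewall rule change is run through before approval, mapping a
business policy onto traffic rules and adding a compliance gate to the change
process.

Constructed assumptions for this example:
  - the cardholder data environment (CDE) is 10.10.0.0/16
  - only the jump-host subnet 10.1.5.0/24 may initiate traffic into the CDE
  - only HTTPS (443) and the database port (5432) are permitted into the CDE
  - every permit rule into the CDE must reference a change ticket
"""
import ipaddress

CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_SOURCES_TO_CDE = [ipaddress.ip_network("10.1.5.0/24")]  # jump hosts
ALLOWED_PORTS_TO_CDE = {443, 5432}


def _to_network(value):
    """Accept 'any', a CIDR block or a single IP and return an ip_network."""
    if str(value).lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value, strict=False)


def _touches_cde(dst):
    """True if the destination range overlaps any CDE network."""
    return any(dst.overlaps(cde) for cde in CDE_NETWORKS)


def check_rule(rule):
    """Return the policy violations for one proposed rule (empty list = compliant)."""
    findings = []
    if rule["action"].lower() != "permit":
        return findings  # deny rules never widen access
    src = _to_network(rule["source"])
    dst = _to_network(rule["destination"])
    if not _touches_cde(dst):
        return findings  # rule is outside the scope of the CDE policy
    # Source policy: no 'any', and only the approved jump-host subnet.
    if src.prefixlen == 0:
        findings.append(f"{rule['id']}: 'any' source permitted into the CDE")
    elif not any(src.subnet_of(a) for a in ALLOWED_SOURCES_TO_CDE):
        findings.append(f"{rule['id']}: source {src} is not an approved CDE source")
    # Port policy: no 'any', and only the approved service ports.
    port = rule["port"]
    if str(port).lower() == "any":
        findings.append(f"{rule['id']}: 'any' port permitted into the CDE")
    elif int(port) not in ALLOWED_PORTS_TO_CDE:
        findings.append(f"{rule['id']}: port {port} is not in the approved CDE port list")
    # Change-control policy: the rule must be traceable to a ticket.
    if not rule.get("ticket"):
        findings.append(f"{rule['id']}: no change ticket recorded for the rule")
    return findings


def review_change(rules):
    """Run every rule in a proposed change through the policy and collect findings."""
    findings = []
    for rule in rules:
        findings.extend(check_rule(rule))
    return findings


# Constructed sample change request: four proposed permit rules.
PROPOSED_CHANGE = [
    {"id": "R1", "action": "permit", "source": "10.1.5.0/24",
     "destination": "10.10.20.0/24", "port": 443, "ticket": "CHG-0001"},
    {"id": "R2", "action": "permit", "source": "any",
     "destination": "10.10.20.5", "port": "any", "ticket": ""},
    {"id": "R3", "action": "permit", "source": "192.168.7.0/24",
     "destination": "172.16.0.0/12", "port": 22, "ticket": "CHG-0002"},
    {"id": "R4", "action": "permit", "source": "10.2.0.0/16",
     "destination": "10.10.0.0/16", "port": 3389, "ticket": "CHG-0003"},
]

if __name__ == "__main__":
    violations = review_change(PROPOSED_CHANGE)
    for finding in violations:
        print("VIOLATION:", finding)
    print("change approved" if not violations else f"{len(violations)} violation(s); change blocked")
```

Run on the sample change, R1 passes, R3 is out of scope because it never reaches the CDE, and R2 and R4 are blocked (R2 for an open source, an open port and a missing ticket; R4 for an unapproved source and port). Wiring a check like this into the change workflow, rather than running it only before an audit, is what turns point-in-time compliance into continuous compliance.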





Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk