PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Similar documents
Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

University of Pittsburgh Security Assessment Questionnaire (v1.7)

01.0 Policy Responsibilities and Oversight

The Honest Advantage

Access to University Data Policy

Information Security Policy

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Information Security Risk Strategies. By

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

WORKSHARE SECURITY OVERVIEW

Lakeshore Technical College Official Policy

Apex Information Security Policy

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Payment Card Industry (PCI) Data Security Standard

Guidelines for Data Protection

Mapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma

Checklist: Credit Union Information Security and Privacy Policies

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy

Cybersecurity in Higher Ed

Oracle Database Vault

COSO Enterprise Risk Management

locuz.com SOC Services

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Information Technology Branch Organization of Cyber Security Technical Standard

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

COBIT 5 With COSO 2013

Google Cloud & the General Data Protection Regulation (GDPR)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Juniper Vendor Security Requirements

Department of Public Health O F S A N F R A N C I S C O

GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

SECURITY & PRIVACY DOCUMENTATION

ADIENT VENDOR SECURITY STANDARD

Nine Steps to Smart Security for Small Businesses

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

A company built on security

Donor Credit Card Security Policy

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Val-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Introduction to AWS GoldBase

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

PROFESSIONAL SERVICES (Solution Brief)

Daxko s PCI DSS Responsibilities

Oracle Data Cloud ( ODC ) Inbound Security Policies

COMPLIANCE SCOPING GUIDE

University of Sunderland Business Assurance PCI Security Policy

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

EU General Data Protection Regulation (GDPR) Achieving compliance

Altius IT Policy Collection Compliance and Standards Matrix

Education Network Security

Handling Complex and Difficult Privacy and Information Security Issues

Virginia Commonwealth University School of Medicine Information Security Standard

Achieving PCI-DSS Compliance with ZirMed financial services Darren J. Hobbs, CPA and James S. Lacy, JD

Security and Privacy Governance Program Guidelines

Employee Security Awareness Training Program

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

WELCOME ISO/IEC 27001:2017 Information Briefing

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Putting It All Together:

Table of Contents. PCI Information Security Policy

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

WHITE PAPER- Managed Services Security Practices

ISO/IEC Information technology Security techniques Code of practice for information security controls

Oracle Database Security Assessment Tool

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cyber Risks in the Boardroom Conference

Altius IT Policy Collection Compliance and Standards Matrix

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

GDPR: A QUICK OVERVIEW

IBM Internet Security Systems October Market Intelligence Brief

PCI Compliance Assessment Module with Inspector

Twilio cloud communications SECURITY

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

EXIN Expert in IT Service Management based on ISO/IEC Preparation Guide

Corporate Information Security Policy

1 Privacy Statement INDEX

Certified Information Security Manager (CISM) Course Overview

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Application for Certification

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Cybersecurity Auditing in an Unsecure World

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

Altius IT Policy Collection

Security Policies and Procedures Principles and Practices

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

INFORMATION TECHNOLOGY SECURITY POLICY

Transcription:

PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman Information Shield Contents 1. Introduction 2. Security Policy Requirements 3. Specific PCI Compliance 4. Policy Development Tools 5. Addressing Specific PCI Policy Topics 6. PCI Security Policies Step-by-Step 7. Staying Up to Date 8. References Introduction Many organizations are building or updating written information security policies in response to the newly updated Payment Card Industry Data Security Standard [1] (PCI-DSS). Written information security policies are fundamental to an effective information security program and required for compliance with many frameworks and regulations, including PCI, HIPAA, COBIT and many others. In this paper we describe how Information Shield security policy products can be used to save time and money and enable compliance with the PCI standard. All Contents Copyright 2007, Information Shield, Inc. All design elements and content are copyright Information Shield, Inc. unless otherwise noted. All rights reserved. All trademarks cited herein are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder. Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of its contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. The advice and strategies contained herein are based on the author s experience and may not be usable for your situation. You should consult with an information security professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages. PCI Policy Compliance Information Shield Page 2

Security Policy Requirements Written information security policies are the foundation of any information security program. Information security policies provide the high-level business rules for how an organization will protect information assets. Written policies are required so that each member of the organization understands their information security responsibilities for their job role. Written information security policies also provide documented evidence of management s intent to protect information, and a baseline for both internal and external auditors to validate the security posture of the organization. The fact that written security policies are fundamental to any security program is underscored by Requirement 12 within the PCI-DSS standard - Maintain a policy that addresses information security. [2] At the highest level, ISPME is designed to address the core requirements of PCI. (See Table 1 - PCI Security Policy Checklist - which shows how ISPME addresses each subsection within Requirement 12 of the PCI Self-Assessment Questionnaire Version 1.0.) Addressing Specific PCI Compliance PCI compliance can be addressed using Information Security Policies Made Easy [3] (ISPME) at two fundamental levels. First, ISPME provides time-saving policy development tools and advice to aid the entire policy development process. Second, ISPME provides pre-written policy statements covering each topic within the PCI standard. The combination of pre-written policy statements and expert advice on the policy development process will save organizations valuable time. Policy Development Tools ISPME provides a variety of time-saving tools to help organization manage the policy development process. We use the word process because policy development is not a one-time project. An effective written information security policy program requires organizations to regularly update policies based on the latest risks to the organization. This implies that organizations must develop a formal process for developing, approving, integrating, and deploying written policies on a regular basis. ISPME provided the following time-savings tools: Detail Policy Development Project Guidance ISPME contains over 40 pages of expert advice on how to build and develop information security policies. This tutorial is based on the 20 year information security experience of Charles Cresson Wood, CISSP, CISM. The guidance includes helpful checklists to use in the development and deployment of policies, and includes an outline for a policy management program. PCI Policy Compliance Information Shield Page 3

Valuable Policy Development Forms and Templates ISPME contains a number of time-saving forms that are required within an effective written policy program. Examples include a sample Agreement to Comply with Information Security Policies (for all users) and a Sample Risk Assessment Form to process and manage exceptions to policy. Policy Development Resources ISPME contains a number of time-saving resources and references including periodicals, web sites and professional organizations that may help you develop policies more quickly and effectively. ISPME contains over 1400 individual policy statements addressing all of the core areas of PCI-DSS. Sample ISPME Topics: Firewall Configuration Complete Pre-Written Documents ISPME contains seventeen complete, pre-written information security policy documents addresses some of the most critical organizational security needs. Examples include electronic mail, internet acceptable use, firewalls, network security, data privacy and many others. Addressing Specific PCI Information Security Topics ISPME makes it easy to develop written policies that address each of the 12 requirement areas of PCI DSS. Policy Statement Library The core of ISPME is a complete library of over 1400 individual security policy statements that address thousands of topics and technologies. The policy library is organized around the ISO 17799 (ISO 27001) security framework, and includes over 120 separate information security domains. While the ISPME is based upon the ISO security standard, easy search and browsing facilities make it easy to locate specific written policies related to PCI- DSS. Policy statements can be easily filtered by target audience, security environment (low, medium, high) and keyword. Each policy within the library contains valuable commentary to help organizations implement the given policy. The commentary describes the risks that each policy is designed to address, which greatly aids a formal risk-assessment process. Policy Mapping Documents ISPME contains high-level mapping documents which provide a guide for locating specific PCI-DSS security policies. Also included are maps for COBIT 4.0 [6] (used for Sarbanes-Oxley) and HIPAA [7]. Many organizations are required to demonstrate compliance with more than one regulation or framework. ISPME is designed to facilitate a best-practices approach which allows for audits against multiple standards and regulations. Secure Passwords Viruses and Malicious Code Application Security User Authentication Risk Assessments Data Classification Security Organization Network Access Control Encryption Data Destruction Electronic Records Incident Response System Testing Secure Application Development Data Privacy Physical Security And 100 others PCI Policy Compliance Information Shield Page 4

PCI Security Policies Step-by-Step A complete set of information security policies for PCI-DSS can be developed with the help of ISPME using four basic steps: 1. Perform a Gap-Analysis with Current PCI Policies - A sound first step is to compare your existing security policies against the requirements from PCI DSS. The ISPME table of contents is a useful tool to identify possible content gaps between your existing policies and a best-practices set of policies. 2. Prioritize Missing Policies The results of Step 1, along with any organizational risk-assessment, can be used to prioritize a list of policy topics that must be covered to enable compliance. This worksheet can be used to track the progress of policies throughout the development lifecycle. 3. Develop a policy development and review plan Use the instructions within ISPME to develop a written information security policy plan. This plan should include, at a minimum, a policy review and exception process, and definition of roles and responsibilities for all members of the organization who may have a role in policy development. Information Security Roles and Responsibilities Made Easy [5] will be a useful tool in the role definition and documentation process. 4. Build and deploy written policies Once the plan has been developed and approved, organizations can beginning developing specific written policies based on existing content within ISPME. ISPME contains fifteen complete sample policy documents that can be used as an excellent starting point. The policy library provides 1400 individual policy statements that can easy be incorporated into existing documents. Staying Up to Date PolicyShield Policy Subscription PolicyShield is a new information security policy subscription service based on ISPME. The goal of PolicyShield is to allow your organization to build and maintain a robust set of written information security policies with the least amount of effort. To achieve this goal, the PolicyShield library is regularly updated with new policies and resources to help you address new risks. PolicyShield acts as your on-demand security policy consultant. Our team of information security professionals continually monitors the technology landscape to look for new risks to your organization s information assets. These risk may include new threats (such as botnets), regulatory changes (including enforcement actions) and new technologies (instant-messaging, VOIP, etc.) Each quarter we compile a list of new additions to the existing PolicyShield library. New additions may include pre-written information security policies, policy development resources, sample documents, news items and policy-related incidents. PolicyShield is an extremely cost-effective way for an organization to keep written policies up to date and help protect against the latest threats. PCI Policy Compliance Information Shield Page 5

Table 1: Specific Security Policy Requirements for PCI DSS Requirement 12: Maintain a policy that addresses information security. 12.1 Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented? 12.2 Are information security policies and other relevant security information disseminated to all system users (including vendors, contractors, and business partners)? 12.3 Are information security policies reviewed at least once a year and updated as needed? 12.4 Have the roles and responsibilities for information security been clearly defined within the company? 12.5 Is there an up-to-date information security awareness and training program in place for all system users? 12.6 Are employees required to sign an agreement verifying they have read and understood the security policies and procedures? 12.7 Is a background investigation (such as a creditand criminal record check, within the limits of local law) performed on all employees with access to account numbers? 12.8 Are all third parties with access to sensitive cardholder data contractually obligated to comply with card association security standards? 12.9 Is a security incident response plan formally documented and disseminated to the appropriate responsible parties? 12.10 Are security incidents reported to the person responsible for security investigation? 12.11 Is there an incident response team ready to be deployed in case of a cardholder data compromise? ISPME contains over 1400 individual pre-written security policies covering 123 different security topics as defined in ISO 17799:2005/ISO 27001. ISPME also contains 15 complete security policy documents covering key aspects of information security. ISPME contains over 100 separate information security policy controls that related to outsourcing and thirdparty contracts ISPME helps organizations maintain an updated set of written policies by providing content updates with each new version. ISPME also provides time-saving tutorials on the policy development and review cycle from Charles Cresson Wood, CISSP, CISA Information Security Roles and Responsibilities Made Easy provides over 70 different pre-written information security related job descriptions and department mission statements, allowing organizations to quickly document roles and responsibilities. ISR&R also includes time-saving tools and techniques for developing an information security program. ISPME contains pre-written policies that allow organizations to document and develop and information security awareness program. ISPME contains over 1500 policy commentaries with detailed advice that can help drive awareness activities. ISPME comes with pre-written information security policies that document the responsibilities and rights of users, including a sample Agreement to Comply with Information Security Policies. ISPME contains over 100 different pre-written information security policies covering the entire lifecycle of employee management, including pre-screening, during employment, and after termination. ISPME contains over 100 different information security controls relating the management of security with outsourcing contracts and third party access to sensitive information. ISPME contains over 80 different information security policies covering each aspect of incident reporting, management, handling and disclosure. ISPME contains pre-written policies for the reporting and documentation of security incidents. ISPME contains pre-written policies for the formation and documentation of a Computer Incident Response Team (CIRT), while ISR&R provides specific pre-written job responsibilities and mission statements for members of a Computer Incident Response Team. PCI Policy Compliance Information Shield Page 6

References [1] Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire Version 1.0, Release: December 2004, PCI Standards Council. [2] Payment Card Industry (PCI) Data Security Standard, Version 1.1 Published September 2006, PCI Security Standards Council. [3] ISO/IEC 17799:2005 (ISO 27001) Code of practice for information security management - Published by ISO and available at BSI [http://www.bsi-global.org/] [4] Information Security Policies Made Easy, by Charles Cresson Wood - Published by Information Shield, Inc. 2002-2005. [http://www.informationshield.com] [5] Information Security Roles and Responsibilities Made Easy, by Charles Cresson Wood - Published by Information Shield, Inc. 2002-2005. [http://www.informationshield.com] [6] Control Objectives for Information Technology (COBIT ) 4th Edition Published by ISACA, November 2005. [http://www.isaca.org] [7] Health Insurance Portability and Accountability Act of 1996 (HIPAA): Final Security Rule. Department of Health and Human Services; Published in the Federal Registrar. [http://aspe.hhs.gov/admnsimp/index.shtml] About the Author David Lineman is President and CEO of Information Shield. Mr. Lineman has 20 years of experience in software development, business consulting and security. He is the author of Information Protection Made Easy A Guide for Employees and Contractors and is a frequent speaker on the subjects of information security policy and regulatory requirements. About Information Shield Information Shield is a global provider of security policy, data privacy and security awareness solutions that enable organizations to effectively comply with international security and privacy regulations. Information Shield products are used by over 7000 customers in 59 countries worldwide. Information Shield, Inc. 2660 Bering Dr. Houston, TX 77057 www.informationshield.com sales@informationshield.com P: 888.641.0505 F: 866.304.6704 PCI Policy Compliance Information Shield Page 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback