PCI DSS: Writing an information security policy


Mike Chapple
10.05.2009


As you've read throughout this series, the Payment Card Industry Data Security Standard (PCI DSS) requires a large number of technical, administrative and personnel security controls all designed to enhance the security of sensitive cardholder information. The sixth and final section of the standard contains requirements for an information security policy that tie together the remainder of your compliance efforts. When you read this section of the standard, you'll likely observe that there's more to it than simply writing a policy. The sub-requirements fill five pages of text and cover everything from policies and procedures to personnel screening and security awareness. Let's take a look at the highlights.

More PCI DSS resources
PCI DSS requirement: Monitoring and testing security: The fifth focus area of PCI DSS requires regular monitoring of systems and activity, as well as regular testing of controls.
PCI DSS requirement: Implement strong access control procedures: The fourth focus area of PCI DSS governs how organizations enable and restrict access to cardholder data and limit physical access to cardholder data.
PCI DSS requirement: Maintaining a vulnerability management program: The third PCI DSS focus area requires antivirus software, secure coding practices, patch management and change control processes be in place.
PCI DSS checklist: Mistakes and problem areas to avoid: Experts share lessons learned by midmarket companies trying to comply with PCI in areas such as self assessment questionnaires, encryption, policy creation and application security.

INFORMATION SECURITY POLICY
The cornerstone of this requirement is indeed that you create, maintain and disseminate an information security policy that, at the very least, addresses all of the PCI DSS requirements, includes an annual risk assessment and requires that the policy itself be reviewed at least once a year. When creating this policy, I strongly recommend that you not tackle this as an exercise in PCI DSS compliance alone, but rather as an opportunity to create or rework an information security policy for your entire organization that pays particular attention to the PCI DSS requirements.

In addition to the policy itself, you'll need to create procedures to address some particular areas of concern to PCI DSS:

  • Operational procedures for security management
  • Policies for the use of critical employee-facing technologies (including remote access, portable media/devices, and wireless technologies)
  • Incident response plan

As with many of the other PCI DSS requirements, there's nothing in here that should surprise any experienced security professional. The policy requirements stated in the standard are all security best practices.

MANAGEMENT RESPONSIBILITIES
This section of the standard also requires that you explicitly define responsibility for information security functions. The policy should state the requirements that apply to all employees and contractors and also designate a chief information security officer (CISO) or other manager with responsibilities for:

  • Security policies and procedures
  • Monitoring, analysis, and distribution of security alerts
  • Security incident response and escalation procedures
  • Administration of user account changes
  • Monitoring and controlling access to data

If there isn't a single individual in your organization who can logically cover all of these responsibilities, that's fine. The key here is that you must explicitly define who is responsible for each function, either by name or by title.

SECURITY AWARENESS
PCI DSS also requires that you have a formally defined security awareness program that educates employees on their security responsibilities. The program must include components that educate employees when they are hired and provide refresher training on at least an annual basis. Employees must also acknowledge (electronically or in writing), at least annually, that they have read and understand the security policy.

EMPLOYEE SCREENING
Prior to making an employment offer, you must conduct a background check on any individual who will have access to more than one card number at a time. Examples of the types of checks you may wish to perform include employment history, criminal checks, credit reports and reference verification.

SERVICE PROVIDERS
If your organization shares cardholder information with any service providers, you must also ensure that you fulfill the following requirements:

  • Maintain a list of such service providers
  • Sign written agreements with each service provider in which they acknowledge they are responsible for the cardholder data in their possession
  • Perform proper due diligence before entering into an agreement with any service provider
  • Monitor the compliance status of service providers

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
