A strong security policy sets the tone for security across the entire organization and informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and of their responsibilities for protecting it.
Requirement 12: Maintain a policy that addresses information security for all personnel

12.1 Establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements, includes an annual process for identifying vulnerabilities and formally assessing risks, and includes a review at least once a year and whenever the environment changes.

12.2 Develop daily operational security procedures that are consistent with the requirements in PCI DSS.

12.3 Develop usage policies for critical technologies to define their proper use by all personnel. These technologies include remote access, wireless, removable electronic media, laptops, tablets, handheld devices, email, and Internet usage.

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.5 Assign to an individual or team the information security responsibilities defined in the 12.5 subsections.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Example screening includes previous employment history, criminal record, credit history, and reference checks.
12.8 If cardholder data is shared with service providers, maintain policies and procedures to formally identify service provider responsibilities for securing cardholder data, and monitor service providers' PCI DSS compliance status at least annually.

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.