PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy
Establishing an Information Security Policy
PCI Requirement 12.1 states, “Establish, publish, maintain, and disseminate a security policy.” Pretty straightforward, right? Guidance on information security policies is the focus of PCI Requirement 12. An organization’s information security policy creates the foundation for implementing security measures to protect valuable assets.
To comply with PCI Requirement 12.1, organizations must meet all four steps: establish, publish, maintain, and disseminate. When you’ve determined what’s appropriate for your organization, you can establish an information security policy, then publish it in a formal way. This documentation needs to be maintained to reflect relevant changes, as well as implemented throughout the organization. Dissemination is a key aspect of PCI Requirement 12.1. All personnel should be aware of the sensitivity of data, their responsibilities for protecting it, and the purpose of the information security policy that’s been established.
PCI Requirement 12.1 has one sub-requirement that dives further into dissemination. PCI Requirement 12.1.1 states, “Review the security policy at least annually and update the policy when the environment changes.” Because security threats evolve so quickly, information security policies need to be updated to put new protections in place.
PCI Requirement 12.1 and PCI Requirement 12.1.1 require that you have an information security policy program. Specific to this requirement is that you as an organization maintain your policies. These policies should be disseminated to all relevant individuals and then should be updated at least annually and/or when business objectives change. From an assessment perspective, what we’re looking for is that your organization has taken into account things that might alter your business. We’re taking into account your business partners that might be subject to your policies. We’re making sure that all individuals have access to the policies themselves. If they’re published in a binder and kept in a locked room, I don’t know how you could meet PCI Requirement 12. We’ve seen that happen before. Make sure that anybody that would be subject to these policies has access to them and understand that these policies are an executive-level document that defines how you want your business run or how the executive staff wants their business to be run.