Someone to Administer User Accounts

In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials. This ties right in with PCI Requirement 12.5.4, which states there must be someone assigned to administer user accounts, including additions, deletions, and modifications. Think about all of the additions, deletions, and modifications that have occurred within your organization in the last year: new hires, terminations, resignations, promotions, or changes in role. You must ensure that the privileges an individual has been assigned are the privileges they actually need, and that those privileges do not exceed what is required by their job.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in user IDs and credentials being left out-of-date.

PCI Requirement 12.5.4 establishes that somebody needs to be assigned the responsibility for the move, add, and change functions of all of the user accounts within the environment. Somebody needs to be actively removing individuals who have been terminated. Somebody needs to be removing or disabling accounts that haven’t been used in the last 90 days. The assessor is going to be looking for who is responsible for this. For all of these requirements, the assignment can be given to an individual, a title, or a group of people, as long as these particular roles have been communicated and are actively being managed.
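The two checks called out above (terminated users whose accounts are still enabled, and accounts with no login in the last 90 days) are the kind of thing the assigned account administrator should be able to run on a schedule and hand to an assessor. The following is an added example, not code from the original article or from the PCI SSC; it assumes an export of accounts that carries an enabled/disabled status, an HR employment flag, and a last-login date, and the sample accounts and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# PCI DSS inactivity threshold referenced in the text: accounts not used
# in the last 90 days are to be removed or disabled.
INACTIVITY_LIMIT_DAYS = 90

REASON_TERMINATED = "terminated user still enabled"
REASON_STALE = "no login in the last 90 days"


@dataclass
class Account:
    """One row of an assumed account export joined with HR data."""
    user_id: str
    enabled: bool              # account can still authenticate
    employed: bool             # False once HR records a termination
    last_login: Optional[date] # None if the account has never been used


def find_accounts_to_remove(accounts: List[Account],
                            today: date) -> List[Tuple[str, str]]:
    """Return (user_id, reason) pairs for enabled accounts that the
    account administrator must disable or remove under 12.5.4."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if not acct.employed:
            # Termination takes priority over the inactivity check.
            findings.append((acct.user_id, REASON_TERMINATED))
            continue
        # An account that has never logged in is treated as unused.
        never_used = acct.last_login is None
        if never_used or (today - acct.last_login).days > INACTIVITY_LIMIT_DAYS:
            findings.append((acct.user_id, REASON_STALE))
    return findings


def sample_accounts() -> List[Account]:
    """Constructed sample data, not from any real system."""
    return [
        Account("alice", True, True, date(2024, 6, 28)),   # recent login, fine
        Account("bob", True, False, date(2024, 3, 1)),     # terminated, still enabled
        Account("carol", True, True, date(2024, 3, 1)),    # 121 days idle
        Account("dave", True, True, date(2024, 4, 15)),    # 76 days idle, fine
        Account("erin", False, False, date(2024, 1, 10)),  # already disabled
        Account("frank", True, True, None),                # never logged in
    ]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the review against the constructed data as of a fixed date."""
    return find_accounts_to_remove(sample_accounts(), today=date(2024, 6, 30))


if __name__ == "__main__":
    for user_id, reason in audit_sample():
        print(f"{user_id}: {reason}")
```

The review uses a fixed `today` rather than `date.today()` so the output is reproducible for evidence purposes; in production the administrator would pass the actual run date and keep the resulting list as the record that the 12.5.4 review was performed.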

Someone to Respond to Incidents

Incident response plans are crucial to PCI compliance. PCI Requirement 12.5.3 requires that you have an individual assigned to establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. Without this role, incident response programs could be completely ineffective and security incidents could lead to great damage.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.

PCI Requirement 12.5.3 establishes the need to assign the roles and responsibilities around distributing your security incident response procedures and all of that relative training. Your assessor is going to be looking for who that role has been assigned to.

Someone to Monitor and Analyze Security Alerts

In PCI Requirement 10, we discussed a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s almost impossible to find the source of a data breach or compromise. In PCI Requirement 12.5.2, we take this a step further; it’s not sufficient just to have logging and alert systems in place. PCI Requirement 12.5.2 asks you to establish a role to monitor and analyze security alerts and information, and to distribute them to appropriate personnel.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.

Back in PCI Requirement 10, we talked about having all of the logging and log review programs established. PCI Requirement 12.5.2 establishes the need to define the roles and responsibilities and to assign someone to manage and monitor the log review and the related activities. Once again, it’s not sufficient to just have a logging program; somebody needs to actually manage it and be an active part of that program.

Someone to Establish, Document, and Distribute Security Policies and Procedures

Building a PCI compliance program takes teamwork, and according to PCI Requirement 12.5.1, someone must establish, document, and distribute security policies and procedures. This role is crucial because formal documentation, implementation, and maintenance are required. By assigning someone this responsibility, you ensure that security policies will be held to PCI standards.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.

We need to have somebody who is formally responsible for developing policies, distributing them, and managing them. It’s not good enough just to develop the policies; we actually need somebody to manage them. From an assessment perspective, we’re looking to define who that person actually is.

Assigning Information Security Management Responsibilities

Building a PCI compliance program takes teamwork. PCI Requirement 12.5 recognizes this and requires that you assign an individual or team to the following information security management responsibilities:

  • Establish, document, and distribute security policies and procedures
  • Monitor and analyze security alerts and information, and distribute to appropriate personnel
  • Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
  • Administer user accounts, including additions, deletions, and modifications
  • Monitor and control all access to data

Anyone with information security management responsibilities should be aware of their tasks through a specific policy. Without this accountability, gaps in processes may present risks to critical resources or cardholder data.

To verify compliance with PCI Requirement 12.5, an assessor will look for a formal Chief Security Officer (or a similar role) and check for other formally assigned information security roles.

It’s not enough, from an organizational perspective, that you establish all of these programs. You also need to define who is going to be responsible for managing them. PCI Requirement 12.5 calls out very specific things around assigning the roles and responsibilities. From an assessment perspective, we’re not only looking to see that you have this documented, but also that these activities are actually fully managed.