PCI Requirement 12.5.3 – Establish, Document, and Distribute Security Incident Response and Escalation Procedures to Ensure Timely and Effective Handling of All Situations

Someone to Respond to Incidents

Incident response plans are crucial to PCI compliance. PCI Requirement 12.5.3 requires that you have an individual assigned to establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. Without this role, incident response programs could be completely ineffective and security incidents could lead to great damage.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.

Video Transcript

PCI Requirement 12.5.3 establishes the need to assign the roles and responsibilities around distributing your security incident response procedures and all of that relative training. Your assessor is going to be looking for who that role has been assigned to.

PCI Requirement 12.5.2 – Monitor and Analyze Security Alerts and Information, and Distribute to Appropriate Personnel

Someone to Monitor and Analyze Security Alerts

In PCI Requirement 10, we discussed a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s almost impossible to find the source of a data breach or compromise. PCI Requirement 12.5.2 takes this a step further: it’s not sufficient just to have logging and alert systems in place. PCI Requirement 12.5.2 asks you to establish a role to monitor and analyze security alerts and information, and to distribute them to appropriate personnel.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.

Video Transcript

Back in PCI Requirement 10, we talked about having all the logging and log review programs established. PCI Requirement 12.5.2 establishes the need to define the roles and responsibilities and assign someone to manage and monitor the log review and all those other things. Once again, it’s not sufficient to just have a logging program; somebody needs to actually manage that and be actively part of that program.

PCI Requirement 12.5.1 – Establish, Document, and Distribute Security Policies and Procedures

Someone to Establish, Document, and Distribute Security Policies and Procedures

Building a PCI compliance program takes teamwork, and according to PCI Requirement 12.5.1, someone must establish, document, and distribute security policies and procedures. This role is crucial because formal documentation, implementation, and maintenance of those policies are required. By assigning someone this responsibility, you ensure that security policies will be held up to PCI standards.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.

Video Transcript

We need to have somebody that’s formally responsible for developing policies, distributing them, and managing them. It’s not just good enough to develop the policies; we actually need somebody to manage them. From an assessment perspective, we’re looking to define who that physically is.

PCI Requirement 12.5 – Assign to an Individual or Team the Following Information Security Management Responsibilities

Assigning Information Security Management Responsibilities

Building a PCI compliance program takes teamwork. PCI Requirement 12.5 recognizes this and requires that you assign an individual or team to the following information security management responsibilities:

  • Establish, document, and distribute security policies and procedures
  • Monitor and analyze security alerts and information, and distribute to appropriate personnel
  • Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
  • Administer user accounts, including additions, deletions, and modifications
  • Monitor and control all access to data

Anyone with information security management responsibilities should be aware of their tasks through a specific policy. Without this accountability, gaps in processes may present risks to critical resources or cardholder data.

To verify compliance with PCI Requirement 12.5, an assessor will look for a formal Chief Security Officer (or other roles like this) and check for other formally assigned information security roles.

Video Transcript

It’s not just enough, from an organizational perspective, that you establish all of these programs. You also need to define who is going to be responsible for managing these things. PCI Requirement 12.5 looks to call out very specific things around assigning the roles and responsibilities. From an assessment perspective, we’re not only looking that you have this documented, but we’re looking to see that these activities are actually fully managed.

PCI Requirement 12.4.1 – Additional Requirement for Service Providers Only: Executive Management Shall Establish Responsibility for the Protection of Cardholder Data and a PCI DSS Compliance Program

Tone from the Top

PCI Requirement 12.4.1 is a sub-requirement of PCI Requirement 12 and applies to service providers only. It requires that executive management establish responsibility for the protection of cardholder data and for a PCI DSS compliance program, which includes overall accountability for maintaining PCI compliance, defining a charter for the PCI DSS compliance program, and communicating with executive management.

PCI Requirement 12.4.1 is vital for a “tone from the top” attitude. The PCI DSS guidance says, “Executive management assignment of PCI DSS compliance responsibilities ensures executive-level visibility into the PCI DSS compliance program and allows for the opportunity to ask appropriate questions to determine the effectiveness of the program and influence strategic priorities.” Executive management could include your board of directors, C-level positions, investors, or other stakeholders.

To verify compliance with PCI Requirement 12.4.1, an assessor will examine documentation to see that executive management has some accountability assignment and review the PCI charter.

Video Transcript

PCI Requirement 12.4.1 requires that service providers define and appoint somebody within your organization with the overall responsibility for managing the security of the PCI DSS. What we’re looking for is that you have a formal charter that defines what that looks like. We’re looking for the actual individual, to interview them and to talk to them about the charter and how they go about managing those responsibilities for PCI DSS.