PCI Requirement 12.10.6 – Develop a Process to Modify and Evolve the Incident Response Plan According to Lessons Learned and to Incorporate Industry Developments

by Randy Bartels / April 5, 2023

Modifying Your Incident Response Plan Your incident response plan should be easy to modify so it can be as thorough and up-to-date as possible. PCI Requirement 12.10.6 says, “Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.” This is sort of a management exercise to analyze what could’ve been done better during incident response and to keep…

PCI Requirement 12.10.5 – Include Alerts from Security Monitoring Systems, Including but Not Limited to Intrusion-Detection, Intrusion-Prevention, Firewalls, and File-Integrity Monitoring Systems

by Randy Bartels / April 5, 2023

 Monitoring Mechanisms in Incident Response Plans PCI Requirement 12.10.5 states that your incident response plan should, “Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.” We’ve talked about these monitoring mechanisms in PCI Requirement 10 and PCI Requirement 11, but what do they have to do with incident response? The PCI DSS explains, “These monitoring systems are designed to focus…

PCI Requirement 12.10.4 – Provide Appropriate Training to Staff with Security Breach Responsibilities

by Randy Bartels / April 5, 2023

Training Your Incident Response Team PCI Requirement 12.10.4 requires that your organization provide appropriate training to staff with security breach response responsibilities. One type of training that we recommend is table-top incident response exercises. Experts suggest that participating in table-top exercises that simulate a real-world scenario is the best way to prepare for an incident and test your incident response plan. When facilitating these exercises at your organization, be sure that the…

PCI Requirement 12.10.3 – Designate Specific Personnel to Be Available on a 24/7 Basis

by Randy Bartels / April 5, 2023

 24/7 Incident Response Team Even if you’re a small organization, PCI Requirement 12.10.3 requires that you designate specific personnel to be available on a 24/7 basis to respond to alerts. The PCI DSS explains, “Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become ‘polluted’ by inappropriate handling of the targeted systems. This can hinder the…

PCI Requirement 12.10.2 – Review and Test the Plan at Least Annually

by Randy Bartels / April 5, 2023

Testing Your Incident Response Plan You must test your incident response plan. What’s the point of the plan if you aren’t sure that it works? Without appropriate testing, major steps or gaps could be missed, which could result in increased exposure during a real incident. PCI Requirement 12.10.2 states, “Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually.” To verify compliance with PCI…