Acknowledgement of Security Policy and Procedures

As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures. There should be some type of evidence to show that your personnel have read and understood security policies and procedures; this could be in writing or electronic. The PCI DSS guidance explains, “Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the security policies/procedures, and that they have made and will continue to make a commitment to comply with these policies.”

To verify compliance with PCI Requirement 12.6.2, an assessor will examine your documentation or evidence of acknowledgement from personnel.

PCI Requirement 12.6.2 requires that, after your staff complete their annual security awareness training or their new-hire orientation, they acknowledge that they have read and actually understood the policies. One of the things we do from an assessment perspective is ask for evidence of that acknowledgement. Signing off that they have read and understood the policies can be done either electronically or in writing; it makes no difference. What we are looking for is that staff truly understand what the policies are.

As part of your policy documentation program, one thing I recommend is writing the policies in such a way that the average user can truly understand them. If you lawyer up your policies and fill them with HR boilerplate, you dilute their purpose. They are meant as an educational document that defines how you want your business run, and your staff need to be aware of what that looks like.

Education for Personnel

As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually. The PCI DSS recognizes that if your security awareness program does not include periodic refresher training, key security policies and procedures may be forgotten or circumvented, which could leave critical resources and cardholder data exposed or at risk.

This education could be different for every employee or department, depending on their role and level of access to cardholder data. To verify compliance with PCI Requirement 12.6.1, an assessor will review your security awareness program and will also likely interview a sample of your personnel to see if they understand their responsibilities and cardholder data security policy and procedures.

PCI Requirement 12.6.1 requires that you educate personnel upon hire and at least annually. The annual clause is there because you are going to be amending, updating, or reviewing your policies at least annually (PCI Requirement 12.1.1 requires an annual policy review), so to make sure that your staff understand the current policies, they need to go through an annual security awareness training program that covers them. Your assessor is going to be looking for evidence of that.

Developing a Security Awareness Program

PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without this, how would the rest of your program even work properly? If personnel are not educated about and aware of their security responsibilities, the safeguards and processes you have worked hard to develop and implement may become ineffective through intentional or unintentional actions.

An assessor wants to see that your personnel can operate in your environment securely. To verify compliance with PCI Requirement 12.6, they will want to review your security awareness program and what type of training you provide. An assessor will also likely interview a sample of your personnel to see if they understand their responsibilities and cardholder data security policy and procedures.

PCI Requirement 12.6 requires that you implement a security awareness training program, and there are many things we look for in it. We look for training that teaches your staff how to carry out their work within your environment securely; we are not necessarily looking for training on the PCI DSS itself. What we are really looking for is whether they can operate in your environment securely. Your assessors are going to ask for a copy of the training material, or at least to observe the training, to see what you are actually training for.

Someone to Monitor and Control All Access to Data

PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs.

Throughout the PCI DSS, key management, data custodians, and granting access based on a business need to know come up repeatedly; these topics all factor into PCI Requirement 12.5.5. The person in this role might not be the data owner, but it is someone who ensures that the access granted is appropriate, that technical safeguards are in place, and that suspicious activity is monitored and analyzed when it arises. Without someone assigned to this role, gaps in processes will open access into critical resources or cardholder data.

When we get to PCI Requirement 12.5.5, we need to have somebody formally responsible for monitoring access to cardholder data. What this comes down to is the concept of the data security owner and the data security custodian. Somebody needs to be responsible for managing who has access to the data and making sure that access is appropriate.

Someone to Administer User Accounts

In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials. This ties right in with PCI Requirement 12.5.4, which states that someone must be assigned to administer user accounts, including additions, deletions, and modifications. Think about all of the additions, deletions, and modifications that have occurred within your organization in the last year: new hires, terminations, resignations, promotions, or changes in role. You must ensure that the privileges an individual has been assigned are the privileges they actually need, and that those privileges do not exceed what their job requires.

For this role, it is important that organizations develop transition and/or succession plans to avoid gaps in this security assignment, which could result in user IDs and credentials being left out of date.

PCI Requirement 12.5.4 establishes that somebody needs to be assigned responsibility for the move, add, and change functions of all user accounts within the environment. Somebody needs to be actively removing individuals who have been terminated. Somebody needs to be removing or disabling accounts that have not been used in the last 90 days. The assessor is going to be looking for who is responsible for this. For all of these requirements, the assignment can be given to an individual, a title, or a group of people, as long as these responsibilities have been assigned and are actively managed.
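As an added example, not part of the original article, here is the kind of periodic account review the person assigned under PCI Requirement 12.5.4 would run and hand to the assessor as evidence. The account records, names and dates are constructed for illustration. The 90-day threshold is the one in PCI DSS v3.2.1 Requirement 8.1.4 (remove or disable inactive accounts within 90 days), and terminated personnel are reported separately because Requirement 8.1.3 requires their access to be revoked immediately, regardless of how recently the account was used.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# PCI DSS v3.2.1 Requirement 8.1.4: remove/disable inactive accounts within 90 days.
INACTIVITY_LIMIT_DAYS = 90


@dataclass(frozen=True)
class Account:
    """One row of a user listing; a constructed record layout, not a real directory export."""
    user_id: str
    created: date
    last_login: Optional[date]  # None means the account has never been used
    terminated: bool = False    # HR has recorded this person as having left


def days_inactive(account: Account, review_date: date) -> int:
    """Days since the last login, or since creation for an account that has never been used."""
    anchor = account.last_login or account.created
    return (review_date - anchor).days


def review_accounts(accounts, review_date, limit_days=INACTIVITY_LIMIT_DAYS):
    """Triage a user listing into the actions the assigned account administrator must take.

    Returns a dict of sorted user IDs:
      'remove'     - terminated personnel whose account still exists (8.1.3: revoke immediately)
      'disable'    - accounts with no login for limit_days or more (8.1.4)
      'never_used' - accounts older than limit_days that have never logged in (also 8.1.4)
    A terminated user is always reported under 'remove', even if the account was used
    yesterday; a recent login on a terminated account is the more alarming finding.
    """
    findings = {"remove": [], "disable": [], "never_used": []}
    for acct in accounts:
        if acct.terminated:
            findings["remove"].append(acct.user_id)
        elif days_inactive(acct, review_date) >= limit_days:
            bucket = "never_used" if acct.last_login is None else "disable"
            findings[bucket].append(acct.user_id)
    return {action: sorted(users) for action, users in findings.items()}


# Constructed sample data for the review; not a real account listing.
REVIEW_DATE = date(2019, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2018, 1, 10), date(2019, 9, 28)),          # active, no action
    Account("bob", date(2018, 3, 5), date(2019, 5, 15)),             # 138 days idle
    Account("carol", date(2019, 8, 20), None),                       # new, 41 days old, watch
    Account("dave", date(2018, 11, 1), None),                        # never used, 333 days old
    Account("erin", date(2017, 2, 14), date(2019, 9, 29), True),     # terminated but still logging in
    Account("frank", date(2016, 5, 3), date(2019, 7, 2)),            # exactly 90 days idle
]

if __name__ == "__main__":
    for action, users in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{action}: {', '.join(users) or '(none)'}")
```

The output of a run like this, dated and kept with the ticket or change record showing the accounts were actually disabled or removed, is exactly the kind of evidence an assessor asks for when verifying that the 12.5.4 role is being performed rather than merely assigned.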