Who Approves Usage Policies?

Your usage policies, as stated in PCI Requirement 12.3.1, should require explicit approval by authorized parties. The PCI DSS explains that if your usage policies do not require formal approval for implementation of critical technologies, your personnel may innocently implement a solution to a perceived business need and, in doing so, open a gap that puts critical systems and cardholder data at risk.

To test compliance with PCI Requirement 12.3.1, an assessor will need to examine your usage policies to ensure that there is a process for obtaining explicit approval by authorized parties to use certain technologies.

Your usage policy needs to include explicit approval by management for your critical technologies. This is really intended to prevent the casual user, the administrator, or any individual, whether acting with malicious intent or not, from bringing something into your environment, plugging it in, and causing some type of negative impact to your security environment.

Developing Usage Policies

In order to prohibit inappropriate use of devices or technology, PCI Requirement 12.3 requires, “Develop usage policies for critical technologies and define proper use of these technologies.” Critical technologies may be things like laptops, tablets, removable electronic media, or the Internet. If usage policies are not implemented, your personnel could use the critical technologies in a way that violates company policy, allowing malicious individuals to gain access to critical systems and cardholder data.

According to the PCI DSS, to comply with PCI Requirement 12.3, usage policies should include the following:

  • Explicit approval by authorized parties
  • Authentication for use of the technology
  • A list of all such devices and personnel with access
  • A method to accurately and readily determine owner, contact information, and purpose
  • Acceptable uses of the technology
  • Acceptable network locations for the technologies
  • List of company-approved products
  • Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
  • Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
  • For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need
  • Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements

PCI Requirement 12.3 defines the need for your organization to develop usage policies around critical technologies. There are numerous controls here that get called out, so spend some time looking at the next set of videos to learn what those might be.

What is a Risk Assessment?

Most information security frameworks require a formally documented, annual risk assessment, and the PCI DSS is no different. PCI Requirement 12.2 focuses on risk assessments. We recommend that you implement a risk assessment process that is based on industry best practices, but PCI Requirement 12.2 states that you should implement a risk assessment process that includes the following characteristics:

  • Performed annually or after significant changes
  • Identifies critical assets, threats, and vulnerabilities
  • Results in a formal, documented analysis of risk

A risk assessment is a methodology used to identify, assess, and prioritize organizational risk. Without a risk assessment, organizations can be left unaware of where their critical assets live and what the risks to those assets are. Risk assessments evaluate the likelihood and impact of the identified threats actually occurring, and give you an opportunity to evaluate your current security controls to determine whether what you’re doing will be an effective defense mechanism against a malicious attack. We recommend that you implement a risk assessment process that includes:

  • Conducting a risk assessment survey
  • Identifying risks
  • Assessing risk importance and likelihood
  • Creating a risk management action plan
  • Implementing your risk management plan

Performing risk assessments annually allows your organization to establish a proactive security measure. This measure will keep you up-to-date with evolving threats.

PCI Requirement 12.2 talks about having a risk assessment program and about that program documenting all of the risk within your environment. This is one requirement that most organizations truly struggle with. What I would recommend is that, even if you think you are doing this well, take the opportunity to look at some of the NIST documentation. There are a lot of industry best practices out there around developing a risk management program. In fact, you are required to base yours on an industry best practice. Understand that the output of this particular activity is a laundry list of things that might negatively impact your environment. The result is that you risk-rank those things and apply resources where you need to in order to reduce those risk levels to an acceptable level. Your assessor should be asking you for the results of your risk program and for all of your policies, procedures, and documentation subject to your risk assessment program.

Establishing an Information Security Policy

PCI Requirement 12.1 states, “Establish, publish, maintain, and disseminate a security policy.” Pretty straightforward, right? Guidance on information security policies is the focus of PCI Requirement 12. An organization’s information security policy creates the foundation for implementing security measures to protect valuable assets.

To comply with PCI Requirement 12.1, organizations must meet all four steps: establish, publish, maintain, and disseminate. When you’ve determined what’s appropriate for your organization, you can establish an information security policy, then publish it in a formal way. This documentation needs to be maintained to reflect relevant changes, as well as implemented throughout the organization. Dissemination is a key aspect of PCI Requirement 12.1. All personnel should be aware of the sensitivity of data, their responsibilities for protecting it, and the purpose of the information security policy that’s been established.

PCI Requirement 12.1 has one sub-requirement that dives further into dissemination. PCI Requirement 12.1.1 states, “Review the security policy at least annually and update the policy when the environment changes.” Because security threats evolve so quickly, information security policies need to be updated to put new protections in place.

PCI Requirement 12.1 and PCI Requirement 12.1.1 require that you have an information security policy program. Specific to this requirement is that you as an organization maintain your policies. These policies should be disseminated to all relevant individuals and then should be updated at least annually and/or when business objectives change. From an assessment perspective, what we’re looking for is that your organization has taken into account things that might alter your business. We’re taking into account your business partners that might be subject to your policies. We’re making sure that all individuals have access to the policies themselves. If they’re published in a binder and kept in a locked room, I don’t know how you could meet PCI Requirement 12. We’ve seen that happen before. Make sure that anybody who would be subject to these policies has access to them, and understand that these policies are an executive-level document that defines how you want your business run, or how the executive staff wants their business to be run.

We’ve finally made it! Here we are at PCI Requirement 12, the last of the PCI requirements. PCI Requirement 12 states, “Maintain a policy that addresses information security for all personnel.” This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.

In order to create a strong information security policy, PCI Requirement 12 demands that many elements be included, such as:

  • Risk assessment process
  • Usage policies
  • Lists of devices and personnel with access to them
  • Defined authentication methods
  • Acceptable network locations
  • Remote-access rules
  • Executive management responsibilities
  • Security awareness program
  • Personnel training requirements
  • Vendor compliance management
  • Incident response program
  • Alerts from security monitoring systems
  • Documentation of review process

After implementing the other 11 PCI requirements, you’ve finally moved past the technology aspect of PCI. Now, we’re defining how your organization will manage your information security program.

PCI Requirement 12 is the last of the PCI DSS requirements. PCI Requirement 12 is really focused on executive management and the management of the policy and paperwork of the overall program. At this point in the assessment, and at this point in your program, the technology aspect of things is largely done. This requirement defines the overall management of your program.