PCI DSS Requirement 1.5: Ensure Security Policies are Known to all Affected Parties
Examining PCI Requirement 1.5
At the end of each of the PCI DSS v3.2 Requirements, we have what we like to call a “capstone.” At the end of Requirement 1, there is PCI Requirement 1.5. It states, “Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.” PCI Requirement 1.5 is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures needs to be known and in use by all relevant parties. It is a requirement of this framework that the affected parties use the policies and procedures as a way of managing your organization’s assets. It is not sufficient that you generate documentation just for the sake of the audit.
PCI DSS Requirement 1.5
At the end of each of the PCI DSS Requirements, we have what I call a “capstone.” Requirement 1, dealing with firewalls and routers and networking is not an exception to this. Each one of these capstones talks about the need to maintain policies and procedures and that these policies and procedures be documented and, effectively, known to all affected parties.
So it’s not just sufficient that you have this documentation in place. It’s not sufficient that you generate documentation just for the sake of the audit. It’s required that you as an organization implement the documentation, you implement the policies, and people are using this documentation as means and methods for managing their assets.