PCI Requirement 11.1.2 – Implement Incident Response Procedures in the Event Unauthorized Wireless Access Points are Detected

by Randy Bartels / June 5th, 2018

Incident Response Procedures

What would your organization do if an unauthorized wireless device was detected in your environment? PCI Requirement 11.1.2 requires that you implement incident response procedures so that in the event of some type of rogue wireless device, your employees know exactly how to respond. The size and complexity of your environment will determine what your incident response procedures should be. To verify compliance with PCI Requirement 11.1.2, an assessor will ensure that incident response procedures include instructions on unauthorized wireless device situations.

We believe that there are six basic steps in effective incident response procedures:

  1. Preparation – How are you currently preparing for a security incident? How are you limiting the impact of an incident? Have you tested our policies and procedures?
  2. Detection and Identification – How do you detect malicious activity? Do you have an Incident Response Team?
  3. Containment – Has the appropriate personnel been notified? What evidence should be collected? How can you prevent further damage?
  4. Remediation – Do you have backups in place? What changes can you make to prevent a repeated incident?
  5. Recovery – Have you securely restored the system? Do you have continuous monitoring to ensure problem is resolved?
  6. Lessons Learned – What happened? What gaps can we now identify? Have we regained our customers’ confidence?

To learn more about effective incident response procedures for PCI Requirement 11.1.2 compliances, visit these resources:

Incident Response Planning: 6 Steps to Prepare your Organization

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

Conducting Incident Response Plan Table Top Exercises

If your organization should identify that there is a rogue wireless device or a device that was not authorized to have been installed within your environment, you need to maintain those activities within your incident response program. As part of the test, your assessor is going to be asking about your incident response program. They are going to be looking to make sure that wireless has been called out and what to do as a procedure in the event that wireless has been identified.