PCI Requirement 11.6 – Ensure Security Policies and Procedures for Security Monitoring and Testing are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / June 5th, 2018

Implement Policies and Procedures

PCI Requirement 11 states, “Regularly test security systems and processes.” Complying with PCI Requirement 11 is critical to ensuring that you’ve adequately secured your systems. For this requirement, we’ve discussed how to test your systems and processes, which includes vulnerability scanning, penetration testing, change-detection, and more. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 11.6.

PCI Requirement 11.6 states, “Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.” It is not sufficient that you generate documentation just for the sake of the audit. It is a requirement of this framework that the affected parties use the policies and procedures. Your assessor should be reading these documents, be familiarizing themselves with the policies and procedures, and be interviewing staff to make sure that anybody who is subject to the policies and operational procedures understands what they are. If PCI Requirement 11.6 is not met, your cardholder data could be left vulnerable.

PCI Requirement 11.6 is the capstone to PCI DSS Requirement 11. PCI Requirement 11.6 requires that you maintain appropriate documentation that it is in use and known to all affected parties. The assessor is going to be asking for this documentation, they’re going to be reviewing it, they’re going to be looking at your environment, and how you’ve managed and configured it as compared to what you have implemented in your documentation. The assessor will be verifying that what you are doing is what you said you are doing.