Elements of Your Incident Response Plan
To develop a thorough incident response plan, PCI Requirement 12.10.1 lists out the elements that should be included in your plan. At a minimum, your plan should include:
- Roles, responsibilities, communication, and contact strategies in the event of a compromise including notification of the payment brands
- Specific incident response procedures
- Business recovery and continuity procedures
- Data back-up processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
To verify compliance with PCI Requirement 12.10.1, an assessor will examine your incident response plan and interview personnel to confirm that the plan contains each of the elements above.
PCI Requirement 12.10.1 really calls out the program attributes (or the majority of them). We won't go over all of them here, but if you have a specific interest in them, I would recommend reading PCI Requirement 12.10.1 in the standard itself, or better yet, give me or your assessor a call; we'll be happy to work with you on this.
You need to develop a communication plan for use in the event of a breach. That plan has to cover the payment brands: what to do and how to alert them when a breach occurs. You also have to have a notification program. Many of the states and many of the jurisdictions where you do business have breach notification laws, and if you are breached and a resident of one of those jurisdictions is impacted, you are required to notify that person. Your plan has to take those legal requirements into account, which is why the analysis of legal reporting requirements is on the list above.

You are also required to document specific incident response procedures: what do we do in the event of X? We're not going to spend a whole lot of time in this video series talking about what makes a good incident response program, but we do have a webinar where we've covered that, so please look through our webinar series for that information.