Acceptable Use Policies
Your usage policies, as stated in PCI Requirement 12.3.5, should detail acceptable uses of the technology at your organization. Acceptable use policies (AUPs) normally require users to agree not to use the services for illegal purposes, not to attempt to harm the security of the technology or system, and to report any suspicious activity. The PCI DSS explains that by defining acceptable uses of the technology, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not left open for attackers.
To test compliance with PCI Requirement 12.3.5, an assessor will need to examine your usage policies to ensure that they define acceptable uses for the technology at your organization.
One time, I performed an assessment at an organization where I met the receptionist at the front desk. She was there doing her daily job, and we got to talking about badge access and restricting access to the badging system. The statement that was made to me was, "It's kept up at the receptionist desk."
I went up to ask the receptionist about the badging system, and she was using a PC. Well, that isn't so much of a problem, except if she sits there all day busy playing Facebook games. Really, what PCI Requirement 12.3.5 requires is that you have acceptable use policies in place that define what is and is not appropriate use of the technologies you've implemented within your environment, and how those technologies are to be used.