Someone to Establish, Document, and Distribute Security Policies and Procedures
Building a PCI compliance program takes teamwork, and according to PCI Requirement 12.5.1, someone must establish, document, and distribute security policies and procedures. This role is crucial because formal documentation, implementation, and maintenance is required. By assigning someone this responsibility, you ensure that security policies will be held up to PCI standards.
For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in responsibilities not being assigned and therefore not performed.
We need to have somebody that’s formally responsible for developing policies, distributing them, and managing them. It’s not just good enough to develop the policies, we actually need somebody to manage them. From an assessment perspective, we’re looking to define who that physically is.