Assigning Information Security Management Responsibilities
Building a PCI compliance program takes teamwork. PCI Requirement 12.5 recognizes this and requires that you assign an individual or team to the following information security management responsibilities:
- Establish, document, and distribute security policies and procedures
- Monitor and analyze security alerts and information, and distribute to appropriate personnel
- Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
- Administer user accounts, including additions, deletions, and modifications
- Monitor and control all access to data
Anyone with information security management responsibilities should be made aware of their tasks through a specific, documented policy. Without this accountability, gaps in processes may expose critical resources or cardholder data to risk.
To verify compliance with PCI Requirement 12.5, an assessor will look for a formally designated Chief Security Officer (or a similar role) and check that other information security roles have also been formally assigned.
It is not enough, from an organizational perspective, to establish all of these programs. You also need to define who is responsible for managing them. PCI Requirement 12.5 calls out very specific expectations around assigning these roles and responsibilities. From an assessment perspective, we are not only looking for documentation of these assignments, but also for evidence that these activities are actually being fully managed.