Ensure that Policies and Procedures are Documented, In Use, and Known to All Affected Parties
PCI DSS Requirement 2.5 addresses one of the most important aspects of the assessment. It directs, “Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.” If vendor defaults and other security measures are not continuously managed, it’s harder to prevent insecure configurations; this is why security policies and procedures must be documented, in use, and known to all affected parties. We find that many organizations struggle with documentation, but policies and procedures are vital to your business. You need to have the processes in place to define how to complete tasks securely to ensure the ongoing operation and security of your organization. Small organizations, huge businesses – it doesn’t matter, you must ensure that policies and procedures are documented, in use, and known to all affected parties.
Do you know the difference between a policy, a procedure, and a standard? A policy is an executive level document that defines that something must be done. Standards are the tools, means, and methods that you will use to meet policy requirements. A policy defines that something must be done, but a procedure defines how you do it. A procedure should provide very clear, step-by-step instructions on how something must be done or is to be done. Procedures are instructions on how to run your business.
Policies, procedures, and standards should be written at a level so that someone with knowledge of the topic could be able to carry that task on. These documents aren’t intended to educate or teach someone from the ground level; someone who has knowledge of the topic should be able to read the policy or procedure and perform the task that’s detailed.
Organizations who do not implement policies and procedures do not comply with PCI Requirement 2.5. If the only time you interact with policies and procedures is during an assessment, you must begin educating your users; ensure that security policies are documented, in use, and known to all affected parties. During the assessment, your assessor will examine your policies and procedures, then examine your staff to verify that the documentation you present is actually in use.
PCI Requirement 2.5
PCI DSS Requirement 2.5 is very similar to the majority of the other requirements. You have to maintain your policies and procedures. Understand that in years past, organizations would develop policies, give them to the assessors, the assessors would sign off “Yes, they have policies,” but that was the only time that organizations would interact with them. PCI DSS Requirement 2.5 requires that you educate your users on your policies. One of the things that they added that I really appreciate is that these policies need to actually be in use.
So, this capstone that we have here is going to require that your assessor, being knowledgeable of what your policies say, interviews your staff, looks at your processes, and looks at your procedures to make sure that the documentation you have put forth is not just, what I would call, a paper tiger. Policies need to demonstrate how you go about doing your business.
Requirement 2.5 requires that you have policies and procedures that are documented, in use, and known to all affected parties.