PCI Requirement 12.11 – Additional Requirement for Service Providers Only: Perform Reviews at Least Quarterly to Confirm Personnel Are Following Security Policies and Operational Procedures

by Randy Bartels / July 3rd, 2018

Reviewing Your Personnel

If you are a service provider, your organization must comply with PCI Requirement 12.11. It requires that you perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. These reviews must cover the following processes:

  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes

The PCI DSS explains, “Regularly confirming that security policies and procedures are being followed provides assurance that the expected controls are active and working as intended. The objective of these reviews is not to re-perform other PCI DSS requirements, but to confirm whether procedures are being followed as expected.”

If you’re a service provider, once again the PCI DSS calls out another specific requirement for you. PCI Requirement 12.11 says that if you are a service provider, you have to have a program in place, performed at least quarterly, that makes sure your security program is still functioning: for example, your log review program, your firewall rule-set reviews, and your scanning, all of the things that go into the daily care and feeding of your information security program. What we’re going to be looking for, if you’re a service provider, is that you actually have a program in place for monitoring and then taking corrective action in the event that you find out that, for some reason, your program has failed and is no longer working.