pci_dss_v1-2 (Articles, standards, specifications), page 11
Text of page 11 of the PDF
All employees should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of this requirement, “employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the company’s site.

Table columns in the original: PCI DSS Requirements; Testing Procedures; In Place; Not in Place; Target Date/Comments. The three status columns are blank in the assessment template and are not reproduced below; each requirement is followed by its testing procedure.

Requirement 12.1: Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
Testing procedure 12.1: Examine the information security policy and verify that the policy is published and disseminated to all relevant system users (including vendors, contractors, and business partners).

Requirement 12.1.1: Addresses all PCI DSS requirements.
Testing procedure 12.1.1: Verify that the policy addresses all PCI DSS requirements.

Requirement 12.1.2: Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
Testing procedure 12.1.2: Verify that the information security policy includes an annual risk assessment process that identifies threats and vulnerabilities, and results in a formal risk assessment.

Requirement 12.1.3: Includes a review at least once a year and updates when the environment changes.
Testing procedure 12.1.3: Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Requirement 12.2: Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
Testing procedure 12.2.a: Examine the daily operational security procedures. Verify that they are consistent with this specification, and include administrative and technical procedures for each of the requirements.

PCI DSS Requirements and Security Assessment Procedures, v1.2. Copyright 2008 PCI Security Standards Council LLC. October 2008. Page 52.

Requirement 12.3: Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
Testing procedure 12.3: Obtain and examine the policy for critical employee-facing technologies and perform the following:

Requirement 12.3.1: Explicit management approval.
Testing procedure 12.3.1: Verify that the usage policies require explicit management approval to use the technologies.

Requirement 12.3.2: Authentication for use of the technology.
Testing procedure 12.3.2: Verify that the usage policies require that all technology use be authenticated with user ID and password or other authentication item (for example, token).

Requirement 12.3.3: A list of all such devices and personnel with access.
Testing procedure 12.3.3: Verify that the usage policies require a list of all devices and personnel authorized to use the devices.

Requirement 12.3.4: Labeling of devices with owner, contact information, and purpose.
Testing procedure 12.3.4: Verify that the usage policies require labeling of devices with owner, contact information, and purpose.

Requirement 12.3.5: Acceptable uses of the technology.
Testing procedure 12.3.5: Verify that the usage policies require acceptable uses for the technology.

Requirement 12.3.6: Acceptable network locations for the technologies.
Testing procedure 12.3.6: Verify that the usage policies require acceptable network locations for the technology.

Requirement 12.3.7: List of company-approved products.
Testing procedure 12.3.7: Verify that the usage policies require a list of company-approved products.

Requirement 12.3.8: Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Testing procedure 12.3.8: Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

Requirement 12.3.9: Activation of remote-access technologies for vendors only when needed by vendors, with immediate deactivation after use.
Testing procedure 12.3.9: Verify that the usage policies require activation of remote-access technologies used by vendors only when needed by vendors, with immediate deactivation after use.

Requirement 12.3.10: When accessing cardholder data via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media.
Testing procedure 12.3.10: Verify that the usage policies prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.

Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
Testing procedure 12.4: Verify that information security policies clearly define information security responsibilities for both employees and contractors.

Requirement 12.5: Assign to an individual or team the following information security management responsibilities:
Testing procedure 12.5: Verify the formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management. Obtain and examine information security policies and procedures to verify that the following information security responsibilities are specifically and formally assigned:

Requirement 12.5.1: Establish, document, and distribute security policies and procedures.
Testing procedure 12.5.1: Verify that responsibility for creating and distributing security policies and procedures is formally assigned.

Requirement 12.5.2: Monitor and analyze security alerts and information, and distribute to appropriate personnel.
Testing procedure 12.5.2: Verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.

Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Testing procedure 12.5.3: Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned.

Requirement 12.5.4: Administer user accounts, including additions, deletions, and modifications.
Testing procedure 12.5.4: Verify that responsibility for administering user account and authentication management is formally assigned.

Requirement 12.5.5: Monitor and control all access to data.
Testing procedure 12.5.5: Verify that responsibility for monitoring and controlling all access to data is formally assigned.

Requirement 12.6: Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
Testing procedure 12.6.a: Verify the existence of a formal security awareness program for all employees.
Testing procedure 12.6.b: Obtain and examine security awareness program procedures and documentation and perform the following:

Requirement 12.6.1: Educate employees upon hire and at least annually.
Testing procedure 12.6.1.a: Verify that the security awareness program provides multiple methods of communicating awareness and educating employees (for example, posters, letters, memos, web-based training, meetings, and promotions).
Testing procedure 12.6.1.b: Verify that employees attend awareness training upon hire and at least annually.

Requirement 12.6.2: Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.
Testing procedure 12.6.2: Verify that the security awareness program requires employees to acknowledge (for example, in writing or electronically) at least annually that they have read and understand the company’s information security policy.

Requirement 12.7: Screen potential employees (see definition of “employee” at 9.2 above) prior to hire to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Testing procedure 12.7: Inquire with Human Resource department management and verify that background checks are conducted (within the constraints of local laws) on employees prior to hire who will have access to cardholder data or the cardholder data environment. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

Requirement 12.8: If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
Testing procedure 12.8: If the entity being assessed shares cardholder data with service providers (for example, back-up tape storage facilities, managed service providers such as Web hosting companies or security service providers, or those that receive data for fraud modeling purposes), through observation, review of policies and procedures, and review of supporting documentation, perform the following:

Requirement 12.8.1: Maintain a list of service providers.
Testing procedure 12.8.1: Verify that a list of service providers is maintained.

Requirement 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
Testing procedure 12.8.2: Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.

Requirement 12.8.3: Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
Testing procedure 12.8.3: Verify that policies and procedures are documented and were followed, including proper due diligence prior to engaging any service provider.

Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status.
Testing procedure 12.8.4: Verify that the entity assessed maintains a program to monitor its service providers’ PCI DSS compliance status.

Requirement 12.9: Implement an incident response plan.