Friday, May 17, 2013

Seminar Notes - Requirements 11 and 12

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 11 - Regularly test security systems and processes, system components, and custom software


Look for unauthorized wireless access points [link - definition], even if the environment has no wireless
Run network vulnerability scans at least quarterly
Run penetration tests [link - definition] at least once a year
Use intrusion detection systems and/or intrusion prevention systems
Look for changes to critical files at least weekly
Check for changes to executable files at least weekly


Req 12 - Maintain a policy that addresses information security for all personnel.

All personnel should be aware of the sensitivity of the data and of their responsibilities.
Establish, publish, maintain and disseminate a security policy
Develop daily operational security procedures
Assign security management responsibilities to individuals or a team
Screen personnel prior to hire to minimize the risk of attacks
Implement an incident response plan and respond immediately to breaches
Obtain a written agreement (including an acknowledgement) from the service provider(s) responsible for the security of cardholder data.

