The goal
The goal of PCI DSS Key Requirement 12 is to develop and maintain a sustainable, secure control environment that protects payment card data. This is achieved through a comprehensive program supported by an integrated, documented set of organizational information security, risk management and compliance standards, policies and procedures, with oversight from a governance structure and supporting processes for effective execution and continuous improvement.
This goal includes full integration with all related PCI DSS Key Requirements to establish an effective, integrated series of control systems, together with the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity for this key requirement by < insert date >.
Goal applicability and scope considerations
- Documentation: Security policies, standards, procedures and guidance documents covering all PCI DSS requirements; agreements with third-party service providers; the incident response plan; and the security awareness program plan
- People: This goal applies to all employees (IT and security staff, accountants, support staff, call center agents and executives), contractors, consultants, internal and external vendors and other third parties that provide support or maintenance services, and any individual who can access account data or any system component within the cardholder data environment (CDE)
Goal requirements:
Some of the primary conditions necessary to achieve the goal
- Control environment: Establish and maintain an effective, sustainable control environment: the actions, policies, values and management style that set the tone for the organization's day-to-day activities and shape the atmosphere in which people carry out their work and their control responsibilities. In such an environment, competent people understand their responsibilities and the limits of their authority, and are knowledgeable, mindful and committed to doing what is right and doing it the right way
- Security policy (design and documentation): Establish the capability to design, document and maintain a complete, integrated set of PCI security, compliance and risk management policies, standards and procedures
- Security policy (training): Establish the capability to design, implement and maintain supporting processes that communicate the policy documentation set, keep it up to date, and monitor user awareness and comprehension of it
- Capability (incident response): Establish the ability to develop a comprehensive incident response plan covering all system components within the CDE, to test its effectiveness, and to improve it continuously
- Capability (risk management): Maintain the ability to develop, implement and maintain a comprehensive risk management strategy, method and implementation plan, with performance management
- Capability (resource management): Establish the ability to develop, implement and maintain secure human resources and third-party management practices, policies and procedures
Strong dependencies and integration with other key requirements
- All requirements: Security policies and standards are required to support every key requirement
- Requirements 10 & 11: Integration of logging, monitoring and security testing with incident response
- Requirement 6: Integration of risk management with secure systems and software requirements
- Requirements 5, 7, 8 & 9: Integration of targeted risk analysis
Short-term objectives
- Communication: Make policies, standards, procedures and guidance available online to all stakeholders, and track their access and use
- Training: Conduct online policy training; track which individuals have read the relevant security policies and completed the training (implementation coverage); and test their comprehension of the material presented
Long-term objectives
- Integrate: Improve the integration and alignment of policy, standards, procedure and guidance documentation, with frequent internal identification, reporting and correction of any misalignments
- Maturity: Achieve and maintain high capability maturity in sustaining an effective control environment
Common constraints
|
- Competence: Incomplete, unclear, poorly articulated or ill-constructed security policies and standards
- Capability: Lack of information security proficiency in governance, program design, risk management and compliance management; inadequate training and education