PCI Policies & Procedures: Why you need them
As with most regulatory compliance mandates, including PCI DSS, the inherent weakness for organizations lies in the documentation of their PCI DSS policies and procedures. Payment Card Industry compliance, specifically Requirement 12 ("Maintain a policy that addresses information security for employees and contractors"), requires organizations to develop a comprehensive set of documented policies and procedures. For example, company X may very well do an excellent job of tape/media backup and archival, but is there a documented process that describes these activities, with specific procedures to follow? The same question applies across the board to many of the core functional areas within the PCI DSS framework. In short, you will need to develop documented policies and procedures to satisfy Requirement 12 of PCI DSS and the numerous other areas where such policies and procedures are required.
What's needed is the development of policies and procedures that are current, accurate, relevant, and specific enough to be credible for purposes of PCI DSS compliance. NDB Advisory personnel have spent years putting together industry best-of-breed Policies & Procedures templates. We have developed a wide range of templates, spreadsheets, documents, and other supporting materials to help organizations build highly customizable and scalable Policies & Procedures documents for the following areas:
- Organization & Administration
- Human Resources
- Network Security
- Logical Security
- Physical Security
- Environmental Security
- Change Management
- Incident Management
- Computer Operations
- Business Continuity & Disaster Recovery
- And many more
These Policies & Procedures documents often become increasingly visible during a PCI DSS Readiness Assessment, when gaps and deficiencies are found in an organization's internal control framework.
Author: Charles Denyer