
Information Security Policy and PCI DSS Quiz


9 Questions

Which document outlines the requirements for information security within an organization?

Information Security Policy

Who is responsible for ensuring personnel receive awareness training and have access to applicable policies and procedures?

Line managers

Which requirement of PCI DSS mandates the assignment of a unique ID to each person with computer access?

Requirement 9

What does Sensitive Authentication Data (SAD) include?

All of the above

What type of networks can be monitored or intercepted by other entities?

Public networks

What is a subnet that exposes an organization's external-facing services to an untrusted network?

DMZ

Which requirement of PCI DSS emphasizes the need for regular testing of security systems and processes?

Requirement 12

What type of traffic refers to data flowing into the organization from outside via routers or firewalls?

Inbound traffic

What type of traffic refers to data flowing out of the organization from inside via routers or firewalls?

Outbound traffic

Study Notes

Summary of Information Security Policy

  • The Information Security Policy is a draft document that outlines the requirements for information security within an organization.

  • The policy is based on the Payment Card Industry Data Security Standard (PCI DSS) and sets high-level objectives for personnel to follow.

  • Personnel are responsible for understanding their roles and responsibilities in protecting information assets.

  • Line managers are responsible for ensuring their personnel receive awareness training and have access to applicable policies and procedures.

  • Senior management, including the CISO and the policy manager, has specific responsibilities for information security.

  • The policy includes requirements for network security, such as firewall management and documentation, as well as wireless network security.

  • System builds must adhere to configuration standards and use secure management services.

  • Data security requirements include the protection of sensitive authentication data and cardholder data through encryption and secure transmission.

  • Anti-virus software must be deployed and regularly updated on all systems.

  • Patch management and vulnerability management programs must be maintained to address security vulnerabilities.

  • Software development must follow secure coding practices and undergo code review.

  • Access control policies and physical security measures are also outlined in the policy, including media security and system logging requirements.

PCI DSS Requirements and Glossary of Terms

  • Requirement 9 of PCI DSS mandates the assignment of a unique ID to each person with computer access.

  • Requirement 10 of PCI DSS requires the restriction of physical access to cardholder data.

  • Requirement 11 of PCI DSS states that all access to network resources and cardholder data must be tracked and monitored.

  • Requirement 12 of PCI DSS emphasizes the need for regular testing of security systems and processes.

  • Annex A provides a glossary of terms related to PCI DSS.

  • PCI DSS is the Payment Card Industry Data Security Standard developed by the PCI Security Standards Council.

  • Insecure services are those that transmit data in an unencrypted format or are vulnerable to well-known attacks.

  • Public networks are networks that are not managed by the organization and can be monitored or intercepted by other entities.

  • DMZ, short for Demilitarized Zone, is a subnet that exposes an organization's external-facing services to an untrusted network.

  • Inbound traffic refers to data flowing into the organization from outside via routers or firewalls.

  • Outbound traffic refers to data flowing out of the organization from inside via routers or firewalls.

  • Sensitive Authentication Data (SAD) includes full magnetic stripe data, PINs, and other information used in relation to payment cards.

Test your knowledge about Information Security Policy and PCI DSS requirements with this quiz. Learn about personnel responsibilities, network security, data encryption, access control policies, and more.
