Information Security Policy and PCI DSS Requirements

Study Notes

Information Security Policy Document Control

This document is a draft of an information security policy for a company.
The policy is based on the Payment Card Industry Data Security Standard (PCI DSS).
The policy sets out high-level objectives for information security.
Personnel must refer to other procedures and standards to determine how to meet the policy objectives.
The policy applies to people, processes, and IT systems within the company.
The primary goal of information security is to protect information assets.
Breaches in information security can have serious consequences, including disclosure of personal information and financial losses.
Individual actions and behaviors of personnel are critical to protecting information assets.
Personnel must understand their responsibilities for protecting information and attend information security training.
Line managers are responsible for ensuring their personnel attend training and have access to policies and procedures.
Senior management is responsible for information security within the company and must approve exceptions to the policy.
The policy includes requirements for network security, system builds, data security, anti-virus, patching, vulnerability management, software development, change management, access control, physical security, system logging, network testing, and monitoring tools.PCI DSS Requirements and Glossary of Terms Summary
Requirement 9: Unique ID assigned to each person with computer access
Requirement 10: Physical access to cardholder data must be restricted
Requirement 11: Tracking and monitoring of all access to network resources and cardholder data
Requirement 12: Regular testing of security systems and processes
Annex A: Glossary of Terms provided, including definitions for PCI DSS and Insecure Services
Insecure Services: Services that transmit data in an unencrypted format or are susceptible to known attacks
Public Network: Any network not managed by the entity and can be monitored or intercepted by others
DMZ: Demilitarized Zone, a subnet that exposes an organization's external-facing services to an untrusted network
Inbound Traffic: Traffic flowing into the organization from outside via routers or firewalls
Outbound Traffic: Traffic flowing out of the organization from inside via routers or firewalls
Sensitive Authentication Data (SAD): Data used in relation to payment cards, including full magnetic stripe data, PINs, and more
Cardholder Data (CHD): Data used in relation to payment cards, including the primary account number, cardholder name, and expiration date

Description

This document outlines an information security policy based on the PCI DSS standard and includes high-level objectives for protecting information assets. It covers personnel responsibilities, training requirements, management roles, policy exceptions, and specific requirements for network security, data protection, and system monitoring.