Information Security Policy and PCI DSS Requirements Quiz

Information Security Policy Document Control

• The Information Security Policy sets out the high-level policy objectives for information security within the company.

• Personnel are responsible for understanding their responsibilities for protecting information and information assets.

• Line Managers must ensure their personnel attend information security awareness training and have access to applicable policies and procedures.

• The Client CISO or equivalent is responsible for information security within the company.

• Firewalls must be managed with documented roles and responsibilities for approving and implementing changes.

• All networks must be documented in a version-controlled network diagram.

• Firewalls must be placed between internal networks and public networks, and between internal networks and DMZ networks.

• Wireless networks must connect to other networks through a firewall that restricts traffic.

• All systems must have vendor default settings removed or changed.

• Data must be handled and transmitted in accordance with the Data Security policy.

• Anti-virus software must be deployed on all systems and centrally managed.

• Patches and critical security updates from vendors must be applied to all systems within specified timeframes.Summary of PCI DSS Requirements and Glossary of Terms

• Requirement 9 of PCI DSS mandates the assignment of a unique ID to each person with computer access.

• Requirement 10 of PCI DSS requires the restriction of physical access to cardholder data.

• Requirement 11 of PCI DSS states that all access to network resources and cardholder data should be tracked and monitored.

• Requirement 12 of PCI DSS calls for regular testing of security systems and processes.

• Annex A of the document provides a glossary of terms related to PCI DSS.

• PCI DSS is the Payment Card Industry Data Security Standard developed by the PCI Security Standards Council.

• Insecure services include those that transmit data in an unencrypted format or are susceptible to well-known attacks or vulnerabilities.

• A public network is any network that is not managed by the organization and can be monitored or intercepted by other entities.

• A DMZ, or Demilitarized Zone, is a subnet that exposes an organization's external-facing services to a larger and untrusted network like the Internet.

• Inbound traffic refers to data flowing into the organization from outside via routers or firewalls.

• Outbound traffic refers to data flowing out of the organization from inside via routers or firewalls.

• Sensitive Authentication Data (SAD) includes full magnetic stripe data, PINs, PIN blocks, and primary account numbers (PANs) used in relation to payment cards.