Information Security Policy and PCI DSS Requirements Quiz

Information Security Policy Document Control Summary

• The Information Security Policy is a draft document that sets out the requirements for information security within a company, based on the Payment Card Industry Data Security Standard (PCI DSS).

• The policy covers the protection of information assets, including the prevention of theft, loss, or misuse of information.

• The policy emphasizes the importance of individual actions and behaviors in protecting information assets.

• Personnel are responsible for understanding their responsibilities for information security and attending awareness training.

• Line managers are responsible for ensuring their personnel receive training and have access to policies and procedures.

• Senior management, including the CISO, is responsible for information security and approving exceptions to the policy.

• Network security requirements include firewall management, documentation, architecture, and configuration.

• System builds must adhere to configuration build standards and use secure management services.

• Data security includes requirements for data storage and transmission, including encryption.

• Anti-virus software must be deployed on all systems and kept up to date.

• Patching and vulnerability management procedures must be followed to apply critical security updates.

• The policy also covers software development, change management, access control, physical security, system logging, network testing, and monitoring tools.Summary of PCI DSS Requirements and Glossary of Terms

• Requirement 9 of the Payment Card Industry Data Security Standard (PCI DSS) mandates assigning a unique ID to each person with computer access.

• Requirement 10 of PCI DSS requires restricting physical access to cardholder data.

• Requirement 11 of PCI DSS states that all access to network resources and cardholder data must be tracked and monitored.

• Requirement 12 of PCI DSS emphasizes the need to regularly test security systems and processes.

• Annex A of PCI DSS provides a glossary of terms related to the standard.

• Insecure services are those that transmit data in an unencrypted format or are susceptible to well-known attacks or vulnerabilities.

• Public networks are networks that are not managed by the organization and can be monitored or intercepted by other entities.

• A DMZ (Demilitarized Zone) is a subnet that exposes an organization's external-facing services to a larger, untrusted network like the Internet.

• Inbound traffic refers to data flowing into the organization from outside, via routers or firewalls.

• Outbound traffic refers to data flowing out of the organization from inside, via routers or firewalls.

• Sensitive Authentication Data (SAD) includes full magnetic stripe data, PINs, and other information used in relation to payment cards.

• Cardholder data (CHD) encompasses the primary account number (PAN), cardholder name, and expiration date.