Information Security Policy based on PCI DSS

Questions and Answers

Which standard is the information security policy based on?

HIPAA

PCI DSS (correct)

GDPR

ISO 27001

What is the primary goal of information security?

To ensure compliance with regulations

To prevent financial losses

To protect personal information (correct)

To secure IT systems

Who is responsible for ensuring personnel attend information security training?

IT department

Line managers (correct)

Human resources

Senior management

What is the purpose of the Demilitarized Zone (DMZ)?

To provide secure access to external-facing services

What is Sensitive Authentication Data (SAD)?

Data used in relation to payment cards

What is Cardholder Data (CHD)?

Data used in relation to payment cards

What are the consequences of breaches in information security?

Both A and B

What must personnel refer to in order to determine how to meet the policy objectives?

Other procedures and standards

Who is responsible for information security within the company?

Senior management

Study Notes

Information Security Policy Document Control

• This document is a draft of an information security policy for a company.

• The policy is based on the Payment Card Industry Data Security Standard (PCI DSS).

• The policy sets out high-level objectives for information security.

• Personnel must refer to other procedures and standards to determine how to meet the policy objectives.

• The policy applies to people, processes, and IT systems within the company.

• The primary goal of information security is to protect information assets.

• Breaches in information security can have serious consequences, including disclosure of personal information and financial losses.

• Individual actions and behaviors of personnel are critical to protecting information assets.

• Personnel must understand their responsibilities for protecting information and attend information security training.

• Line managers are responsible for ensuring their personnel attend training and have access to policies and procedures.

• Senior management is responsible for information security within the company and must approve exceptions to the policy.

• The policy includes requirements for network security, system builds, data security, anti-virus, patching, vulnerability management, software development, change management, access control, physical security, system logging, network testing, and monitoring tools.PCI DSS Requirements and Glossary of Terms Summary

• Requirement 9: Unique ID assigned to each person with computer access

• Requirement 10: Physical access to cardholder data must be restricted

• Requirement 11: Tracking and monitoring of all access to network resources and cardholder data

• Requirement 12: Regular testing of security systems and processes

• Annex A: Glossary of Terms provided, including definitions for PCI DSS and Insecure Services

• Insecure Services: Services that transmit data in an unencrypted format or are susceptible to known attacks

• Public Network: Any network not managed by the entity and can be monitored or intercepted by others

• DMZ: Demilitarized Zone, a subnet that exposes an organization's external-facing services to an untrusted network

• Inbound Traffic: Traffic flowing into the organization from outside via routers or firewalls

• Outbound Traffic: Traffic flowing out of the organization from inside via routers or firewalls

• Sensitive Authentication Data (SAD): Data used in relation to payment cards, including full magnetic stripe data, PINs, and more

• Cardholder Data (CHD): Data used in relation to payment cards, including the primary account number, cardholder name, and expiration date

Description

This quiz covers the components of an information security policy draft based on the Payment Card Industry Data Security Standard (PCI DSS). It includes high-level objectives, responsibilities of personnel, requirements for network security, data security, access control, and more.