Information Security Policy based on PCI DSS

Questions and Answers

True or false: The information security policy is based on the Payment Card Industry Data Security Standard (PCI DSS).

True

True or false: The primary goal of information security is to protect information assets.

True

True or false: Breaches in information security can only result in financial losses.

False

True or false: Individual actions and behaviors of personnel have no impact on protecting information assets.

False

True or false: Line managers are responsible for ensuring their personnel attend information security training.

True

True or false: Senior management is not responsible for information security within the company.

False

True or false: The information security policy includes requirements for physical security.

True

True or false: Requirement 10 of the PCI DSS is about tracking and monitoring of all access to network resources and cardholder data.

False

True or false: Insecure Services are services that transmit data in an unencrypted format or are susceptible to known attacks.

True

Study Notes

Information Security Policy Document Control

• This document is a draft of an information security policy for a company.

• The policy is based on the Payment Card Industry Data Security Standard (PCI DSS).

• The policy sets out high-level objectives for information security.

• Personnel must refer to other procedures and standards to determine how to meet the policy objectives.

• The policy applies to people, processes, and IT systems within the company.

• The primary goal of information security is to protect information assets.

• Breaches in information security can have serious consequences, including disclosure of personal information and financial losses.

• Individual actions and behaviors of personnel are critical to protecting information assets.

• Personnel must understand their responsibilities for protecting information and attend information security training.

• Line managers are responsible for ensuring their personnel attend training and have access to policies and procedures.

• Senior management is responsible for information security within the company and must approve exceptions to the policy.

• The policy includes requirements for network security, system builds, data security, anti-virus, patching, vulnerability management, software development, change management, access control, physical security, system logging, network testing, and monitoring tools.PCI DSS Requirements and Glossary of Terms Summary

• Requirement 9: Unique ID assigned to each person with computer access

• Requirement 10: Physical access to cardholder data must be restricted

• Requirement 11: Tracking and monitoring of all access to network resources and cardholder data

• Requirement 12: Regular testing of security systems and processes

• Annex A: Glossary of Terms provided, including definitions for PCI DSS and Insecure Services

• Insecure Services: Services that transmit data in an unencrypted format or are susceptible to known attacks

• Public Network: Any network not managed by the entity and can be monitored or intercepted by others

• DMZ: Demilitarized Zone, a subnet that exposes an organization's external-facing services to an untrusted network

• Inbound Traffic: Traffic flowing into the organization from outside via routers or firewalls

• Outbound Traffic: Traffic flowing out of the organization from inside via routers or firewalls

• Sensitive Authentication Data (SAD): Data used in relation to payment cards, including full magnetic stripe data, PINs, and more

• Cardholder Data (CHD): Data used in relation to payment cards, including the primary account number, cardholder name, and expiration date

Description

Learn about an information security policy draft based on the Payment Card Industry Data Security Standard (PCI DSS). Understand the requirements, responsibilities, and objectives outlined in the policy document to protect information assets within a company.