This is the 12th and final installment in our series, The Road Map to PCI. Today we’ll take a look at Requirement 12: Maintain an Information Security Policy. Creating and maintaining a Security Policy is one of the simplest ways to reinforce the critical role security plays within your organization.
Don’t Be Afraid!
For the individual validating your compliance the idea of maintaining a Security Policy can bring some anxiety and fear. If your organization falls into Self-Assessment Questionnaire C, the PCI Council has outlined a dozen individual requirements for maintaining your policy. At first glance this can seem daunting until you realize you can scale and customize your policy to fit your organization’s needs and procedures. Whether you have ten full-time employees or a hundred, the key is to make sure that it is applicable to your operating needs. With that in mind, you may have a better start on this process than you think.
Don’t Reinvent the Wheel
As you look through Requirement 12, think of it as a table of contents for a policy that fits your organization. Often times you may have written other documentation or polices which touch on these matters. You may even have unspoken policies or procedures that address these security standards; now is the time to formalize these and get them on paper.
An employee, volunteer, or training handbook is a great place to check and see if you already have some of the items in Requirement 12 in place. If so, you can use these as a your starting point and expand on them to cover the remaining security standards you’ll need to address.
Google is Your Friend
Whatever your search engine of choice, the internet is one of your best resources if you are struggling with a particular security standard in Requirement 12. Your search will likely lead you to the SANS Institute which provides a host of Security Policy templates which can be a great starting point.
Remember if you choose to work with a template, be sure to read entirely through the template and make sure it is applicable to your organization. As you read, trim areas that do not apply, elaborate on generalities with specifics about your organization, and complete any blank fields.
The Journey is Just Beginning
Once you complete your Information Security Policy you may think to yourself, “Thank goodness, I will never have to touch PCI again!” Before you get too excited and book your trip to the San Juans, remember that security is an ongoing effort. As cyber-crime becomes more complex and ubiquitous the security standards will continue to evolve to remain relevant. Visit the PCI Security Standards Council website or following them on social media to stay informed of how these changes may affect your organization.
Stay safe out there!
If you have any questions about PCI that you would like to see covered, let us know! You can find us on Twitter @MinstryLINQ or email us at firstname.lastname@example.org to share your thoughts and questions!