3.12 Requirement 12: Maintain a policy that addresses information security for all staff
• Tests for the presence of unauthorized wireless access points should be completed at least quarterly. All testing should follow industry-accepted approaches. Any vulnerabilities found during testing should be recorded, risk-rated and mitigated in a controlled manner, and this process should be documented within a Risk Mitigation Plan. Prevention and detection technologies (for example intrusion detection/prevention and change-detection mechanisms) should also be implemented to further improve security. These technologies and the above testing should be described within a Technical Vulnerability Management Policy and a Network Security Policy. Finally, security policies and operational procedures for security monitoring and testing must be documented, in use, and known to all affected parties.
Relevant Toolkit Documents:
• Information Security Policy
• Information Security Roles, Responsibilities and Authorities
• Information Security Communication Program
• Security Incident Response Procedure
• Service Provider and Contracts Database
• Employee Screening Checklist
• Information Security Policy for Service Provider Relationships
• Service Provider Due Diligence Assessment
• Service Provider Due Diligence Assessment Procedure
• Acceptable Use Policy
• Risk Assessment and Mitigation Process
• Risk Mitigation Plan
• Internet Acceptable Use Policy
• Mobile Device Policy
• BYOD Policy
• Electronic Messaging Policy
• Remote Working Policy
• Security Awareness Training Presentation Slides
• PCI DSS Charter
A strong Information Security Policy underpins the organization's ability to protect the cardholder data environment (CDE) and tells every employee what is expected of them. This requirement covers a number of areas that are generally found in an Information Security Management System (ISMS), including:
• Information security roles and responsibilities
• Information security communication and training for all staff members
• Due diligence processes for new and existing service providers