3.15 Requirement 12 Part 1
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
This module focuses on the goals of PCI DSS and the requirements associated with them.
This video introduces you to Requirements 12.1 through 12.7.
We will talk about how you need to make sure all of your processes, procedures and controls within the CDE (cardholder data environment) are documented,
and we'll talk about some of the requirements around acceptable use and remote connections.
The learning objective of this video is to discuss the policies required for the operation of a compliant CDE.
Requirement 12 is directed at the establishment and maintenance of the security policies that direct the operation of your environment.
Every individual requirement group ends with a mandate that you create policies and procedures,
so many of the mandates of this requirement are satisfied by those.
This requirement group is the formalization of many of the procedures you should already have in place to protect your CDE.
This group also covers what you should do to maintain your policy, and it mandates that you disseminate the policies to your staff.
The 12.1 requirement is simple enough:
you have to create, maintain and share your security policy.
In order to have an effective security policy, it needs the support of the very top of your organization.
It is meant to direct how your organization will operate, in high-level terms.
You do not need to get into the weeds to the point of describing the security controls and the technology that you'll use.
The policy is meant to establish high-level objectives and define the roles and responsibilities.
You get more into the weeds when you talk about the procedures for how you will meet the goals defined in the policy.
The security policy can grow into a monolith if you try to pack all of your requirements into a single document,
so it may be beneficial to break it into smaller pieces that each reflect an individual topic.
For example, you can have a document that specifically addresses identity and access management.
By doing it this way, you're able to share the portions of the policy that are specific to the roles they apply to.
Then, when you have to aggregate it all together for audit purposes, you can do so.
12.2 mandates that you at least annually re-evaluate the security risks that impact your organization.
As the environment evolves to support new capabilities, or as new threats emerge, it is important that you take steps to assess how your security posture needs to be updated to protect yourselves.
The threat landscape is constantly evolving, so you have to evolve with it.
The 12.2 requirement makes sure that you stay up to date.
Annual penetration tests and regular scans help facilitate this process,
because you can use the output of those processes as the input to your risk assessment,
and that can help immensely.
The 12.3 grouping of requirements is about how you will manage all of the technology in your environment.
We've talked throughout the requirements modules about how you need to know what you're running, and you have to explicitly authorize and allow that technology in the CDE.
This group is about making sure you document that, and document your justification for the use of the technology.
The usage policy says what is allowed and how it's allowed, but it should also say what is disallowed.
12.3.1 and 12.3.2 state that you have to have explicit authorization for the use of technology from those granted the power to authorize such things.
That means you have to have documented somewhere who is authorized to approve technology,
and you have to have a way to authenticate the person who is allowed to authorize it.
12.3.3 and 12.3.4 are about maintaining an accurate inventory of your systems and who is allowed to access them.
Whatever method you use to manage assets, you have to make sure you are continually verifying its contents and updating it as the environment evolves.
12.3.5 through 12.3.7 are about the development of an acceptable use policy.
You have to say what people are allowed to do,
on what systems, and where they're allowed to do it.
You'll be defining acceptable business use and the locations of company-approved devices and technology in the policy.
You also want to explicitly state the actions that you do not want to occur in your environment.
You have to strike a balance between general and specific statements of what is allowed.
If you're too specific, you can exclude actions you don't mean to exclude.
12.3.8 through 12.3.10 are about remote connections to the CDE.
Remote connections need to be disconnected after a specific,
defined period of inactivity.
When granting vendors or partners remote access to the CDE, their access should only be enabled for the amount of time that is needed.
12.3.10 states that copying cardholder data to a local system via a remote connection should be prohibited
unless explicitly authorized.
The allowance or denial of this action should be specified clearly in your acceptable use policy.
For 12.4, roles and responsibilities are critical to the implementation of any security program.
The roles should be defined from the executive all the way down to the engineer who has to execute the procedures that satisfy the policy.
If you're not detailed about the establishment of roles, there can be gaps in execution and in compliance,
so it is key to spend a fair amount of time thinking about roles.
Often tabletop exercises or walkthroughs of scenarios will help define roles and identify areas where roles are ambiguous.
While 12.4.1 is only required for service providers, it wouldn't be a bad idea to apply this requirement to merchants as well.
The 12.5 group is about making sure security functions are assigned to the proper personnel.
It's designed to help guide you in fulfilling the 12.4 requirement by explicitly outlining the minimum roles; you need to make sure you disseminate how these roles are to be executed to the relevant people.
Previously, in the logging requirements, we stated that you have to log events and review the logs.
Here, you need to review those logs and determine what activity should generate an alert.
You need to have staff review the alerts and respond appropriately,
so you have to make sure you have adequate training for those who will be performing this role.
12.5.3 is that you need to have an incident response plan and procedures;
we'll explore that more deeply in the 12.10 requirements.
The creation, administration and monitoring of user accounts needs to be a defined role within your organization.
A process has to be in place to track who has access to what and who was responsible for granting that access.
Training is key to the security of your CDE.
Most attacks are facilitated via the compromise of an individual,
so ongoing training to help the individual detect and report attacks is necessary to minimize the risk to your environment.
The mandate is that they're trained yearly, but in practice this isn't enough.
Training should occur regularly throughout the year.
Regular meetings and emails with security tips as reminders help you track that your employees are being trained, as well as making them better at it.
12.7 states that you have to conduct a background check on your personnel prior to hire.
Now, this doesn't have to be anything extremely extensive unless your risk appetite demands it,
but your auditor will be looking for something that shows that you have vetted your employees.
OK. In summary, this video went over all the mandates associated with Requirements 12.1 through 12.7.
We covered acceptable use, remote connections and risk assessments for the CDE.
And now for a quick quiz.
The policy that defines what's allowed in the CDE is the:
acceptable use policy,
or services policy?
This would be the acceptable use policy.
This policy defines what's allowed and should also define what is not allowed within the CDE.
When must employee security awareness training occur?
After a breach;
upon hire and then annually;
or every five years?
Awareness training must happen upon hire and then at least every year, but it's best practice for security training to be an ongoing activity.
Risk assessments must occur:
every two years;
after a penetration test;
after an incident;
or after a significant change?
Risk assessments must occur after a significant change.