3.15 Requirement 12 Part 1

Time: 3 hours 37 minutes
Difficulty: Beginner
CEU/CPE: 4
Video Transcription
00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:05
This module focuses on the goals of the PCI DSS and the requirements associated with them.
00:12
This video introduces you to requirements 12.1 through 12.7.
00:16
We will talk about how you need to make sure all of your processes, procedures and controls within the CDE are documented.
00:23
And we'll talk about some of the requirements around acceptable use and remote connections.
00:29
The learning objective of this video is to discuss the policies required for the operation of a compliant CDE.
00:38
Requirement 12 is directed at the establishment and maintenance of the security policies that direct the operation of your environment.
00:46
Every individual requirement group ends with: you need to be creating policies and procedures.
00:52
So a lot of the mandates of this requirement
00:56
are satisfied by those.
00:58
This requirement group is the formalization of a lot of the procedures you should have in place to protect your CDE.
01:04
This group also has things that you should do to maintain your policy, and it mandates that you disseminate the policies to your staff.
01:12
The 12.1 requirement is simple enough.
01:15
You have to create, maintain and share your security policy.
01:19
In order to have an effective security policy, it needs to have the support of the very top of your organization.
01:26
It is meant to direct how your organization will operate in high level terms.
01:32
You do not need to get into the weeds to the point of describing the security controls and the technology that you'll use.
01:38
The policy is just meant to establish high-level objectives and define the roles and responsibilities.
01:45
You get more into the weeds when you talk about the procedures for how you will meet the goals defined in the policy.
01:52
The security policy can grow into a monolith if you try to track all of your requirements into a single document,
01:57
so it may be beneficial to break it into smaller pieces that reflect an individual topic.
02:02
For example, you can have a document that specifically addresses identity and access management.
02:08
By doing it this way, you're able to share portions of the policy that are specific to the roles that the policy may be applicable to.
02:15
Then, when you have to aggregate it all together for audit purposes, you can do so.
02:23
12.2 mandates that you at least annually reevaluate the security risks that impact your organization.
02:30
As the environment evolves to support new capabilities or new threats emerge, it is important that you take steps to assess how your security posture needs to be updated to protect yourself.
02:42
The threat landscape is constantly evolving, so you have to evolve with it.
02:46
The 12.2 requirement makes sure that you're up to date.
02:51
Annual penetration tests and regular scans help facilitate this process
02:55
because you can use the output of these processes as the input to your risk assessment,
03:00
and it could help immensely.
03:04
The 12.3 grouping of requirements is about how you will manage all of the technology in your environment.
03:10
We've talked throughout the requirements modules about how you need to know what you're running, and you have to explicitly authorize and allow that technology in the CDE.
03:20
This is just about making sure you document that and document your justification for use of the technology.
03:27
The usage policy says what is allowed and how it's allowed. But it should also say what is disallowed.
03:34
12.3.1 and 12.3.2 state that you have to have explicit authorization for the use of technology by those granted the power to authorize such things,
03:44
which, by the way, means you have to have documented somewhere who is authorized to approve technology.
03:50
And you have to have a manner to authenticate the person that's allowed to authorize technology.
03:55
12.3.3 and 12.3.4 are about maintaining an accurate inventory of your systems and who's allowed to access these systems.
04:03
Whatever method you use to manage assets, you have to make sure you are continually verifying its contents and updating it as the environment evolves.
04:14
12.3.5 and 12.3.7 are around the development of an acceptable use policy.
04:19
You have to say what people are allowed to do
04:21
on what systems and where they're allowed to do it.
04:26
You'll be defining acceptable business use and location of company-approved devices and technology
04:31
in the policy. You also want to explicitly state actions that you do not want occurring in your environment.
04:39
You have to strike a balance between the use of general actions and specific actions that are allowed.
04:46
If you're too specific, you can exclude actions you don't mean to exclude.
04:54
12.3.8 through 12.3.10 are around remote connections in the CDE.
04:59
Remote connections need to be disconnected after a specific,
05:01
defined period of inactivity.
05:05
When assigning vendors or partners remote access to the CDE, their access should only be allowed for the amount of time that is needed,
05:14
and 12.3.10 is just that the ability to move cardholder data to a local system via remote connection should be prohibited
05:21
unless explicitly authorized.
05:25
The allowance or denial of this action should be specified clearly in your acceptable use policy.
05:31
For 12.4, roles and responsibilities are critical for the implementation of any security program.
05:39
The roles of the executive should be defined all the way down to the engineer who has to execute the procedures to satisfy the policy.
05:46
If you're not detailed about the establishment of roles, there could be gaps in the execution and in compliance.
05:54
So it is key to spend a fair amount of time thinking about roles.
05:58
Often tabletop exercises or walkthroughs of scenarios will help define roles and identify areas where roles are ambiguous.
06:05
While 12.4.1 is required for service providers, it wouldn't be a bad idea to apply this requirement to merchants as well.
06:16
The 12.5 group is about making sure security functions are assigned to the proper personnel.
06:23
It's designed to help guide you in fulfilling the 12.4 requirement by explicitly outlining the minimum roles. You need to make sure you disseminate how these roles are to be executed by the relevant people.
06:35
Previously, in the logging requirements, we stated that you have to log events and review the logs.
06:42
In this one, you need to review these logs and determine what activity should generate an alert.
06:47
You need to have staff review the alerts and respond appropriately,
06:51
so you have to make sure you have adequate training for those who'll be performing this role.
06:59
12.5.3 is that you need to have an incident response plan and procedures.
07:03
We'll explore that more deeply in the 12.10 requirements.
07:08
The creation, administration and monitoring of user accounts needs to be a defined role within your organization.
07:15
A process has to be in place to help track who has access to what and who is responsible for granting that access.
07:24
Training is key to the security of your CDE.
07:27
Most attacks are facilitated via the compromise of an individual,
07:30
so ongoing training to help the individual detect and report attacks is necessary to minimize the risk to your environment.
07:39
The mandate is that they're trained yearly, but in practice this isn't enough.
07:43
Training should occur regularly throughout the year.
07:46
Regular meetings and emails as reminders for security tips would help you track that your employees are being trained as well as make them better.
07:57
12.7 states that you have to conduct a background check on your personnel prior to hire.
08:03
Now, this doesn't have to be anything that's extremely extensive unless your risk appetite demands it.
08:09
But your auditor will be looking for something that shows that you have vetted your employees.
08:16
OK. In summary, this video went over all the mandates associated with requirements 12.1 through 12.7.
08:22
We covered acceptable use, remote connections and risk assessments for the CDE.
08:28
And now for a quick quiz.
08:31
The policy that defines what's allowed in the CDE is the:
08:35
technology policy,
08:37
acceptable use policy,
08:39
personnel policy,
08:41
or services policy.
08:46
This will be the acceptable use policy.
08:50
This policy defines what's allowed and should also define what is not allowed within the CDE.
08:58
When must employee security awareness training occur?
09:03
Upon hire,
09:03
after a breach,
09:05
upon hire and then annually,
09:09
or every five years.
09:15
Awareness training must happen upon hire and then at least every year, but it's best practice for security training to be an ongoing activity.
09:26
Risk assessments must occur:
09:28
every two years,
09:30
after a penetration test,
09:31
after an incident,
09:33
or after a significant change.
09:39
Risk assessments must occur after a significant change.