PCI Policies, Procedures and Evidence – What is expected?
Policies, Procedures and Evidence
While it’s one of the areas that IT and security departments find challenging, documentation
(and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security
Assessor (QSA), and, more importantly, a successful PCI compliance audit! Successful
compliance programmes invariably depend on the accurate and consistent recording of
events and the adherence to well-defined policies and procedures.
These documents ensure all staff are aware of their obligations, as well as defining the necessary actions to ensure a secure
and compliant environment is achieved. With a number of PCI requirements, certain documents will need to be reviewed
periodically or the instructions contained therein carried out at specific intervals.
If the actions in question (i.e. firewall rule reviews / external vulnerability scans) are not performed as instructed, the entire
compliance initiativemay be jeopardised. Organisations are well-advised to analyse their documentation and evidentiary
requirements and summarise these centrally, where the content and resulting actions can be tracked.
Security policies and procedures are not a new concept and, coupled with the multitude of security standards that have been
developed over the past few decades, there’s no need to start from scratch and be overly creative.
As long as the documents are clear, concise, deliver the intended message, are customised to the environment in question and
elicit the necessary behaviour, the document set will achieve the desired outcome. It is essential that you ensure all PCI control
statements which require explicit documentation are included in the relevant documents. This will save you both time and
resources when addressing this necessary, albeit challenging, task.
The list of documents and evidence artefacts that act as the baseline for achieving compliance with the PCI DSS is very extensive.
Not all documents will be obligatory for all organisations, however, a significant number will need to have been implemented in
order for a successful outcome to be achieved.
If these documents, procedures and activities geared towards producing the necessary evidence are in place, you are well on the
way to attaining compliance. To illustrate the type of documents and evidence (by no means exhaustive!) you will typically need
to develop and implement, here is starter for ten!:
Network device management policy
Wireless scanning procedure (rogue access points)
Remote access policy (staff/vendor)
Device configuration standards
Operational security procedures
Incident response test
Role-based access matrix
Third party contracts (soft copy)