Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel. #

• 12.1 A security policy should be well established, well published and well maintained for effective results.
• 12.2 A risk assessment should be implemented that helps identify assets, critical threats.
• 12.3 For various critical technologies, a policy guide should be created with its usage policy and its proper use should be well defined.
• 12.4 The security policy and procedures of an enterprise should clearly define information security responsibilities of all employees.
• 12.5 An individual or a team of individuals can be assigned information security management tasks.
• 12.6 All employees must be well aware of the cardholder data security policies. To ensure everyone is aware of them same, security awareness program must of conducted.
• 12.7 It is essential to run a background check of a person before hiring them. This helps keep internal attack at bay.
• 12.8 Policies are required to manage service providers who have cardholder data that could suffer a breach.
• 12.9 Service providers are should inform customers that they are responsible for the security of the cardholder data which they possess. They should take full responsibility.
• 12.10 In case of a system breach, a suitable response must be ready to deal with it. This calls for implemention of an incident response plan.
• 12.11 It needs to be confirmed if the everyone is following the security policies and operational procedures or not. Reviews can be conducted on a daily basis to to determine this.