PCI Policy Documentation
Without fail, the first time an organization goes through the PCI gap assessment, remediation, and assessment cycle, it underestimates the amount of specificity required by the PCI DSS. Smaller companies will spend a significant amount of time drafting and adopting new policies within their organization, while larger companies will spend their time trying to find which existing policies satisfy which requirements, making adjustments as necessary.
Rarely do an organization's policy documents that were drafted before its PCI efforts began satisfy the majority of the policy and procedure requirements found in the DSS.
DSS Policy Requirements
In v2.0 of the PCI DSS, it was a simple task to scroll through the ROC Reporting Instructions document provided by the PCI Council and pick out which requirements needed a documentation review. The "Document Reviews" column could easily be distilled into a complete set of policies and procedures required of the organization. As of PCI DSS v3.0, this task is not quite as simple. While the process of completing the Report on Compliance (ROC) has been greatly simplified (and improved), it involved combining the PCI DSS ROC Template document for QSAs and the ROC Reporting Instructions into a single document.
I spent some time picking apart the new ROC template in order to identify all testing procedures that require a documentation review. Following is a fairly complete list of these testing procedures, grouped by DSS requirement:
DSS Requirement | Policy Testing Procedures |
---|---|
1 | 1.1.1.a, 1.1.2.a, 1.1.2.b, 1.1.3.a, 1.1.4.a, 1.1.5.a, 1.1.6.a, 1.1.6.b, 1.1.7.a, 1.2.1.a, 1.3.8.b, 1.4.a, 1.5 |
2 | 2.1.c, 2.1.1.a, 2.1.1.b, 2.2.a, 2.2.b, 2.2.c, 2.2.d, 2.5 |
3 | 3.1.a, 3.2.a, 3.2.c, 3.2.d, 3.3.a, 3.4.a, 3.5, 3.5.2.a, 3.6.a, 3.6.1.a, 3.6.2.a, 3.6.3.a, 3.6.4.a, 3.6.5.a, 3.6.6.a, 3.6.7.a, 3.6.8.a, 3.7 |
4 | 4.1.a, 4.1.b, 4.1.1, 4.2.b, 4.3 |
5 | 5.2.a, 5.4 |
6 | 6.1.a, 6.2.a, 6.3.a, 6.3.b, 6.3.c, 6.3.1, 6.3.2.a, 6.4, 6.4.1.a, 6.4.5.a, 6.5.a, 6.5.d, 6.7 |
7 | 7.1.a, 7.3 |
8 | 8.1.a, 8.1.6.b, 8.2, 8.2.2, 8.2.3.b, 8.2.4.b, 8.2.5.b, 8.2.6, 8.4.a, 8.4.b, 8.5.b, 8.5.1, 8.6.a, 8.8 |
9 | 9.2.a, 9.2.c, 9.5, 9.5.1.b, 9.6, 9.6.1, 9.7, 9.8, 9.9, 9.9.1.a, 9.9.2.a, 9.9.3.a, 9.10 |
10 | 10.4, 10.4.1.a, 10.4.2.a, 10.4.2.b, 10.4.3, 10.6.1.a, 10.6.2.a, 10.6.2.b, 10.6.3.a, 10.7.a, 10.8 |
11 | 11.1.a, 11.1.2.a, 11.2.1.b, 11.2.3.a, 11.3, 11.4.a, 11.6 |
12 | 12.1, 12.2.a, 12.3, 12.4.a, 12.5, 12.6.a, 12.6.b, 12.7, 12.8, 12.10, 12.10.3, 12.10.4, 12.10.6 |
Common Policy Documents
If an organization already has a good set of policies, it often wants to know which specific ones the assessor will need to review as part of the assessment process. Following is a fairly standard list of the policy and procedure documents an organization will need in order to implement best practices and ultimately achieve compliance with PCI:
- Anti-Virus Policy
- Audit Logging Policy
- Background Check Policy
- Change Control Policy
- Cryptographic System Policy
- Data Retention and Destruction Policy
- Firewall and Route Configuration Policy
- Information Security Incident Response Policy
- Information Security Policy
- Information Technology Acceptable Use Policy
- Media Storage, Distribution, and Destruction Policy
- Network, Computer, and Data Access Control Policy
- Physical Security Policy
- Security Monitoring and Testing Policy
- Software Development Policy
- Software Security Policy
- Third Party Service Provider Policy
- User and Password Management Policy
Hopefully these resources will be of use as organizations struggle to get their policies and procedures organized for their next assessment.