This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution.
CyberSecurity PCI DSS Annual Program
If you would like additional information or assistance with customizing and implementing a balanced risk management process for your security program, please contact Mark @ 604-349-6557 or

The following 13 control points defined within PCI DSS require annual management activity to provide assurance of compliance in preparation for the annual Report on Compliance facilitated by the designated PCI QSA. PCI DSS v2 includes 177 control points, most of which can be integrated within current business processes and practices. The breakdown by responsible party is as follows:

• 54% come under the responsibility of IT
• 32% Chief Information Security Officer (CISO), independent of IT
• 10% Development, independent of IT and the CISO
• 3% Operations, where cardholder data is handled
• 3% Executive Governance
• 1% Human Resources, General Staff and Managers

Control points requiring annual attention:

• 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location's security at least annually.
• 9.6 Physically secure all media. Verified by observation and documentation review that there is an annual process in place to review the security of storage locations.
• 9.8 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).
• 9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least annually. Testing procedure: obtain and review the media inventory log to verify that periodic media inventories are performed at least annually.
• 12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
• 12.1.3 Includes a review at least annually and updates when the environment changes.
• 12.6.1 Educate personnel upon hire and at least annually. Note: methods can vary depending on the role of the personnel and their level of access to cardholder data.
• 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
• 12.8.1 Maintain a list of service providers.
• 12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.
• 12.9.2 Test the incident response plan at least annually.
• 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
• 12.9.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.