PCI DSS Recommendations for Audit Evidence
The following is a list of recommended documents and records for auditing purposes. The Payment Card Industry Data Security Standard (PCI DSS) is very prescriptive and not flexible. These recommendations are based on a significant amount of experience leading legal, statutory and regulatory compliance programs that included the adoption of PCI DSS across multiple industries, including government, banking, legal, pharmaceutical, nanotechnology, cloud computing services (PaaS, IaaS and SaaS), manufacturing and academia. This information has been shared freely by Mark E.S. Bernard. If you find it useful, please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program, please contact Mark at 604-349-6557 or mesbernard@gmail.com.

The clause numbers below follow the PCI DSS v1.2/v2.0 numbering. Later versions renumbered several requirements (for example, the incident response plan moved from 12.9 to 12.10 in v3.0), so map each reference against the version your assessor is working from before building the evidence index.

Governance
• Security Governance process (clause 12.4, 12.5)
• Security Governance Committee Terms of Reference (clause 12.4, 12.5)
• Security Governance Committee Schedule (clause 12.4, 12.5)
• Policy Review (clause 12)
• Reconcile service providers (clause 12.8)
• Service Provider Compliance (clause 12.8)
• Service Provider Compliance acknowledgement (clause 12.8)
• Employee compliance acknowledgement (clause 12.6.2)
• Create Enterprise Security Manual (Explicit Knowledge Transfer) (clause 2.1.1a, 2.2.3a, 3.6.5, 3.6.6, 6.3.2, 6.5b, 12.5)

Communications / Awareness Training
• Annual Security Communication Strategy / Plan (clause 12.6.1(a))
• SEC01 - New Employee Awareness Training
• SEC02 - Annual Awareness Training
• SEC03 - Information Handling & Classification
• SEC04 - Call-Centre CDE In Scope Training
• SEC05 - Credit Card Security Training CHE In Scope
• SEC06 - IT Privileged User CDE In Scope Training
• SEC07 - Monthly Enterprise Security Compendium
• SEC08 - Contractor or Service Providers

Policies
• Policy (clause 3.1.1, 12.1, 12.4, 12.6.2)
• Enterprise Security Policy (clause 12)
• Acceptable Use Policy (clause 12)
• Risk Management Policy (clause 12)
• Classification Schema Policy (clause 12)
• Privacy Breach Protocol (clause 12.5.3, 12.9)

Procedures
• Procedure (clauses 3.1, 3.4, 3.6, 6.4, 8.5.7, 9.2, 11.2, 12.2, 12.4, 12.5.1, 12.5.3, 12.8, 12.9.1)
• Information Handling Procedure (clause 4, 6.2, 6.3)
• Security Incident Response Team Procedure (clause 12.5.3, 12.9)
• Personal Information Breach Plan (clause 12.5.3, 12.9)
• Document Control Procedure (clause 12.5.1)
• Access Control Procedure (clause 8.5.3, 8.5.7)
• Cryptography Procedure (clause 3.4, 3.6)
• Change Control Procedure (clause 6.4, 6.4.5, 6.4.5.4)
• Visitor Procedure (clause 9.2)
• Audit Procedure (clause 10.6)
• Vulnerability Management Procedure (clause 11.2)
• Operational Security Procedure (clause 12.2)
• Security Governance RACI Chart (clause 12.4)
• Communication Plan / Strategy for Security Awareness (clause 12.6)
• Service Provider Compliance (clause 12.8)

Standards
• Security Standards (IQ, OQ, DQ, PQ) (clause 1.1, 2.2)
• Legal Registry Standard (clause 3.1.1, 9.10, 12.9.1)
• Information Retention Standard (clause 3.1)
• Media Disposal and Re-Use Standard (clause 3.1.1)
• Configuration Standards (clause 4, 6.4, 8.5.9a, 8.5.10a, 8.5.11a, 8.5.12a, 8.5.13a, 8.5.14, 8.5.15, 11.1d, 11.4b, 11.4c, 11.5)
• Information Classification Security Standard (clause 9.7.1)