Integrator Notes
Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
• Addresses all requirements in the PCI-DSS specification.
• Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
• Includes a review at least once a year and updates when the environment changes.
Per PCI-DSS 12.3, develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
• Explicit management approval.
• Authentication for use of the technology.
• A list of all such devices and the personnel with access to them.
• Labeling of devices with owner, contact information, and purpose.
• Acceptable uses of the technologies.
• Acceptable network locations for the technologies.
• A list of company-approved products.
• Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
• Activation of remote-access technologies for vendors only when needed, with immediate deactivation after use.
• Never permit cardholder data to be copied or moved to local storage devices from a remote environment.