Did you know that the Payment Card Industry Data Security Standard (PCI-DSS) requires that specific cybersecurity operations procedures be conducted on a periodic basis?
Depending on whether you’re a merchant or a service provider — and the nature of how you deal with credit cards — these mandatory procedures may include (but are not limited to):
- Security log reviews
- Patching of software and system components
- Internal and external vulnerability scans
- Firewall rule reviews
- Internal and external penetration testing (Also called pen testing: the practice of testing a computer network, web application or computer system to uncover vulnerabilities)
- Security policy updates
- Incident response testing (see article: Your Cyber Incident Response Exercise)
- Security awareness training (see article: Step Up Employee Cybersecurity Training with These 3 Resources)
Many of the operations processes required by the PCI-DSS must be executed not only at the specified frequency, but also whenever a change to the environment calls for it, such as a penetration test of a new application or a vulnerability scan of a new technology environment.
Take Note! Maintaining Records is a Must
The challenge from a compliance perspective is that these procedures must not only be executed; records must also be maintained, because you will need to demonstrate that the procedures took place if you are audited or become the subject of a breach investigation.
The PCI-DSS requires that these operations processes be executed according to documented procedures, and that the records demonstrate that these procedures were followed. Moreover, if an annual PCI-DSS assessment discovers that the execution of a periodic operations process was missed at some point over the last 12 months, that is potential grounds for your organization being deemed non-compliant.
Prepare to Succeed
“For every minute spent organizing, an hour is earned.” ~ Benjamin Franklin
It is simply not feasible to meet these PCI-DSS requirements without a formal cybersecurity operations program. Your organization needs to develop a plan for this program.
Step 1: List the periodic cybersecurity operations tasks required, with the required frequency.
Step 2: Document the procedures for the execution of each task.
Step 3: Assign personnel to execute the procedures and document the results.
Step 4: Assign one or more different personnel to review the records to make sure the procedures are being done.
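The four steps above can be backed by a simple record check: a task list with its required frequency (Step 1), the execution records (Step 3), and a reviewer's routine that flags any stretch in the last 12 months where a task was not performed on time (Step 4). The following is an added illustration, not code from the article or from STIGroup; the task frequencies and execution dates are constructed assumptions, not figures from the standard.

```python
from datetime import date, timedelta

# Step 1: each periodic task with its required frequency, expressed as the
# maximum allowed days between executions. Constructed example values.
REQUIRED_TASKS = {
    "internal vulnerability scan": 90,
    "firewall rule review": 180,
    "incident response test": 365,
    "security awareness training": 365,
}

# Step 3 output: constructed execution records (dates each procedure was done).
RECORDS = {
    "internal vulnerability scan": [date(2024, 2, 15), date(2024, 5, 10),
                                    date(2024, 9, 30), date(2024, 12, 1)],
    "firewall rule review": [date(2024, 3, 1), date(2024, 8, 20)],
    "incident response test": [date(2024, 6, 15)],
    # deliberately no records for "security awareness training"
}


def find_gaps(tasks, records, assessment_date, lookback_days=365):
    """Step 4, the reviewer's check. Returns (task, gap_start, gap_end, days)
    for every stretch inside the lookback window longer than the task's
    maximum interval. Assumes the window start is the last point at which
    every task was known to be current (e.g. the previous assessment), and
    treats a task with no record at all in the window as missed."""
    window_start = assessment_date - timedelta(days=lookback_days)
    gaps = []
    for task, max_days in tasks.items():
        done = sorted(d for d in records.get(task, [])
                      if window_start <= d <= assessment_date)
        if not done:
            gaps.append((task, window_start, assessment_date, lookback_days))
            continue
        # Walk consecutive checkpoints: window start, each execution, today.
        checkpoints = [window_start] + done + [assessment_date]
        for prev, nxt in zip(checkpoints, checkpoints[1:]):
            days = (nxt - prev).days
            if days > max_days:
                gaps.append((task, prev, nxt, days))
    return gaps


def is_compliant(tasks, records, assessment_date):
    """True only if no periodic task was missed anywhere in the lookback."""
    return not find_gaps(tasks, records, assessment_date)


if __name__ == "__main__":
    for task, start, end, days in find_gaps(REQUIRED_TASKS, RECORDS, date(2024, 12, 31)):
        print(f"MISSED {task}: {days} days between {start} and {end}")
```

Run against the sample records, the check reports the 143-day gap between vulnerability scans and the absence of any security awareness training, which is exactly the kind of finding an annual assessment would raise.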
As you go through this exercise, you’ll likely discover that you aren’t sure how to interpret a particular operations requirement, or that you don’t have sufficient personnel to execute the procedures according to the prescribed frequency.
If that is the case, you may need to contract outside assistance to work with you to develop some of the procedures, or to handle some of the operations tasks. Maybe you’ll need to hire more personnel or reassign existing personnel away from lower priorities.
You won’t know until you develop the plan. And you won’t achieve PCI-DSS compliance without a formal cybersecurity operations program.
Dominic Genzano is the CEO and Founder of STIGroup, an Information Security Consulting firm that provides a full suite of Information Security services. In his role, Dominic leads the continued development of the CyberSecurity services strategy. As an established cybersecurity industry expert, and a principal consultant of STIGroup, he has led significant security initiatives for major private corporations and public sector entities. Dominic can be reached at firstname.lastname@example.org.