Maintain an Information Security Policy

June 22nd, 2007

Requirement 12 of the PCI DSS states, “Requirement 12: Maintain a policy that addresses information security for employees and contractors.” If you want to be successful at PCI, start your policy effort by segregating your environments. Have an information security policy that is specifically for the cardholder environment. This will make auditing and testing your environment much easier because you won’t have to hold your entire environment to such high standards, and it will help you achieve compliance fast.

You can read a lot more compliance discussion at this site.

Further, 12.1 basically says you need a policy that addresses every single item in the PCI DSS:

Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

12.1.1 Addresses all requirements in this specification.
12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
12.1.3 Includes a review at least once a year and updates when the environment changes.

Information Security Policy for PCI compliance

June 21st, 2007

I’d like to offer one secret to fast PCI compliance today. Get ready, here it comes… All successful PCI compliance efforts start with an Information Security Policy. This might be called an IT Security Policy, an Info Sec Policy, a Data Protection Policy or just a Security Policy. What the Information Security Policy is called doesn’t matter. What the Information Security Policy contains does matter.

If you have a properly crafted Information Security Policy you will immediately be compliant with 50% of the more than 250 audit items in the PCI DSS. That’s right, a single document can make you compliant with half of the PCI DSS. That’s a great start, and that document will give everyone basic instructions on how to finish the remainder. I’ll post more about this secret later this week.

Information Security Policy a PCI Compliance Secret

June 10th, 2007

My compliance colleagues and I have recently spent a lot of time working with companies on their PCI compliance efforts. PCI compliance is being mandated by Visa and the other card companies to shift risk to merchants and service providers. The method they are using to shift risk is to mandate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

PCI compliance is very important for merchants and service providers because fines and penalties are about to be imposed on those merchants and service providers that are not PCI compliant. Plus, the news has been full of reports of data breaches that have resulted in millions of stolen credit card numbers. Most of the companies we work with will spend thousands of dollars to become compliant. Even though they spend thousands, they will still be fined and the people responsible for PCI compliance will be fired. How can this be? It’s easy: they don’t know the secrets to compliance. I will follow up with more in my next post.

Welcome To The Blog

June 6th, 2007

I’m starting this blog to help people through compliance problems of all types. I’ve spent the last several years working with many different types of organizations to achieve compliance. Those organizations include some of the largest in the world, fast-growing Internet companies and small retailers. While this work has been hugely successful and rewarding, I’ve also seen what I call the dark side of compliance. The dark side includes huge amounts of wasted time, money and energy because people didn’t understand the fundamentals of how to achieve compliance fast.

In the future I’ll discuss many topics and reveal my personal compliance secrets. Those secrets are some of the things that have helped me become successful and guide organizations to their compliance goals. Those secrets include money-saving tips on PCI compliance, Sarbanes-Oxley compliance, Gramm-Leach-Bliley compliance and many others.

Stay tuned for compliance tips.