Writing a PCI Compliant Information Policy and Standard

I mentioned in my Securing a Cloud Based Platform post that we embarked upon an effort to build a PCI compliant security program; we really needed to improve upon several areas:

  1. We needed to improve our documentation
  2. We needed to modify existing or add new technologies
  3. We needed to improve existing or add new workflow

As we learned, most of the PCI standard is about documenting what you do and doing what you document.  Sure, there are plenty of standards stating the minimum password length, key rotation standards and data retention policies – I’ll get to some of the bits and bytes soon enough.  But let’s start with documentation, which is where I started.  What I didn’t initially understand was that there is a juicy, riveting 113 page Reporting on Compliance (“ROC”) Reporting Instructions for PCI DSS v2.0.  This is basically the auditor’s instruction book which completely describes exactly how an auditor will gather evidence, ask questions, etc…  This is the auditor’s playbook and there are 12 requirements.

So, why do I mention that the auditor’s instructions are available, because if you need to write an Information Policy and Standard document then you should organize it to correspond exactly to the PCI ROC’s organization.  Why?  Because if you don’t then you get to have the fun that I enjoyed for several months which includes providing the auditor with a map of where my policy documentation states the required language.  My policy documentation is well over 100 pages, so the exercise of mapping my 100 pages to the 113 pages of auditor instructions was a truly ridiculous waste of time.  If I had to do it over again, the first 12 sections of my policy would map directly to the 12 PCI requirements and I would store extra beyond these basic policies.  In fact, I think that it is silly that the PCI council doesn’t produce a compliant security policy document (at least not one that I could find anyway) that organizations can simply adopt, or at least use as a starting document.


About chipcorrera

Chip Correra http://about.me/ChipCorrera View all posts by chipcorrera

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: