WEBVTT

00:00:01.909 --> 00:00:05.545
The last requirement in all of the 12 PCI DSS

00:00:05.545 --> 00:00:07.909
requirements concerns policies and procedures,

00:00:07.909 --> 00:00:10.909
and that's what requirement 1.5 demands.

00:00:10.909 --> 00:00:11.337
Simply,

00:00:11.337 --> 00:00:16.766
an organization has to have written security policies and any associated

00:00:16.766 --> 00:00:22.909
operational procedures or processes as required by PCI DSS.

00:00:22.909 --> 00:00:24.909
The policies need to be documented,

00:00:24.909 --> 00:00:26.909
they need to be available to anyone who needs to use them,

00:00:26.909 --> 00:00:29.370
they need to be kept up to date,

00:00:29.370 --> 00:00:33.909
and they also very clearly need to be in use by the organization.

00:00:33.909 --> 00:00:36.909
In previous versions of PCI DSS,

00:00:36.909 --> 00:00:38.909
this was actually all in requirement 12 at the end.

00:00:38.909 --> 00:00:41.242
There was a general overall requirement that said you

00:00:41.242 --> 00:00:42.909
must have policies and procedures.

00:00:42.909 --> 00:00:43.659
But now,

00:00:43.659 --> 00:00:46.409
because it's recognized that different teams are typically

00:00:46.409 --> 00:00:48.337
responsible for each of the different requirements,

00:00:48.337 --> 00:00:51.576
this mandate for policies and procedures is included

00:00:51.576 --> 00:00:52.909
within each requirement separately.

00:00:52.909 --> 00:00:56.909
You'll see it at the end of every single requirement we look at.

00:00:56.909 --> 00:00:59.659
The QSA will want to review all of these policies and procedures,

00:00:59.659 --> 00:01:03.659
and they'll typically ask for these to be sent in advance of an

00:01:03.659 --> 00:01:06.909
assessment so they can read them before they come on site.

00:01:06.909 --> 00:01:10.909
When the QSA is on site, they'll want to make sure the documents are accessible.

00:01:10.909 --> 00:01:12.909
So that means they're going to be looking for them,

00:01:12.909 --> 00:01:13.195
for instance,

00:01:13.195 --> 00:01:15.242
to be on an intranet rather than being printouts and kept

00:01:15.242 --> 00:01:17.909
in the cupboards locked away somewhere.

00:01:17.909 --> 00:01:20.284
They're going to interview people who should be aware of and

00:01:20.284 --> 00:01:22.909
should be using these policies and procedures.

00:01:22.909 --> 00:01:23.909
So they'll ask, where is the policy?

00:01:23.909 --> 00:01:27.909
Show me the procedure you follow when you do something.

00:01:27.909 --> 00:01:29.909
I know that policies and procedures are boring,

00:01:29.909 --> 00:01:33.464
but without them there's no evidence that an

00:01:33.464 --> 00:01:36.909
organization intends to comply with PCI DSS.

00:01:36.909 --> 00:01:39.909
And honestly, in the event of a data breach,

00:01:39.909 --> 00:01:43.242
the lack of policies and procedures is instantly going to put liability

00:01:43.242 --> 00:01:47.159
back on the breached entity because they can't demonstrate they have

00:01:47.159 --> 00:01:50.909
the intention of complying with the standard by having the necessary

00:01:50.909 --> 00:01:52.909
policies and procedures in place.

00:01:52.909 --> 00:01:56.766
We're going to finish this module with a short conversation between Jacob

00:01:56.766 --> 00:02:00.909
and me about personal firewalls and about policies.

00:02:00.909 --> 00:02:04.766
I know you're thinking that there's probably nothing duller than two

00:02:04.766 --> 00:02:06.909
QSAs discussing information security policies.

00:02:06.909 --> 00:02:07.242
Look,

00:02:07.242 --> 00:02:10.659
I promise you we only have this discussion about policies

00:02:10.659 --> 00:02:12.909
once in respect of requirement 1.5.

00:02:12.909 --> 00:02:15.909
So, for the other 11 PCI DSS requirements,

00:02:15.909 --> 00:02:17.909
we're not going to mention them at all.

00:02:17.909 --> 00:02:20.909
And honestly, it's not that boring.

00:02:20.909 --> 00:02:24.909
After the conversation with Jacob, the next module looks at requirement 2,

00:02:24.909 --> 00:02:27.909
which is another infrastructure-focused requirement,

00:02:27.909 --> 00:02:29.909
but this time looking at systems,

00:02:29.909 --> 00:02:32.909
how systems in the cardholder data environment are

00:02:32.909 --> 00:02:38.909
built and configured to be secure.
