Control Objective 6: Maintain an Information Security Policy
This objective requires maintaining a policy that addresses information security, together with its supporting procedures. PCI DSS Requirement 12 resides within this control objective. Requirement 12 ensures that organizations handling cardholder data have clear security policies in place, which are communicated, enforced, and updated on a regular basis. In addition to establishing, publishing, and maintaining security policies, other items evaluated under this requirement include employee training and awareness, and the assignment of information security responsibilities.
By enforcing these requirements, organizations ensure that security policies are not only in place but also actively maintained, communicated, and followed, reducing the risk of security incidents.
This control objective covers the following PCI DSS requirement:
Requirement 12: Support information security with organizational policies and programs.
PCI Requirement 12.5.1 mandates that organizations have an inventory of system components that are in scope for PCI DSS. Maintaining a current list of all systems enables organizations to define which assets are in scope for PCI DSS. Recommended methods of maintaining the inventory list include databases, files, or inventory management tools.
PCI Requirements Under This Objective Supported by Tenable
As listed in PCI Requirement 12.5.1, a good practice is to keep an inventory of all assets. Those systems that are in scope for PCI DSS should be clearly identifiable among those assets.
Tenable products allow assets that have been identified to be tagged. Organizations can use tags to label assets, policies, credentials, or queries with a custom descriptor to improve filtering and object management. For example, you could add a tag named PCI DSS to label all of the assets that are in scope for PCI. Tenable Attack Surface Management continuously maps the Internet and discovers connections to your Internet-facing assets, whether internal or external to your networks, allowing organizations to discover unauthorized or unknown devices.
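The following added example (not Tenable code; the inventory, discovered-asset list, tag name and field names are all constructed for illustration) shows the reconciliation a practitioner runs before applying a scope tag: it compares the Requirement 12.5.1 inventory with what a scan or attack surface mapping actually found, producing the assets to tag as in scope, the discovered devices missing from the inventory, and the inventory entries that were never seen.

```python
"""Reconcile a PCI DSS scope inventory (Requirement 12.5.1) against
discovered assets and build the tag assignment to apply afterwards.
All data below is constructed; no scanner or API calls are made."""
import csv
import io

# Constructed inventory: what the organization believes is in PCI scope.
INVENTORY_CSV = """hostname,ip,in_pci_scope
pos-db-01,10.10.5.10,yes
pos-app-01,10.10.5.11,yes
hr-file-01,10.20.1.5,no
"""

# Constructed discovered assets, e.g. an export from a scan or ASM run.
DISCOVERED = [
    {"hostname": "pos-db-01", "ip": "10.10.5.10"},
    {"hostname": "pos-app-01", "ip": "10.10.5.11"},
    {"hostname": "unknown-9f3", "ip": "10.10.5.42"},  # absent from inventory
]


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, discovered, tag="PCI DSS"):
    """Return the tag to apply, the in-scope assets confirmed present,
    discovered assets not in the inventory (unknown devices), and
    inventory entries that were not discovered (stale or offline)."""
    seen = {a["ip"] for a in discovered}
    assign = sorted(ip for ip, row in inventory.items()
                    if row["in_pci_scope"] == "yes" and ip in seen)
    unknown = sorted(a["ip"] for a in discovered if a["ip"] not in inventory)
    missing = sorted(ip for ip in inventory if ip not in seen)
    return {"tag": tag, "assign": assign, "unknown": unknown, "missing": missing}


if __name__ == "__main__":
    result = reconcile(load_inventory(INVENTORY_CSV), DISCOVERED)
    print(f"Tag '{result['tag']}' these assets: {result['assign']}")
    print(f"Discovered but not inventoried (investigate): {result['unknown']}")
    print(f"Inventoried but not discovered (review inventory): {result['missing']}")
```

Unknown devices on a cardholder-data segment should be investigated and either added to the inventory or removed before the scope tag is applied.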
For more information on tagging assets, refer to these documents: