Merge pull request #12280 from rhmdnd/pci-dss-requirement-12
pci dss requirement 12
yuumasato authored Aug 8, 2024
2 parents ce7a8e0 + cf14fc8 commit 3ed7515
Showing 1 changed file with 46 additions and 46 deletions.
92 changes: 46 additions & 46 deletions controls/pcidss_4_ocp4.yml
@@ -3319,22 +3319,22 @@ controls:
protection of the entity's information assets is known and current.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.1.1
title: An overall information security policy is established, published, maintained and
disseminated to all relevant personnel, as well as to relevant vendors and business
partners.
levels:
- base
status: pending
status: not applicable

- id: 12.1.2
title: The information security policy is updated and reviewed at least once every 12
months.
levels:
- base
status: pending
status: not applicable

- id: 12.1.3
title: The security policy clearly defines information security roles and responsibilities
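Review bot: every control in this hunk (12.1 and its children 12.1.1 and 12.1.2) moves from `pending` to `not applicable` without a `notes:` entry saying why. For a product profile the reason is presumably that these are policy and documentation items a scan of the platform cannot assess, but the file already uses `notes:` to record that kind of rationale (see 12.3.3 and 12.3.4 further down), so a single note on the 12.1 parent such as `Organizational policy requirement; not assessable on the product.` would make the status auditable and distinguish it from a requirement that is genuinely irrelevant to the platform.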
@@ -3344,7 +3344,7 @@ controls:
Personnel understand their role in protecting the entity's cardholder data.
levels:
- base
status: pending
status: not applicable

- id: 12.1.4
title: Responsibility for information security is formally assigned to a Chief Information
@@ -3354,72 +3354,72 @@ controls:
A designated member of executive management is responsible for information security.
levels:
- base
status: pending
status: not applicable

- id: '12.2'
title: Acceptable use policies for end-user technologies are defined and implemented.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.2.1
title: Acceptable use policies for end-user technologies are documented and implemented.
levels:
- base
status: pending
status: not applicable

- id: '12.3'
title: Risks to the cardholder data environment are formally identified, evaluated, and
managed.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.3.1
title: Each PCI DSS requirement that provides flexibility for how frequently it is performed
(for example, requirements to be performed periodically) is supported by a targeted risk
analysis that is documented.
levels:
- base
status: pending
status: not applicable

- id: 12.3.2
title: A targeted risk analysis is performed for each PCI DSS requirement that the entity
meets with the customized approach
levels:
- base
status: pending
status: not applicable

- id: 12.3.3
title: Cryptographic cipher suites and protocols in use are documented and reviewed at least
once every 12 months.
levels:
- base
status: pending
status: not applicable
notes: |-
Related to requirement 2.2.7.
- id: 12.3.4
title: Hardware and software technologies in use are reviewed at least once every 12 months.
levels:
- base
status: pending
status: not applicable
notes: |-
The technical requirement related to this is 6.3.3.
- id: '12.4'
title: PCI DSS compliance is managed.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.4.1
title: 'Additional requirement for service providers only: Responsibility is established by
executive management for the protection of cardholder data and a PCI DSS compliance
program.'
levels:
- base
status: pending
status: not applicable

- id: 12.4.2
title: 'Additional requirement for service providers only: Reviews are performed at least
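Review bot: the two `notes:` entries in this hunk use different wording and leave the status ambiguous: 12.3.3 says `Related to requirement 2.2.7.` while 12.3.4 says `The technical requirement related to this is 6.3.3.` Now that both controls read `not applicable`, a reader cannot tell whether the annual cipher-suite review (12.3.3) and the technology review (12.3.4) are considered covered by those technical controls or are simply out of scope for the product. Suggest one form for both, e.g. `Documentation requirement; the technical side is assessed under 2.2.7.`, so the cross-reference states what the not-applicable status actually means.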
@@ -3430,20 +3430,20 @@ controls:
task.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.4.2.1
title: 'Additional requirement for service providers only: Reviews conducted in accordance
with Requirement 12.4.2 are documented.'
levels:
- base
status: pending
status: not applicable

- id: '12.5'
title: PCI DSS scope is documented and validated.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.5.1
title: An inventory of system components that are in scope for PCI DSS, including a
@@ -3452,14 +3452,14 @@ controls:
All system components in scope for PCI DSS are identified and known.
levels:
- base
status: pending
status: not applicable

- id: 12.5.2
title: PCI DSS scope is documented and confirmed by the entity at least once every 12 months
and upon significant change to the in-scope environment.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.5.2.1
title: 'Additional requirement for service providers only: PCI DSS scope is documented and
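Review bot: 12.5.1 (an inventory of in-scope system components, described here as `All system components in scope for PCI DSS are identified and known.`) is marked `not applicable` like the pure policy items, but unlike them it has a technical counterpart, since the scope inventory is built from what the platform actually runs. A `notes:` entry in the style of 12.3.3 and 12.3.4 saying whether that inventory is expected from the operator's asset-management process or from the cluster itself would keep the status from reading as "the platform has no part in this".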
@@ -3474,7 +3474,7 @@ controls:
PCI DSS assessment.
levels:
- base
status: pending
status: not applicable

- id: 12.5.3
title: 'Additional requirement for service providers only: Significant changes to
@@ -3487,13 +3487,13 @@ controls:
considered during a PCI DSS assessment.
levels:
- base
status: pending
status: not applicable

- id: '12.6'
title: Security awareness education is an ongoing activity.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.6.1
title: A formal security awareness program is implemented to make all personnel aware of the
@@ -3505,27 +3505,27 @@ controls:
when required.
levels:
- base
status: pending
status: not applicable

- id: 12.6.2
title: The security awareness program is updated and reviewed at least once every 12 months.
levels:
- base
status: pending
status: not applicable

- id: 12.6.3
title: Personnel receive security awareness training upon hire and at least once every 12
months via multiple methods of communication.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.6.3.1
title: Security awareness training includes awareness of threats and vulnerabilities that
could impact the security of the CDE.
levels:
- base
status: pending
status: not applicable

- id: 12.6.3.2
title: Security awareness training includes awareness about the acceptable use of end-user
@@ -3537,13 +3537,13 @@ controls:
must be fully considered during a PCI DSS assessment.
levels:
- base
status: pending
status: not applicable

- id: '12.7'
title: Personnel are screened to reduce risks from insider threats.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.7.1
title: Potential personnel who will have access to the CDE are screened, within the
@@ -3556,14 +3556,14 @@ controls:
requirement is a recommendation only.
levels:
- base
status: pending
status: not applicable

- id: '12.8'
title: Risk to information assets associated with third-party service provider (TPSP)
relationships is managed.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.8.1
title: A list of all third-party service providers (TPSPs) with which account data is shared
@@ -3575,13 +3575,13 @@ controls:
responsibility for its own PCI DSS compliance.
levels:
- base
status: pending
status: not applicable

- id: 12.8.2
title: Written agreements with TPSPs are maintained
levels:
- base
status: pending
status: not applicable

- id: 12.8.3
title: An established process is implemented for engaging TPSPs, including proper due
@@ -3591,7 +3591,7 @@ controls:
data are assessed before the TPSP is engaged.
levels:
- base
status: pending
status: not applicable

- id: 12.8.4
title: A program is implemented to monitor TPSPs' PCI DSS compliance status at least once
@@ -3604,7 +3604,7 @@ controls:
PCI DSS requirements, then those requirements are also "not in place" for the entity.
levels:
- base
status: pending
status: not applicable

- id: 12.8.5
title: Information is maintained about which PCI DSS requirements are managed by each TPSP,
@@ -3614,13 +3614,13 @@ controls:
TPSP is solely or jointly responsible, are maintained and reviewed periodically.
levels:
- base
status: pending
status: not applicable

- id: '12.9'
title: Third-party service providers (TPSPs) support their customers' PCI DSS compliance.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.9.1
title: |-
@@ -3637,15 +3637,15 @@ controls:
requirement.
levels:
- base
status: pending
status: not applicable

- id: 12.9.2
title: |-
Additional requirement for service providers only: TPSPs support their customers' requests
for information to meet Requirements 12.8.4 and 12.8.5.
levels:
- base
status: pending
status: not applicable

- id: '12.10'
title: Suspected and confirmed security incidents that could impact the CDE are responded to
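Review bot: 12.9.1 and 12.9.2 carry `Additional requirement for service providers only` in their titles, yet they receive the same `not applicable` status as the organization-wide controls above. If the profile targets the platform regardless of who operates it, that is defensible, but a short `notes:` entry saying the status is due to the control being a service-provider obligation rather than a product capability (and the same for 12.4.1, 12.4.2, 12.4.2.1, 12.5.2.1 and 12.5.3, which are flagged the same way) would keep that distinction visible to anyone using this file in an assessment.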
@@ -3659,14 +3659,14 @@ controls:
suspected or confirmed security incident.
levels:
- base
status: pending
status: not applicable

- id: 12.10.2
title: At least once every 12 months, the security incident response plan is reviewed,
updated, and tested.
levels:
- base
status: pending
status: not applicable

- id: 12.10.3
title: Specific personnel are designated to be available on a 24/7 basis to respond to
@@ -3675,7 +3675,7 @@ controls:
Incidents are responded to immediately where appropriate.
levels:
- base
status: pending
status: not applicable

- id: 12.10.4
title: Personnel responsible for responding to suspected and confirmed security incidents
@@ -3685,7 +3685,7 @@ controls:
are able to access assistance and guidance when required.
levels:
- base
status: pending
status: not applicable
controls:
- id: 12.10.4.1
title: The frequency of periodic training for incident response personnel is defined in
@@ -3697,14 +3697,14 @@ controls:
and must be fully considered during a PCI DSS assessment.
levels:
- base
status: pending
status: not applicable

- id: 12.10.5
title: The security incident response plan includes monitoring and responding to alerts from
security monitoring systems.
levels:
- base
status: pending
status: not applicable

- id: 12.10.6
title: The security incident response plan is modified and evolved according to lessons
Expand All @@ -3714,14 +3714,14 @@ controls:
each invocation.
levels:
- base
status: pending
status: not applicable

- id: 12.10.7
title: Incident response procedures are in place, to be initiated upon the detection of
stored PAN anywhere it is not expected.
levels:
- base
status: pending
status: not applicable

- id: A1.1
title: Multi-tenant service providers protect and separate all customer environments and data.
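Review bot: 12.10.5 (`The security incident response plan includes monitoring and responding to alerts from security monitoring systems.`) is the one control in this hunk with a direct technical dependency, because the alerts it refers to are produced by the logging and monitoring requirements elsewhere in the standard; marking it `not applicable` with no `notes:` cross-reference, while 12.3.3 and 12.3.4 received one, hides that link. Suggest a note pointing at the monitoring controls the response plan would consume, and the same for 12.10.7, which is triggered by detection of stored PAN where it is not expected, i.e. by a technical data-discovery check rather than by policy alone.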
