diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index 3e0a6d72cba..9ce38463576 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -3319,7 +3319,7 @@ controls: protection of the entity's information assets is known and current. levels: - base - status: pending + status: not applicable controls: - id: 12.1.1 title: An overall information security policy is established, published, maintained and @@ -3327,14 +3327,14 @@ controls: partners. levels: - base - status: pending + status: not applicable - id: 12.1.2 title: The information security policy is updated and reviewed at least once every 12 months. levels: - base - status: pending + status: not applicable - id: 12.1.3 title: The security policy clearly defines information security roles and responsibilities @@ -3344,7 +3344,7 @@ controls: Personnel understand their role in protecting the entity's cardholder data. levels: - base - status: pending + status: not applicable - id: 12.1.4 title: Responsibility for information security is formally assigned to a Chief Information @@ -3354,26 +3354,26 @@ controls: A designated member of executive management is responsible for information security. levels: - base - status: pending + status: not applicable - id: '12.2' title: Acceptable use policies for end-user technologies are defined and implemented. levels: - base - status: pending + status: not applicable controls: - id: 12.2.1 title: Acceptable use policies for end-user technologies are documented and implemented. levels: - base - status: pending + status: not applicable - id: '12.3' title: Risks to the cardholder data environment are formally identified, evaluated, and managed. levels: - base - status: pending + status: not applicable controls: - id: 12.3.1 title: Each PCI DSS requirement that provides flexibility for how frequently it is performed 
@@ -3381,21 +3381,21 @@ controls: analysis that is documented. levels: - base - status: pending + status: not applicable - id: 12.3.2 title: A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach levels: - base - status: pending + status: not applicable - id: 12.3.3 title: Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months. levels: - base - status: pending + status: not applicable notes: |- Related to requirement 2.2.7. @@ -3403,7 +3403,7 @@ controls: title: Hardware and software technologies in use are reviewed at least once every 12 months. levels: - base - status: pending + status: not applicable notes: |- The technical requirement related to this is 6.3.3. @@ -3411,7 +3411,7 @@ controls: title: PCI DSS compliance is managed. levels: - base - status: pending + status: not applicable controls: - id: 12.4.1 title: 'Additional requirement for service providers only: Responsibility is established by @@ -3419,7 +3419,7 @@ controls: program.' levels: - base - status: pending + status: not applicable - id: 12.4.2 title: 'Additional requirement for service providers only: Reviews are performed at least @@ -3430,20 +3430,20 @@ controls: task. levels: - base - status: pending + status: not applicable controls: - id: 12.4.2.1 title: 'Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented.' levels: - base - status: pending + status: not applicable - id: '12.5' title: PCI DSS scope is documented and validated. levels: - base - status: pending + status: not applicable controls: - id: 12.5.1 title: An inventory of system components that are in scope for PCI DSS, including a 
@@ -3452,14 +3452,14 @@ controls: All system components in scope for PCI DSS are identified and known. levels: - base - status: pending + status: not applicable - id: 12.5.2 title: PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. levels: - base - status: pending + status: not applicable controls: - id: 12.5.2.1 title: 'Additional requirement for service providers only: PCI DSS scope is documented and @@ -3474,7 +3474,7 @@ controls: PCI DSS assessment. levels: - base - status: pending + status: not applicable - id: 12.5.3 title: 'Additional requirement for service providers only: Significant changes to @@ -3487,13 +3487,13 @@ controls: considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable - id: '12.6' title: Security awareness education is an ongoing activity. levels: - base - status: pending + status: not applicable controls: - id: 12.6.1 title: A formal security awareness program is implemented to make all personnel aware of the @@ -3505,27 +3505,27 @@ controls: when required. levels: - base - status: pending + status: not applicable - id: 12.6.2 title: The security awareness program is updated and reviewed at least once every 12 months. levels: - base - status: pending + status: not applicable - id: 12.6.3 title: Personnel receive security awareness training upon hire and at least once every 12 months via multiple methods of communication. levels: - base - status: pending + status: not applicable controls: - id: 12.6.3.1 title: Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE. levels: - base - status: pending + status: not applicable - id: 12.6.3.2 title: Security awareness training includes awareness about the acceptable use of end-user 
@@ -3537,13 +3537,13 @@ controls: must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable - id: '12.7' title: Personnel are screened to reduce risks from insider threats. levels: - base - status: pending + status: not applicable controls: - id: 12.7.1 title: Potential personnel who will have access to the CDE are screened, within the @@ -3556,14 +3556,14 @@ controls: requirement is a recommendation only. levels: - base - status: pending + status: not applicable - id: '12.8' title: Risk to information assets associated with third-party service provider (TPSP) relationships is managed. levels: - base - status: pending + status: not applicable controls: - id: 12.8.1 title: A list of all third-party service providers (TPSPs) with which account data is shared @@ -3575,13 +3575,13 @@ controls: responsibility for its own PCI DSS compliance. levels: - base - status: pending + status: not applicable - id: 12.8.2 title: Written agreements with TPSPs are maintained levels: - base - status: pending + status: not applicable - id: 12.8.3 title: An established process is implemented for engaging TPSPs, including proper due @@ -3591,7 +3591,7 @@ controls: data are assessed before the TPSP is engaged. levels: - base - status: pending + status: not applicable - id: 12.8.4 title: A program is implemented to monitor TPSPs' PCI DSS compliance status at least once @@ -3604,7 +3604,7 @@ controls: PCI DSS requirements, then those requirements are also "not in place" for the entity. levels: - base - status: pending + status: not applicable - id: 12.8.5 title: Information is maintained about which PCI DSS requirements are managed by each TPSP, 
@@ -3614,13 +3614,13 @@ controls: TPSP is solely or jointly responsible, are maintained and reviewed periodically. levels: - base - status: pending + status: not applicable - id: '12.9' title: Third-party service providers (TPSPs) support their customers' PCI DSS compliance. levels: - base - status: pending + status: not applicable controls: - id: 12.9.1 title: |- @@ -3637,7 +3637,7 @@ controls: requirement. levels: - base - status: pending + status: not applicable - id: 12.9.2 title: |- @@ -3645,7 +3645,7 @@ controls: for information to meet Requirements 12.8.4 and 12.8.5. levels: - base - status: pending + status: not applicable - id: '12.10' title: Suspected and confirmed security incidents that could impact the CDE are responded to @@ -3659,14 +3659,14 @@ controls: suspected or confirmed security incident. levels: - base - status: pending + status: not applicable - id: 12.10.2 title: At least once every 12 months, the security incident response plan is reviewed, updated, and tested. levels: - base - status: pending + status: not applicable - id: 12.10.3 title: Specific personnel are designated to be available on a 24/7 basis to respond to @@ -3675,7 +3675,7 @@ controls: Incidents are responded to immediately where appropriate. levels: - base - status: pending + status: not applicable - id: 12.10.4 title: Personnel responsible for responding to suspected and confirmed security incidents @@ -3685,7 +3685,7 @@ controls: are able to access assistance and guidance when required. levels: - base - status: pending + status: not applicable controls: - id: 12.10.4.1 title: The frequency of periodic training for incident response personnel is defined in 
@@ -3697,14 +3697,14 @@ controls: and must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable - id: 12.10.5 title: The security incident response plan includes monitoring and responding to alerts from security monitoring systems. levels: - base - status: pending + status: not applicable - id: 12.10.6 title: The security incident response plan is modified and evolved according to lessons @@ -3714,14 +3714,14 @@ controls: each invocation. levels: - base - status: pending + status: not applicable - id: 12.10.7 title: Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected. levels: - base - status: pending + status: not applicable - id: A1.1 title: Multi-tenant service providers protect and separate all customer environments and data.
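Review bot: every Requirement 12 control is flipped from `status: pending` to `status: not applicable` with no rationale recorded, which is a problem for the controls the file itself ties to technical requirements. 12.3.3 keeps the note `Related to requirement 2.2.7.` and 12.3.4 keeps `The technical requirement related to this is 6.3.3.`, and 12.10.5 (monitoring and responding to alerts from security monitoring systems) and 12.10.7 (procedures initiated on detection of stored PAN) both have a platform-side component; marking them wholesale as not applicable risks an assessor reading the profile as though the whole requirement is out of scope for the product. Suggest adding a `notes:` entry on those controls (the hunk already uses the `notes: |-` form) stating that the policy and personnel parts are the customer's responsibility and that the technical part is covered by the referenced requirement, and ideally a one-line rationale on the parent `'12.x'` entries so the reason for "not applicable" is discoverable in the file rather than only in this change's history.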