Above is a table. It's kind of hard to read, but if you click on it you should be able to get a larger view of it. Security poicy requirements affect to some degree every campus merchant the table maps the PCI requirement needing a written policy to the respective Self Assessment Questionnaire (SAQ).
For example, a merchant that outsources its processing and qualifies to SAQ A has to implement policies for managing their service provider(s) (12.8) and for handling the paper media with cardholder data (9.7, 9.9, and 9.10). I decided to include 3.1 in the table since to meet the relevant parts of requirement 9 you need to develop a data retention and disposal policy.
If you use another SAQ you have more policy work to do.
Your first option is to develop your security policies independently from scratch. This choice has the advantage of responding to your organization’s operations and business needs and culture.
Your second option is to search for models templates to give yourself a head start. This is the “Google is your friend” approach. If you decide to follow this approach, three sites in particular merit your attention:
- SANS Institute has a excellent resources including whitepapers that can help get you started
- NIST’s Computer Security Resource Center is another good source
- Educause has a Data Incident Notification Toolkit.
The good news is that many schools view their security policies as public information. As a Higher Ed institution, you are part of a very collaborative group of people. Therefore, some of the best potential examples may be available to you on the web.
But if you can't find good examples, there may still be an option.
That will be the subject of Part 3.
Posts
No comments:
Post a Comment