Friday, January 15, 2010

PCI Security Policies and You - Part 3


When the going gets tough, the tough get help.

At least that's how I look at it, especially when dealing with policy development.

An automated PCI security policy template is a productivity tool that makes sense. A tool - any tool - can't write a good policy for you. What it can do, however, is give you a starting point and guide you along the way to developing all the policies you need. A good tool provides a discipline and thoroughness to keep you from missing something important. It also saves you and your colleagues time and effort by letting you focus on what is important: developing actual policy details that work for your school.

A good security policy template provides you with a structure while preserving flexibility. It also should lead you to additional resources where this can be useful. I've provided an example of this above for a policy addressing web application security policy. (Yes, I know it's impossible to read, but if you click on it you should get an enlarged version.)

Another feature to look for in a policy template is the ability to cross-reference your policies to the PCI requirements. I'm not saying that your policies have to mimic the DSS numbering system, but being able to cross-reference your policies to the DSS can be a time saver.

So the obvious question is where can you find a security policy template? The obvious first answer may be to search the web, but my personal opinion is that this would be one case where Google is not your friend: I searched for "security policy template" and turned up over 41 million links.

A better approach would be to start with the public sources noted in the previous post. Some of these sources may have templates although I'm not sure all are PCI-specific. You also can ask your QSA if they have a policy template tool. Many QSA firms have templates that you can buy and use on your own or with additional consulting assistance. Either way you get a tool that is designed to help you write high quality PCI security policies in the fastest and (hopefully) most painless way. There will be a cost for the templates and for additional support, but compared to the person-hours you will save over developing your own policies from scratch the investment may make sense.

Another approach is to take advantage of the fact that Higher Ed institutions collaborate. Check with your peers who are managing the PCI program for their schools to see if they have policies that you might be able to use as a guide. They may not be able to solve all your needs, but maybe they can give you a start.

I am planning on a session at the Treasury Institute's PCI Workshop in May addressing PCI policy development. Several individuals have volunteered to help, so I am hopeful we will have a good discussion. (You have registered for the Workshop, right...?)

In the meantime, give a thought to using a policy template. Your PCI policies do not have to be long, wordy documents. My own belief is that policies should be simple declarative sentences. The fewer words the better. Your procedures may be more lengthy, but the policies can be straightforward, so don't fall into the trap of making them cover every possible contingency.

That's another advantage of a template: it keeps you focused.

No comments:

Post a Comment