Page 293 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security for all personnel.
Each of these requirements is spelled out in detail in the full PCI DSS standard, which can be found at www.pcisecuritystandards.org/.
Dealing with the many overlapping, and sometimes contradictory, compliance requirements facing an organization requires careful planning. Many organizations employ full-time IT compliance staff responsible for tracking the regulatory environment, monitoring controls to ensure ongoing compliance, facilitating compliance audits, and meeting the organization's compliance reporting obligations.
Organizations that are not merchants but store, process, or transmit credit card information on behalf of merchants must also comply with PCI DSS. For example, the requirements apply to shared hosting providers, who must protect the cardholder data environment.
Organizations may be subject to compliance audits, either by their standard internal and external auditors or by regulators or their agents. For example, an organization's financial auditors may conduct an IT controls audit designed to ensure that the information security controls for an organization's financial systems are sufficient to ensure compliance with the Sarbanes-Oxley Act (SOX). Some regulations, such as PCI DSS, may require the organization to retain approved independent auditors to verify controls and provide a report directly to regulators.
In addition to formal audits, organizations often must report