Requirement 12: Maintain a policy that addresses information security for all personnel.
A risk assessment must be performed annually and after significant changes to identify critical assets, threats, and vulnerabilities. A documented analysis of risks should be produced and retained for reference and progress tracking in risk mitigation efforts.
Usage policies should be established for critical technologies to match the requirements of 12.3. These policies help to ensure that remote access devices and technologies are used only in approved ways.
Information security responsibilities should be defined clearly in the security policy (see 12.4 and 12.5 for more detail on this). Service providers must also define a charter for a PCI DSS compliance program and assign overall accountability for maintaining compliance with the PCI DSS.
A formal security awareness training program must be used to ensure that all employees are trained upon hire and at least annually on the importance of cardholder data security. Multiple methods of training should be in place, such as security awareness posters, email notifications, and/or computer-based training.
Screen new employees (or employees promoted to a role that requires access to the CDE) with background checks to minimize the risk of attacks from inside sources.
Use a vendor management program to ensure that PCI DSS compliance is verified annually for all partners and service providers to whom cardholder data is sent, or who could impact the security of your cardholder data.
Establish an incident response plan, and test it at least annually. Specific incident response plan requirements are listed in requirement 12.10.