Commit 9310c1db authored by Sasha Gazlay, committed by Corey Oas

PCI Internal Control Review Updates

parent 5b0dd4ba
+1 −0
@@ -24,6 +24,7 @@ We support the Security division's [mission and operating principles](/handbook/
   - [User Access Reviews](./access-reviews.md)
   - [Business Continuity Plan (BCP)](/handbook/business-technology/entapps-documentation/policies/gitlab-business-continuity-plan/) and [Information System Continuity (ISCP)](../../information-system-contingency-plan-iscp.md) testing
   - [Risk-based control testing](./risk-based-control-testing.md)
   - [PCI Internal Control Review](./pci-internal-control-review.md)
1. [Observation and Remediation Management](../observation-management-procedure.md)
   - Specific to Tier 3 (system-level) risks
   - Identify control weaknesses and gaps (observations)
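Review bot: the new list entry at line 17 links to `./pci-internal-control-review.md`, but the file header for the new page is not visible in this diff (only its `+28 −0` stat), so confirm the new file is committed at that path relative to this page, otherwise the link will 404. Also consider matching the link text to the page's front-matter title ("PCI Internal Control Review Procedures") so the sidebar entry and the page heading agree.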
+28 −0
---
title: "PCI Internal Control Review Procedures"
---

## Purpose

As part of our [Continuous Control Monitoring](./sec-controls.md) and to support PCI requirements 12.4.1 and 12.4.1.1, we conduct internal control reviews for selected controls.

## Process

Quarterly, issues are created to confirm that specified activities are performed as required, including testing of the Change Management process, and confirmation that log reviews and configuration reviews occur, alerts are responded to, and configurations are applied to systems per the standards. Procedures for conducting the review activity are detailed in the quarterly issues.    

## Requirements

12.4.1: 12.4.1 Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. Reviews are performed by personnel other than those responsible for performing the given task and include, but are not limited to, the following tasks:

  • Daily log reviews.
  • Configuration reviews for network security controls.
  • Applying configuration standards to new systems.
  • Responding to security alerts.
  • Change-management processes.

12.4.2.1: 12.4.2.1 Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented to include:

  • Results of the reviews.
  • Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2.
  • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.
  
 No newline at end of file
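Review bot: the requirement numbers on this new page do not agree with each other: the Purpose section says the reviews support 12.4.1 and 12.4.1.1, but the Requirements section is headed 12.4.1 and 12.4.2.1, and the 12.4.2.1 text refers to reviews "conducted in accordance with Requirement 12.4.2". Settle on one numbering so that the Purpose sentence, both Requirements headings, and the cross-reference inside 12.4.2.1 all match before merging. The Process paragraph also leaves two things the quoted requirements call for unstated: who performs the review (12.4.1 as quoted requires "personnel other than those responsible for performing the given task", so name the independent reviewer role) and where results, remediation actions, and the sign-off by the PCI DSS compliance owner are recorded (12.4.2.1 as quoted requires all three to be documented); a link to the quarterly issue template or the project where those issues are opened would make "Procedures ... are detailed in the quarterly issues" verifiable. Smaller points: each Requirements heading repeats its number ("12.4.1: 12.4.1 Reviews ..." and "12.4.2.1: 12.4.2.1 Additional requirement ..."), the Process paragraph carries trailing whitespace, and the file has no newline at end of file.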