PCI Internal Control Review Procedures
Purpose
As part of our Continuous Control Monitoring and to support PCI requirements 12.4.1 and 12.4.1.1, we conduct internal control reviews for selected controls.
Process
Each quarter, issues are created to confirm that the specified activities are performed as required. These include testing of the Change Management process and confirmation that log reviews and configuration reviews occur, that security alerts are responded to, and that configuration standards are applied to new systems. The procedures for conducting each review activity are detailed in the quarterly issues.
Requirements
12.4.1: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. Reviews are performed by personnel other than those responsible for performing the given task and include, but are not limited to, the following tasks:
• Daily log reviews.
• Configuration reviews for network security controls.
• Applying configuration standards to new systems.
• Responding to security alerts.
• Change-management processes.
12.4.2.1: Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented to include:
• Results of the reviews.
• Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2.
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program.