• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
• Identifies critical assets, threats, and vulnerabilities, and
• Results in a formal, documented analysis of risk.

Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
12.3 Develop usage policies for critical technologies and define proper use of these technologies.

Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

Ensure these usage policies require the following:
12.3.1 Explicit approval by authorized parties
    You are responsible for maintaining appropriate policies and processes.

12.3.2 Authentication for use of the technology
    You are responsible for maintaining appropriate policies and processes.

12.3.3 A list of all such devices and personnel with access
    You are responsible for maintaining appropriate policies and processes.

12.3.5 Acceptable uses of the technology
    You are responsible for maintaining appropriate policies and processes.

12.3.6 Acceptable network locations for the technologies
    You are responsible for maintaining appropriate policies and processes.

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
    In the event our support personnel require remote access for troubleshooting, you will be provided with instruction on secure connection and disconnection.
    You are responsible for maintaining appropriate policies and processes.

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and
    In the event our support personnel require remote access for troubleshooting, you will be provided with
    You are responsible for maintaining appropriate policies and processes.
PCI Instruction Guide
© Toast 2018
Page 40 of 44