Complying with PCI DSS–Part 6: Maintain an Information Security Policy

According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance, and the last entry is Maintain an Information Security Policy, which includes PCI Requirement 12.

To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data, Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program, Part 4: Complying with PCI DSS–Part 4: Implement Strong Access Control Measures and Part 5: Complying with PCI DSS–Part 5: Regularly Monitor and Test Networks.

Requirement 12: Maintain a policy that addresses information security for all personnel.

PCI DSS Quick Reference Guide description: A strong security policy sets the security tone for an entire organization, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.

Solution: The spirit of this requirement is to ensure the adoption of a Corporate Information Security Policy (CISP).  Although policy-based, F5 solutions don’t, by themselves, meet this requirement in context.  F5 products facilitate adherence to the CISP, but they do not actually comprise a CISP.  That said, F5 products can help organizations roll out business policies and security policies together.  Applications needn’t be built and deployed in a vacuum; F5 technologies can be implemented in conjunction with corporate policies that address information security.


Since the inception of the PCI DSS, organizations have been laboring to understand, implement, and comply with its guidelines.  Often, achieving that goal requires deploying and managing several different types of devices.  The BIG-IP platform enables organizations to understand inherent threats and take specific measures to protect their web application infrastructures and to satisfy many PCI DSS requirements.


Published Apr 25, 2012
Version 1.0
