Requirement 12: Maintain a policy that addresses information security for all personnel.
PCI DSS Quick Reference Guide description: A strong security policy sets the security tone for an entire organization, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.
Solution: The spirit of this requirement is to ensure the adoption of a Corporate Information Security Policy (CISP). Although policy-based, F5 solutions don’t, by themselves, meet this requirement in context. F5 products facilitate adherence to the CISP, but they do not actually comprise a CISP. That said, F5 products can help organizations roll out business policies and security policies together. Applications needn’t be built and deployed in a vacuum; F5 technologies can be implemented in conjunction with corporate policies that address information security.
Since the inception of the PCI DSS, organizations have been laboring to understand, implement, and comply with its guidelines. Often, achieving that goal requires deploying and managing several different types of devices. The BIG-IP platform enables organizations to understand inherent threats and take specific measures to protect their web application infrastructures and to satisfy many PCI DSS requirements.