Requirement 5.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 5. While it is important to define the specific policies or procedures called out in Requirement 5, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Anti-malware solutions provide a critical layer of defense against malicious software that can compromise system components and cardholder data. Deploying anti-malware on all system components helps ensure comprehensive protection.
Anti-malware solutions should be deployed on all system components that are commonly affected by malware, including servers, workstations, and mobile devices. The type of anti-malware solution should be appropriate for the operating system and environment.
Not all system components are commonly affected by malware. Periodic evaluations help determine which system components require anti-malware protection based on current threat information and the system's exposure.
Evaluations should be performed at least annually and should consider the latest threat intelligence, the system's function, and its connectivity to other systems. The results and conclusions of each evaluation should be documented.
System components that are not commonly affected by malware should be periodically re-evaluated to confirm that anti-malware protection is not needed. Threats evolve, and a system that was not previously at risk may become a target.
Re-evaluations should be performed periodically, at a frequency defined by the entity's targeted risk analysis. If the re-evaluation determines that anti-malware protection is now needed, it should be deployed promptly.
The frequency of periodic re-evaluations should be based on a risk analysis that considers factors such as the threat landscape, the system's exposure, and the potential impact of a malware infection.
The targeted risk analysis should be documented and should define the frequency of re-evaluation. The analysis should be reviewed and updated as the threat landscape changes.
Keeping anti-malware solutions current ensures they can detect and protect against the latest known malware threats. Anti-malware that is not updated may fail to detect newer malware variants.
Anti-malware solutions should be configured for automatic updates. The update process should be monitored to ensure updates are being applied successfully.
Periodic scans and active or real-time scanning provide complementary protection. Real-time scanning detects malware as it is introduced, while periodic scans can detect malware that may have been missed or introduced before real-time scanning was active.
Both periodic and real-time scanning should be enabled where supported. If continuous behavioral analysis is used as an alternative to periodic or real-time scans, it should be capable of detecting known and unknown malware.
Removable electronic media can introduce malware into the environment if not scanned. Scanning removable media when inserted helps prevent malware from being introduced through this vector.
Anti-malware solutions should be configured to automatically scan removable media when it is inserted, connected, or mounted. If automatic scanning is not feasible, removable media should be scanned manually before use.
Audit logs of anti-malware activity provide evidence that the solution is functioning properly and can help in investigating security incidents. Without logs, it may be impossible to determine when malware was detected or whether it was successfully removed.
Anti-malware logs should capture scan results, updates, and any detected malware. Logs should be retained in accordance with Requirement 10.7 and should be reviewed regularly.
If users can disable anti-malware solutions, systems are left vulnerable to malware attacks. Preventing users from disabling or altering anti-malware settings helps ensure continuous protection.
Anti-malware solutions should be configured so that they cannot be disabled or altered by users. If there is a legitimate business need to temporarily disable anti-malware, a formal process should be in place requiring management approval, and the solution should be re-enabled as soon as possible.
Management-authorized exceptions might include situations where anti-malware interferes with a specific business process. In such cases, the exception should be time-limited, documented, and approved by management on a case-by-case basis.
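As an added example (not from the PCI DSS guidance or any vendor product), a Python review routine run over constructed anti-malware log lines in a made-up key=value format; it flags hosts without a recent successful definition update, detections with no successful remediation, and protection-disabled events that fall outside a management-approved exception window. The log format, hostnames, and exception register are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not any vendor's real format); one event per line:
#   <ISO timestamp> host=<name> event=<TYPE> key=value ...
SAMPLE_LOG = """\
2024-05-01T02:00:00 host=pos-01 event=UPDATE status=ok defs=2024.05.01.1
2024-05-01T02:00:05 host=db-01 event=UPDATE status=fail reason=proxy_timeout
2024-05-01T02:00:09 host=ws-07 event=UPDATE status=ok defs=2024.05.01.1
2024-05-01T02:00:11 host=ws-08 event=UPDATE status=ok defs=2024.05.01.1
2024-05-01T09:15:00 host=pos-01 event=DETECT threat=Trojan.Generic path=/tmp/x.bin
2024-05-01T09:15:03 host=pos-01 event=REMEDIATE threat=Trojan.Generic action=quarantine status=ok
2024-05-01T11:40:00 host=db-01 event=DETECT threat=Backdoor.Sample path=/var/tmp/s.so
2024-05-01T11:40:02 host=db-01 event=REMEDIATE threat=Backdoor.Sample action=quarantine status=fail
2024-05-01T13:00:00 host=ws-07 event=PROTECTION_DISABLED user=jdoe
2024-05-01T13:05:00 host=ws-07 event=PROTECTION_ENABLED user=jdoe
2024-05-01T15:00:00 host=ws-08 event=PROTECTION_DISABLED user=asmith
"""

# Constructed management-approved exception register: (host, window start, window end).
APPROVED_EXCEPTIONS = [
    ("ws-07", datetime(2024, 5, 1, 12, 0), datetime(2024, 5, 1, 14, 0)),
]

LINE_RE = re.compile(r"^(\S+) (.*)$")

def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' holds the parsed timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.fromisoformat(m.group(1))
    return fields

def review(log_text, now, max_update_age=timedelta(hours=24), exceptions=APPROVED_EXCEPTIONS):
    """Return findings for a periodic anti-malware log review (Requirement 5 themes)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    last_ok_update = {}      # host -> time of last successful definition update
    open_detections = {}     # (host, threat) -> time of detection not yet remediated
    unapproved_disable = []  # protection disabled with no matching approved exception
    for e in events:
        host, kind = e["host"], e["event"]
        if kind == "UPDATE" and e.get("status") == "ok":
            last_ok_update[host] = e["ts"]
        elif kind == "DETECT":
            open_detections[(host, e["threat"])] = e["ts"]
        elif kind == "REMEDIATE" and e.get("status") == "ok":
            open_detections.pop((host, e["threat"]), None)
        elif kind == "PROTECTION_DISABLED":
            if not any(h == host and start <= e["ts"] <= end for h, start, end in exceptions):
                unapproved_disable.append((host, e["ts"].isoformat(), e.get("user")))
    hosts = {e["host"] for e in events}
    stale = sorted(h for h in hosts
                   if h not in last_ok_update or now - last_ok_update[h] > max_update_age)
    return {
        "stale_definitions": stale,
        "unremediated": sorted(f"{h}:{t}" for (h, t) in open_detections),
        "unapproved_disable": unapproved_disable,
    }

def review_sample():
    """Run the review over the constructed log as of 2024-05-01 18:00."""
    return review(SAMPLE_LOG, datetime(2024, 5, 1, 18, 0))

if __name__ == "__main__":
    for finding, items in review_sample().items():
        print(finding, items)
```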
Phishing attacks are a common method used by attackers to trick personnel into revealing credentials, clicking malicious links, or opening malicious attachments. Anti-phishing mechanisms help protect personnel against these attacks and reduce the risk of credential theft or malware infection.
Organizations should implement both technical and organizational anti-phishing measures. Technical measures may include email filtering, URL filtering, and browser-based protections. Organizational measures include security awareness training focused on identifying and reporting phishing attempts.
Technical anti-phishing mechanisms include server-side email filtering to detect and block phishing emails, DMARC/DKIM/SPF email authentication, URL rewriting and time-of-click analysis, and browser extensions that warn users about known phishing sites.
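An added Python check (not from the page or any product) for two of the email-authentication records the paragraph names, run offline against constructed SPF and DMARC TXT records: it reports the settings that leave a domain spoofable (a DMARC policy of p=none, a partial pct, no aggregate reporting address, an SPF record ending in +all or exceeding the 10 DNS-lookup limit of RFC 7208). DKIM is a per-message signature rather than a published policy, so it is not covered. The record values and domain names are constructed.

```python
import re

# Constructed example records (not any real domain's): a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test a mx ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.test -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s")

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)")

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return findings describing why a DMARC record is weak (empty list if acceptable)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: no enforcement, spoofed mail is delivered")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy}: subdomains are unenforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so failures go unseen")
    return findings

def check_spf(record):
    """Return findings describing why an SPF record is weak (empty list if acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an spf1 record"]
    findings, qualifier, names = [], None, []
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            continue
        names.append(m.group(2))
        if m.group(2) == "all":
            qualifier = m.group(1) or "+"     # no qualifier means pass
    if qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif qualifier in "+?":
        findings.append(f"{qualifier}all: any sender passes SPF")
    elif qualifier == "~":
        findings.append("~all: softfail only; rely on DMARC enforcement")
    if "ptr" in names:
        findings.append("ptr mechanism: deprecated by RFC 7208 and slow to evaluate")
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: exceeds the 10-lookup limit (permerror)")
    return findings

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, check_spf), ("weak DMARC", WEAK_DMARC, check_dmarc),
                           ("strong SPF", STRONG_SPF, check_spf), ("strong DMARC", STRONG_DMARC, check_dmarc)):
        print(label, fn(rec) or "ok")
```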