Requirement 4.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 4. While it is important to define the specific policies or procedures called out in Requirement 4, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Transmitting PAN over open, public networks without strong cryptography exposes the data to interception by malicious individuals. Strong cryptography and security protocols protect PAN during transmission and help ensure that attackers cannot read the data even if they intercept the transmission.
Only trusted keys and certificates should be accepted. Certificates should be confirmed as valid and not expired or revoked. The protocol version and cipher suites used should be current and secure. Systems should be configured to not fall back to insecure protocols or cipher suites.
Open, public networks include the Internet, wireless technologies (including Wi-Fi, Bluetooth, cellular, and satellite), and other public or untrusted network technologies.
Trusted certificates help verify the identity of the server and ensure that communications are encrypted with a legitimate entity. Using certificates from trusted Certificate Authorities (CAs) helps prevent man-in-the-middle attacks.
Certificates should be obtained from trusted CAs and should be kept current. The certificate chain of trust should be verified during each connection. Self-signed certificates should not be used for production environments.
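The two paragraphs above on protocol versions, cipher suites, fallback and certificate validity are stated as configuration goals. The following Python is an added example (it is not part of the PCI DSS guidance and is not code from the PCI SSC) showing how those goals look in a client that uses the standard `ssl` module: a hardened context beside a deliberately weak one, a check that reports where a context would accept fallback or skip verification, and a validity check over a peer-certificate record. The certificate records, the host name `payments.example` and the issuer name are constructed for the example.

```python
import ssl
from datetime import datetime, timezone

# Constructed peer-certificate records in the shape returned by
# SSLSocket.getpeercert(); they are examples, not real certificates.
VALID_CERT = {
    "subject": ((("commonName", "payments.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
EXPIRED_CERT = dict(VALID_CERT, notAfter="Jan  1 00:00:00 2020 GMT")
NOT_YET_VALID_CERT = dict(VALID_CERT, notBefore="Jan  1 00:00:00 2030 GMT")


def hardened_client_context(cafile=None):
    """Client context meeting the guidance: chain and hostname are
    verified against trusted CAs, nothing below TLS 1.2 is negotiated,
    and TLS 1.2 is limited to forward-secret AEAD cipher suites."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_client_context():
    """The configuration the guidance warns against: any protocol version
    the library supports, no certificate required, no hostname check.
    Shown only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx):
    """Return the list of ways a context falls short of the guidance."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows fallback below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def certificate_findings(cert, now=None):
    """Check the validity window of a getpeercert()-style record.
    `now` is a POSIX timestamp; it defaults to the current UTC time."""
    now_ts = datetime.now(timezone.utc).timestamp() if now is None else now
    findings = []
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return findings


if __name__ == "__main__":
    print("hardened:", context_findings(hardened_client_context()) or "no findings")
    print("weak:", context_findings(weak_client_context()))
    for name, cert in (("valid", VALID_CERT), ("expired", EXPIRED_CERT)):
        print(name, certificate_findings(cert, now=1_700_000_000.0) or "ok")
```

Revocation is deliberately not covered here: the `ssl` module verifies the chain and expiry, but checking revocation (CRL or OCSP) needs either `ctx.load_verify_locations` with a CRL file plus `ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF`, or an OCSP client, and which of those applies depends on the CA in use.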
Wireless networks transmitting PAN are particularly vulnerable to eavesdropping because the signals travel through the air. Using strong cryptography to protect wireless transmissions helps prevent unauthorized interception of PAN.
Strong encryption should be used for all wireless transmissions of PAN. WPA2 or WPA3 with strong encryption algorithms should be used. WEP should never be used to protect wireless transmissions of PAN.
PAN sent via end-user messaging technologies such as email, instant messaging, or SMS can easily be intercepted or stored in cleartext by messaging systems. Securing PAN transmitted via these technologies helps prevent unauthorized access.
Strong cryptography should be used to protect PAN whenever it is sent via end-user messaging technologies. Consider whether the use of such technologies for sending PAN is necessary and whether alternative, more secure methods are available.