PCI DSS 12.5 “Assign to an individual or team the following information  security management responsibilities” is not just about putting somebody's name down to pass an audit and us QSAs are clamping down hard on those whom pay governance lip service, then forget about it for a year until the next audit is due.

Even in smaller organisations, governance and oversight of physical, network, software and human security is critical to making any information security programme a success.  Assigning sole information security responsbility to your infrastructure team is rarely a good idea and it needs a holisitc approach and input from all personnel involved to be effective.

As a recommendation for those that might need it, why not form a Security Committee, that can provide independent oversight of information security throughout the organisation? Monthly minuted meetings are essential to demonstrate that your company takes information security governance seriously, and thus to comfortably mark PCI DSS Control 12.5 in place.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top