Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure.


CONTROL ID
12517
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain Responding to Failures in Security Controls procedures. CC ID: 12514

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) … (10.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identifying and documenting the duration (date and time start to end) of the security failure (A3.3.1.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - Identifying and documen… (10.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are processes for responding to critical security control failures defined and implemented, and include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - Identifying and documenting cause(s) of failure, including root ca… (10.8.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are failures in critical security controls documented, including: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause? (10.8.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - I… (10.8.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine records to verify that security control failures are documented to include: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause (10.8.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Identifying and documenting the duration (date and time from start to end) of the security failure. (A3.3.1.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying and documenting the duration (date and time from start to end) of the security failure. (10.7.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Duration (date and time start and end) of the security failure. (A3.3.1.2.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Duration (date and time start and end) of the security failure. (10.7.3.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Identifying and documenting the duration (date and time from start to end) of the security failure. (10.7.3 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying and documenting the duration (date and time from start to end) of the security failure. (10.7.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)