Red Flags Program Solutions for Auto Dealers

Data Security Resources

Policy Templates from the SANS Institute. Numerous sample policies to help you quickly write your own. At a minimum, you’ll want an Acceptable Use policy that lays out what your employees can and cannot do on company systems. Even if you don’t like having a lot of policies, it’s unfair to your employees to make them guess, for example, whether or not they can look at personal email during their lunch hour. The SANS sample Acceptable Use policy is pretty solid and easy to modify if you want to tighten or loosen standards for your company.

PCI Security Standards Council. Security standards related to the Payment Card Industry (credit/debit cards), for a variety of organizations related to payment cards, including merchants who accept them. PCI requires all such organizations to comply with its standards. Since the PCI Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., there is some weight behind that requirement. PCI conducts audits to verify compliance, and the priority for audits is based on transaction volume (i.e., Amazon.com would be higher on the list than Jim-Bob’s Corner BBQ). They have questionnaires to help you determine your level of security; start here to determine which questionnaire to complete.

Update: Heartland Payment Systems, which recently suffered a significant breach, has a publication which is somewhat clearer on PCI requirements than the PCI site: Why PCI Compliance is Important. Just to reiterate: PCI standards apply to any merchant that accepts credit cards. It is not a government regulation but an industry standard. You can still use it, though, as part of your compliance efforts.

About Us

RedFlagsMadeEasy.com is brought to you by PegaFrog, Inc., consultants to the retail automotive industry.
