# Security Testing & Monitoring Policy

Updated: January 1, 2026
Approved By: Jennifer Lyssy, CEO

## 1. Purpose
The purpose of this policy is to define the processes and responsibilities for regularly testing the security of systems and networks to ensure the protection of cardholder data and compliance with PCI DSS requirements.

Regular testing ensures that vulnerabilities are identified, prioritized, and remediated before they can be exploited, thereby reducing the risk of security incidents.

## 2. Scope
This policy applies to all systems, networks, applications, and personnel involved in storing, processing, or transmitting cardholder data, including all components of the Cardholder Data Environment (CDE).

## 3. Policy Statement
[Company Name] will maintain a structured and ongoing security testing program that includes vulnerability scanning, penetration testing, intrusion detection, and change monitoring to protect systems and data from unauthorized access or compromise.

All security testing activities will be documented, maintained, actively used, and communicated to relevant personnel.

## 4. Roles and Responsibilities

### Security Officer / IT Lead
– Owns and maintains this policy
– Ensures all testing is completed and documented
– Reviews results and ensures remediation

### IT / Technical Personnel
– Perform or coordinate scans and monitoring
– Maintain systems and tools
– Address identified vulnerabilities

### All Personnel
– Report suspicious activity
– Follow security procedures and training

## 5. Security Testing Requirements

### 5.1 Security Testing Plan
A formal security testing plan will:
– Identify all systems and processes requiring testing
– Define testing frequency
– Specify testing methods (scans, penetration tests, monitoring)
– Be reviewed and updated at least annually

### 5.2 Wireless Access Point Monitoring
– All wireless access points must be inventoried and approved
– The environment must be scanned for unauthorized wireless devices at least quarterly (every 3 months)
– Unauthorized devices must be investigated and removed

### 5.3 Vulnerability Scanning

#### Internal Scans
– Performed at least quarterly
– Performed after any significant system change
– Must identify and remediate high-risk and critical vulnerabilities
– Rescans must confirm remediation

#### External Scans
– Performed at least quarterly
– Conducted by a PCI-approved scanning vendor (ASV)
– Must meet passing scan requirements
– Rescans required until passing

### 5.4 Penetration Testing
– Conducted at least annually and after significant changes
– Includes both external and internal testing
– Covers network-layer and application-layer vulnerabilities
– Includes validation of segmentation (if used)
– Results must be documented and retained for at least 12 months
– All findings must be remediated and retested

### 5.5 Intrusion Detection & Prevention
– Intrusion detection and/or prevention systems (IDS/IPS) must be implemented
– Monitoring must occur at the perimeter of the CDE and at critical internal network points
– Alerts must be generated for suspicious activity
– Systems must be kept up to date

### 5.6 File Integrity Monitoring
– Tools must detect unauthorized changes to critical files
– Monitoring must include file changes, additions, and deletions
– File comparisons must occur at least weekly
– Alerts must be sent to appropriate personnel

### 5.7 Payment Page Integrity Monitoring
– Mechanisms must detect unauthorized changes to payment page scripts and HTTP headers
– Monitoring must occur at least weekly or based on defined risk analysis
– Alerts must be generated for any unauthorized modifications

## 6. Vulnerability Management
– All vulnerabilities must be identified, prioritized based on risk, and remediated in a timely manner
– High-risk and critical vulnerabilities must be addressed immediately
– Lower-risk vulnerabilities must be managed based on defined risk tolerance

## 7. Documentation & Recordkeeping
– All testing activities must be documented and retained for at least 12 months
– Documentation must be available for audit review
– Records include scan results, penetration test reports, remediation actions, and monitoring logs

## 8. Compliance
Failure to comply with this policy may result in disciplinary action and potential legal consequences.

## 9. Policy Review
This policy will be reviewed at least annually and updated as needed to reflect changes in systems, risks, or regulatory requirements.

## 10. Acknowledgment
All applicable personnel must acknowledge and adhere to this policy.

© 2025-2026 Botanic, LLC
