Which statement best describes the requirement for security policies and procedures to monitor access to network resources and cardholder data?

• A. Security policies and procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
• B. Only management-approved security policies exist; not required to be known by staff.
• C. Policies exist but are not required to be used.
• D. Policies are on paper only and not communicated.

Answer: (A)

Security policies and procedures for monitoring access to network resources and cardholder data must be documented, actively used, and communicated to all affected parties. When policies are written and then put into practice, they create a clear standard for how access is granted, reviewed, and audited, and they establish what personnel are expected to do. Communicating these policies to the people whose roles involve handling or protecting cardholder data ensures everyone understands their responsibilities and how monitoring will be applied, which makes enforcement consistent and traceable. If policies exist only on paper or are not shared with staff, there’s no real guidance or accountability, and monitoring efforts can’t be properly aligned with documented expectations. Similarly, policies that aren’t actually used won’t influence daily security practices, and requiring only management approval without broad awareness leaves front-line workers uninformed about how access should be monitored.