|
Standard |
Details |
|
Requirement 1 |
Install and maintain a firewall
configuration to protect cardholder data |
|
1.1 |
Establish firewall configuration standards
that include:- |
|
1.1.1 |
A formal
process for approving and testing all external network
connections and changes to the firewall configuration |
|
ISO 27002
Reference
11.4.1,
15.2.2 |
Firewall Management Policy 1.3 Firewall configuration changes
are subject to strict change control process
|
|
1.1.2 |
A current network diagram with all connections to cardholder
data, including any wireless networks |
|
ISO 27002
Reference
12.6.1 |
Network
Management Policy 2.1 Inventory of network access points |
|
1.1.3 |
Requirements for a firewall at each internet connection and
between any demilitarized zone and the internal network zone |
|
ISO 27002
Reference
11.4.7 |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
Firewall Management Policy 1.2 Webservers housed internally must
be protected by a firewall |
|
1.1.4 |
Description of
groups, roles and responsibilities for logical management of
network components |
|
ISO 27002
Reference
8.1.1
|
Access Control Policy 1.1.1 Authorised Access for Users
Access Control Policy 2.1.1 Management to determine Access
Control standards
Personnel Management Policy 2.2.1 Responsibility for security
included in job descriptions and terms and conditions of
employment and consequences of non compliance |
|
1.1.5 |
Documented
list of services and ports necessary for business |
|
ISO 27002
Reference
11.4.1 |
Firewall Management Policy 1.3 Firewall configuration changes
are subject to strict change control process |
|
1.1.6 |
Justification
and documentation for any available protocols besides hypertext
transfer protocol (HTTP), and secure sockets layer (SSL), secure
shell (SSH), and virtual private network (VPN) |
|
ISO 27002
Reference
6.2.2,
10.6.1,
10.9.1,
10.9.2,
11.4.1, |
Firewall Management Policy 1.2 Webservers housed internally must
be protected by a firewall
Remote Access
Policy 3.4.1 Systems connecting remotely must not permit telnet,
ftp or any other real-time inbound access that may circumvent
the authentication process |
|
1.1.7 |
Justification
and documentation for any risky protocols allowed (for example
FTP) which includes reason for use of protocol and security
features implemented |
|
ISO 27002
Reference
6.2.2,
10.6.1,
10.9.1,
10.9.2,
11.4.1, |
Firewall Management Policy 1.2 Webservers housed internally must
be protected by a firewall
Remote Access
Policy 3.4.1 Systems connecting remotely must not permit telnet,
ftp or any other real-time inbound access that may circumvent
the authentication process |
|
1.1.8 |
Quarterly
review of firewall and router rule sets |
|
ISO 27002
Reference
15.2.2 |
|
|
1.1.9 |
Configuration
standards for routers |
|
ISO 27002
Reference
10.3,
10.6.2,
11.4.1, |
Firewall Management Policy 1.3 Firewall configuration changes
are subject to strict change control process |
|
1.2 |
Build a
firewall configuration that denies all traffic from untrusted
networks and hosts except for protocols necessary for the
cardholder data environment |
|
ISO 27002
Reference
11.4.1, |
|
|
1.3 |
Build a
firewall configuration that restricts connections between
publicly accessible servers and any system component storing
cardholder data, including any connections from wireless
networks. |
|
1.3.1 |
Restrict
inbound internet traffic to internet protocol (IP) addresses
within the DMZ (ingress filters) |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.1,
11.4.5,
11.4.6,
11.4.7, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
|
|
1.3.2 |
Not allowing
internal addresses to pass from the internet into the DMZ |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.5,
11.4.6,
11.4.7,
15.1.3, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
|
|
1.3.3 |
Implementing
stateful inspection also known as dynamic packet filtering (that
is, only "established" connections are allowed into the network) |
|
ISO 27002
Reference
11.4.1, |
|
|
1.3.4 |
Placing the databases in an internal
network zone segregated from the DMZ |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.5,
11.4.6,
11.4.7,
15.1.3, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
|
|
1.3.5 |
Restricting
inbound and outbound traffic to that which is necessary for the
cardholder data environment |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.1,
11.4.5,
11.4.6,
11.4.7, |
|
|
1.3.6 |
Securing and
synchronizing router configuration files. |
|
ISO 27002
Reference
11.4.1,
12.5.1 |
Firewall Management Policy 1.3 Firewall configuration changes
are subject to strict change control process |
|
1.3.7 |
Denying all
other inbound and outbound traffic not specifically allowed |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.1,
11.4.5,
11.4.6,
11.4.7, |
|
|
1.3.8 |
Installing
perimeter firewalls between any wireless networks and the
cardholder data environment and configuring these firewalls to
deny any traffic from the wireless environment or from
controlling any traffic. |
|
ISO 27002
Reference
10.6.1,
10.8.1,
11.4.5, |
|
|
1.3.9 |
Installing
personal firewall software on any mobile and employee-owned
computers with direct connectivity to the internet which are
also used to access the organisation's network |
|
ISO 27002
Reference
6.2.1,
6.2.3,
7.1.3,
10.4.1.
10.6.1,
10.8.1,
11.4.1
11.4.2,
11.4.5,
11.4.6,
11.4.7,
11.7.1,
11.7.2 |
|
|
1.4 |
Prohibit direct public access between external networks and
any system component that stores cardholder data |
|
1.4.1 |
Implement a
DMZ to filter and screen all traffic and to prohibit direct
routes for inbound and outbound internet traffic |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.1,
11.4.5,
11.4.6,
11.4.7, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
|
|
1.4.2 |
Restrict
outbound traffic from payment card applications to IP addresses
within the DMZ |
|
ISO 27002
Reference
6.2.1,
10.6.1,
10.9.1,
10.9.3,
11.4.1,
11.4.5,
11.4.6,
11.4.7, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
|
|
1.5 |
Implement IP
masquerading to prevent internal addresses from being translated
and revealed on the internet. |
|
ISO 27002
Reference
11.4.1,
11.4.6, |
|
|
Requirement 2. |
Do not use vendor-supplied defaults for
system passwords and other security parameters |
|
2.1 |
Always change
vendor-supplied defaults before installing a system on the
network. (Include passwords, simple network management
protocol, community strings, and elimination of unnecessary
accounts). |
|
ISO 27002
Reference
11.1.1,
11.2.3,
11.3.1,
11.4.4,
11.4.6,
11.5.3, |
Password and Authentication Policy 2.3.1 Vendor passwords to be
changed |
|
2.1.1 |
For Wireless
environments change wireless vendor defaults including, but not
limited to, WEP keys, SSID passwords and SNMP community strings.
Disable SSID broadcasts, enable WiFi protected access technology
for encryption and authentication when WPA capable. |
|
ISO 27002
Reference
10.6.1,
10.8.1,
11.2.3,
11.4.1,
11.4.4,
11.4.6,
12.3.1,
|
Network
Management Policy 5.1 Wireless sessions must be encrypted |
|
2.2 |
Develop
configuration standards for all system components. Assure
that these standards address all known security vulnerabilities
and are consistent with industry-accepted system hardening
standards. |
|
ISO 27002
Reference
6.2.2,
10.1.1,
10.1.2,
10.3,
10.6.1,
10.6.2,
10.9.1,
10.9.2,
11.4.1 |
|
|
2.2.1 |
Implement only
one primary function per server - eg: webservers, dns, databases
all on individual servers |
|
ISO 27002
Reference
6.2.2,
10.6.1,
10.9.1,
10.9.2,
11.4.1 |
|
|
2.2.2 |
Disable all
unnecessary and insecure services and protocols |
|
ISO 27002
Reference
6.2.2,
10.9.1,
10.9.2,
11.4.1,
11.4.6,
11.5.4,
12.1.1,
12.4.1,
12.4.2,
12.5.1,
|
|
|
2.2.3 |
Configure
Systems Security parameters to prevent misuse |
|
ISO 27002
Reference
6.2.2,
10.4.1,
10.6.2,
10.9.1,
10.9.2,
10.9.3,
11.4.1,
11.4.6,
11.5.4,
11.5.4,
12.4.2,
12.5.1,
|
|
|
2.2.4 |
Remove all
unnecessary functionality, such as scripts, drivers, features,
subsystems, file systems and unnecessary web servers |
|
ISO 27002
Reference
11.5.4,
12.1.1,
12.4.1,
12.4.2,
12.5.1,
12.6.1,
|
|
|
2.3 |
Encrypt all
non-console administrative access using technologies such as SSH,
VPN or SSL/TSL for web based management and other non console
administrative access |
|
ISO 27002
Reference
10.6.1,
10.8.1,
11.4.1,
11.4.5,
11.4.7, |
Firewall
Management Policy 1.1 Termination requirements for site to site
VPN tunnels |
|
2.4 |
Hosting
providers must protect each entity's hosted environment and
data. These providers must meet specific requirements as
detailed in Appenxdix A |
|
ISO 27002
Reference
6.2.2,
6.2.3,
10.7.3,
10.9.1,
10.9.2,
10.9.3 |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime
Remote
Access Policy 1.4.1 Responsibilities with regard to handling
data
|
|
Requirement 3. |
Protect stored cardholder data |
|
3.1 |
Keep cardholder data storage to a minimum. Develop a
data retention and disposal policy. Limit storage amount
and retention time to that which is required for business, legal
and/or regulatory purposes, as documented in the data retention
policy. |
|
ISO 27002
Reference
10.1.1,
10.8.5,
15.1.3, |
|
|
3.2 |
Do not store
sensitive authentication data subsequent to authorisation even
if encrypted |
|
3.2.1 |
Do not store
the full contents of any track from the magnetic stripe. |
|
ISO 27002
Reference
10.8.5, |
|
|
3.2.2 |
Do not store
the card validation code or value used to verify
card-not-present transactions. |
|
ISO 27002
Reference
10.8.5, |
|
|
3.2.3 |
Do not store
the personal identification number or the encrypted PIN block. |
|
ISO 27002
Reference
10.8.5, |
|
|
3.3 |
Mask PAN when
displayed (the first six and last four digits are the maximum
number of digits to be displayed). |
|
ISO 27002
Reference
10.9.1, |
|
|
3.4 |
Render PAN, at
minimum, unreadable anywhere it is stored |
|
ISO 27002
Reference
10.9.1,
10.9.2,
12.3.1,
15.1.3,
15.1.4, |
|
|
3.5 |
Protect
encryption keys used for encryption of cardholder data against
both disclosure and misuse |
|
3.5.1 |
Restrict
access to keys to the fewest number of custodians necessary |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
Encryption Policy 3.1 Non-disclosure of cryptographic keys
|
|
3.5.2 |
Store keys
securely in the fewest possible locations and forms |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6 |
Fully document
and implement all key management processes and procedures for
keys used for encryption of cardholder data, including the
following: |
|
3.6.1 |
Generation of
Strong Keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6.2 |
Secure key
distribution |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
Encryption Policy 4.1 No one person
has full
knowledge of any cryptographic key
Encryption Policy 5.1 Key to be sent separate from data it is
protecting
|
|
3.6.3 |
Secure key
storage |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6.4 |
Periodic
changing of keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6.5 |
Destruction of
old keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6.6 |
Split
knowledge and establishment of dual control of keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
Encryption Policy 4.1 No one person
has full
knowledge of any cryptographic key
|
|
3.6.7 |
Prevention of
unauthorised substitution of keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
Encryption Policy 3.1 Non-disclosure of cryptographic keys
Encryption Policy 6.1 Cryptographic key delegation of management
to trusted personnel
|
|
3.6.8 |
Replacement of
known or suspected compromised keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6.9 |
Revocation of
old or invalid keys |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
|
|
3.6.10 |
Requirement
for key custodians to sign a form stating that they understand
and accept their key custodian responsibilities |
|
ISO 27002
Reference
12.3.1,
12.3.2, |
Encryption Policy 6.1 Cryptographic key delegation of management
to trusted personnel |
|
Requirement 4. |
Encrypt transmission of cardholder data
across open, public networks |
|
4.1 |
Use strong
cryptography and security protocols such as secure sockets layer
(SSL) / transport layer security (TLS) and internet protocol
security (IPSEC) to safeguard sensitive cardholder data during
transmission over open public networks |
|
ISO 27002
Reference
10.8.1,
10.9.1,
10.9.2,
10.9.3,
12.3.1, |
Encryption Policy 1.1 Use of Encryption
Network
Management Policy 5.1 Wireless sessions must be encrypted
Remote Access Policy 3.3.1 Remote connections transmitting
sensitive information should be encrypted |
|
4.1.1 |
For wireless
networks transmitting cardholder data, encrypt the transmissions
by using WiFi protected access technology, IPSEC VPN or SSL/TLS.
|
|
ISO 27002
Reference
10.6.1,
10.8.1,
11.4.1,
11.4.7,
12.3.1, |
Network
Management Policy 5.1 Wireless sessions must be encrypted |
|
4.2 |
Never send
unencrypted PANS by email |
|
ISO 27002
Reference
10.8.4,
10.9.1,
10.9.2,
10.9.3,
12.3.1, |
Encryption Policy 1.1 Use of Encryption
|
|
Requirement 5. |
Use and regularly update anti-virus
software or programs |
|
5.1 |
Deploy
anti-virus software on all systems commonly affected by viruses |
|
ISO 27002
Reference
10.4.1,
10.6.1,
12.6.1,
|
Anti-Virus Policy 2.1 Anti-Virus Software must be Installed
Computer Systems and Equipment Use Policy 3.3.1 Equipment used
to access computer systems and networks must meet requirements
of Anti-Virus policy
Remote Access Policy 1.3.1
Anti Virus Software must be installed |
|
5.1.1 |
Ensure that
anti-virus programs are capable of detecting, removing and
protecting against other forms of malicious software including
spyware |
|
ISO 27002
Reference
10.4.1,
10.4.2,
10.8.1,
|
|
|
5.2 |
Ensure that
Anti-Virus mechanisms are current, actively running and capable
of generating audit logs |
|
ISO 27002
Reference
10.4.1,
10.8.1,
10.10.1,
12.6.1 |
|
|
Requirement 6. |
Develop and maintain secure systems and
applications |
|
6.1 |
Ensure that
all system components and software have the latest
vendor-supplied security patches installed. Install
relevant security patches within one month of release |
|
ISO 27002
Reference
9.2.4,
10.4.1,
10.8.1,
12.6.1 |
Software Management Policy 4.1 Operating system fixes and
patches update procedure and requirement for updates to be
logged
|
|
6.2 |
Establish a
process to identify newly discovered security vulnerabilities.
Update standards to address new vulnerability issues. |
|
ISO 27002
Reference
10.4.1,
12.6.1 |
|
|
6.3 |
Develop
software applications based on industry best practices and
incorporate information security throughout the software
development life cycle. |
|
6.3.1 |
Testing of all
security patches and system and software configuration changes
before deployment |
|
ISO 27002
Reference
10.4.1,
10.4.2,
12.4.1,
12.5.5,
12.6.1 |
Software Management Policy 3.1 Vendor code to be tested prior to
implementation |
|
6.3.2 |
Separate
development, test and production environments |
|
ISO 27002
Reference
10.1.4, |
|
|
6.3.3 |
Separation of
duties between development, test and production environments |
|
ISO 27002
Reference
11.1.1,
11.2.1,
11.6.1,
12.4.1,
12.4.2,
12.4.3, |
Software Management Policy 1.1 Access to live applications for
software developers
|
|
6.3.4 |
Production
data are not used for testing or development |
|
ISO 27002
Reference
10.1.2,
10.1.4,
11.5.4,
12.4.1,
12.4.2,
12.5.1, |
|
|
6.3.5 |
Removal of
test data and accounts before production systems become active |
|
ISO 27002
Reference
10.1.2,
10.1.4,
11.5.4,
12.4.1,
12.4.2,
12.5.1, |
|
|
6.3.6 |
Removal of
custom application accounts, usernames and passwords before
applications become active or are released to customers |
|
ISO 27002
Reference
11.3.1,
11.5.3,
12.4.1,
12.5.1, |
Password and Authentication Policy 2.3.1 Vendor passwords to be
changed |
|
6.3.7 |
Review of
custom code prior to release to production or customers in order
to identify any potential coding vulnerabilities |
|
ISO 27002
Reference
10.1.2,
10.3.2,
12.4.1,
12.5.1, |
Software Management Policy 3.1 Vendor code to be tested prior to
implementation |
|
6.4 |
Follow change
control procedures for all systems and software configuration
changes |
|
6.4.1 |
Documentation
of impact |
|
ISO 27002
Reference
12.5.1, |
|
|
6.4.2 |
Management
sign off by appropriate parties |
|
ISO 27002
Reference
12.4.1,
12.5.1, |
Software Management Policy 2.1 Formal change control procedure
for live systems |
|
6.4.3 |
Testing of
Operational Functionality |
|
ISO 27002
Reference
10.1.2,
10.3.2,
12.4.1,
12.5.1, |
Software Management Policy 3.1 Vendor code to be tested prior to
implementation |
|
6.4.4 |
Back out
procedures |
|
ISO 27002
Reference
10.1.2,
10.3.2, |
|
|
6.5 |
Develop all
web applications based on secure coding guidelines such as OWASP
guidelines. Review custom application code to identify
coding vulnerabilities. Cover prevention of common coding
vulnerabilities in software development processes. |
|
6.5.1 |
Unvalidated
input |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.2 |
Broken access
control |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.3 |
Broken
authentication and session management |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.4 |
Cross site
scripting attacks |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.5 |
Buffer
overflows |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.6 |
Injection
flaws |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.7 |
Improper error
handling |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.8 |
Insecure
storage |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime |
|
6.5.9 |
Denial of
Service |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
|
|
6.5.10 |
Insecure
configuration management |
|
ISO 27002
Reference
10.4.1,
10.9.1,
12.2.1,
15.2.1,
15.2.2, |
E-Commerce Policy
2.1 Storing information on web or e-commerce servers
requires authorisation and an approved multi-layered protection
regime |
|
6.6 |
Ensure that
all web facing applications are protected against known attacks
by having all custom application code reviewed for common
vulnerabilities by an organisation that specialises in
application security and by installing an application layer
firewall in front of web applications. |
|
ISO 27002
Reference
10.9.3,
11.4.5,
11.4.7,
15.2.1,
15.2.2, |
Firewall Management Policy 1.2 Webservers housed internally must
be protected by a firewall |
|
Requirement 7. |
Restrict access to cardholder data by
business need to know |
|
7.1 |
Limit access
to computing resources and cardholder information only to those
individuals whose job requires such access |
|
ISO 27002
Reference
10.8.5,
11.1.1,
11.2.1,
11.2.2,
11.6.1, |
Access Control Policy 1.1.1 Authorised Access for Users
Access
Control Policy 2.1.1 Management to determine Access Control
standards
|
|
7.2 |
Establish a
mechanism for systems with multiple users that restricts access
based on a user's need to know and is set to deny all unless
specifically allowed |
|
ISO 27002
Reference
10.8.5,
11.1.1,
11.2.1,
11.2.2,
11.5.1,
11.6.1, |
Access Control Policy 1.1.1 Authorised Access for Users
Access
Control Policy 2.1.1 Management to determine Access Control
standards
Password and Authentication Policy 2.7.1 No access without
authentication |
|
Requirement 8. |
Assign a unique user ID to each person
with computer access |
|
8.1 |
Identify all
users with a unique user name before allowing them to access
system components or cardholder data |
|
ISO 27002
Reference
11.2.1,
11.2.2,
11.2.3,
11.3.1,
11.5.2,
11.5.3, |
Network
Management Policy 4.1 User must login before executing commands
Password and Authentication Policy 1.2.1 No group passwords.
Passwords must be unique to individual users
|
|
8.2 |
In addition to
assigning a unique ID, employ at least one of the following
methods to authenticate all users: Password, Token
devices, Biometrics |
|
ISO 27002
Reference
11.4.2,
11.5.1,
11.5.2,
|
Password and Authentication Policy 2.1.1 One time, two factor
authentication for remote access
Remote Access Policy 1.1.1 Access controls must be used |
|
8.3 |
Implement two
factor authentication for remote access to the network by
employees, administrators and third parties. Use
technologies such as remote authentication and dial-in service
or terminal access controller access control system with tokens
or VPN with individual certificates. |
|
ISO 27002
Reference
11.4.1,
11.4.2,
11.5.1,
11.5.2, |
Access Control Policy 3.5.1 Remote Administration Permitted with
Additional Security
Network
Management Policy 4.1 User must login before executing commands
Password and Authentication Policy 2.1.1 One time, two factor
authentication for remote access
Password and Authentication Policy 2.7.1 No access without
authentication
Remote Access Policy 1.1.1 Access controls must be used
Remote Access
Policy 3.4.1 Systems connecting remotely must not permit telnet,
ftp or any other real-time inbound access that may circumvent
the authentication process |
|
8.4 |
Encrypt all
passwords during transmission and storage on all system
components |
|
ISO 27002
Reference
11.2.3,
11.3.1,
11.5.1,
11.5.3,
12.3.1 |
|
|
8.5 |
Ensure proper
user authentication and password management for non consumer
users and administrators on all system components as follows: |
|
8.5.1 |
Control
addition, deletion and modification of user IDs, credentials and
other identifier objects |
|
ISO 27002
Reference
11.2.1, |
Access
Control Policy 2.2.1 Remote access Approval Process
Access Control
Policy 2.4.1 Reporting changes of duties affecting user
privileges
Access Control Policy 3.2.1 IT Staff must not allocate
User IDs or grant
privileges without written approval
Access Control Policy 3.3.1 Prompt Termination of Users
Personnel Management Policy
3.1.1 Change to access rights
controlled by provisions of Access Control Policy
|
|
8.5.2 |
Verify user
identify before performing password resets |
|
ISO 27002
Reference
11.2.3, |
|
|
8.5.3 |
Set first-time
passwords to a unique value for each user and change immediately
after the first use |
|
ISO 27002
Reference
11.2.3,
11.3.1,
11.5.3, |
|
|
8.5.4 |
Immediately
revoke access for any terminated users |
|
ISO 27002
Reference
11.2.1, |
Access Control
Policy 2.4.1 Reporting changes of duties affecting user
privileges
Access Control Policy 3.3.1 Prompt Termination of Users |
|
8.5.5 |
Remove
inactive user accounts at least every 90 days |
|
ISO 27002
Reference
11.2.1, |
|
|
8.5.6 |
Enable
accounts used by vendors for remote maintenance only during the
time period needed |
|
ISO 27002
Reference
11.2.1,
11.2.2,
11.5.6, |
Remote
Access Policy 1.5.1 Specified hours for third party access
Remote
Access Policy 3.2.1 Vendor access disabled by default
|
|
8.5.7 |
Communicate
password procedures and policies to all users who have access to
cardholder data |
|
ISO 27002
Reference
5.1.1,
6.1.1,
6.1.2, |
Acceptable Use Policy 1.1
Computer users required to comply with IT security policies
Company obligations |
|
8.5.8 |
Do not use
group, shared or generic accounts and passwords |
|
ISO 27002
Reference
11.2.1,
11.2.2,
11.3.1,
11.5.4, |
Password and Authentication Policy 1.2.1 No group passwords.
Passwords must be unique to individual users |
|
8.5.9 |
Change user
passwords at least every 90 days |
|
ISO 27002
Reference
11.3.1,
11.5.3, |
|
|
8.5.10 |
Require a
minimum password length of at least seven characters |
|
ISO 27002
Reference
11.3.1,
11.5.3, |
Password and Authentication Policy 1.1.1 Number of characters in
passwords |
|
8.5.11 |
Use passwords
containing both numeric and alphabetic characters |
|
ISO 27002
Reference
11.3.1,
11.5.3, |
|
|
8.5.12 |
Do not allow
an individual to submit a new password that is the same as any
of the last four passwords he or she has used |
|
ISO 27002
Reference
11.5.3, |
|
|
8.5.13 |
Limit repeated
access attempts by locking out the user ID after not more than
six attempts |
|
ISO 27002
Reference
11.5.1,
|
Password and Authentication Policy 2.4.1 Unsuccessful login
attempts |
|
8.5.14 |
Set the
lockout duration to thirty minutes or until administrator
enables the user ID |
|
ISO 27002
Reference
11.5.1, |
Password and Authentication Policy 2.4.1 Unsuccessful login
attempts |
|
8.5.15 |
If a session
has been idle for more than 15 minutes, require the user to
re-enter the password to re-activate the terminal |
|
ISO 27002
Reference
11.5.5,
|
|
|
8.5.16 |
Authenticate
all access to any database containing cardholder data.
This includes access by applications, administrators and all
other users |
|
ISO 27002
Reference
11.4.2,
11.5.1 |
|
|
Requirement 9. |
Restrict physical access to cardholder
data |
|
9.1 |
Use
appropriate facility entry controls to limit and monitor
physical access to systems that store, process or transmit
cardholder data |
|
9.1.1 |
Use cameras to
monitor sensitive areas. Audit collected data and
correlate with other entries. Store for at least three
months unless otherwise restricted by law. |
|
ISO 27002
Reference
9.1.1, |
|
|
9.1.2 |
Restrict
physical access to publicly accessible network jacks. |
|
ISO 27002
Reference
9.1.2,
9.2.1,
9.2.3, |
Physical Access Policy
3.1.1 Physical access to Server Rooms and
the like must be restricted to authorised personnel with the
keys or codes required for access |
|
9.1.3 |
Restrict
physical access to wireless access points, gateways and handheld
devices. |
|
ISO 27002
Reference
9.1.2,
9.2.1, |
Physical Access Policy
3.1.1 Physical access to Server Rooms and
the like must be restricted to authorised personnel with the
keys or codes required for access |
|
9.2 |
Develop
procedures to help all personnel easily distinguish between
employees and visitors especially in areas where cardholder data
is accessible |
|
ISO 27002
Reference
9.1.2,
13.1.1, |
|
|
9.3 |
Make sure
visitors are handled correctly |
|
9.3.1 |
Authorised
before entering areas where cardholder data is processed or
maintained. |
|
ISO 27002
Reference
9.1.1,
9.1.2, |
Physical Access Policy
2.1.1
Managers responsible for staff working in secure areas |
|
9.3.2 |
Given a
physical token that expires and identifies the visitors as
non-employees. |
|
ISO 27002
Reference
9.1.1,
9.1.2,
9.1.3,
9.1.6, |
|
|
9.3.3 |
Asked to
surrender the physical access token before leaving the facility
or at the date of expiration. |
|
ISO 27002
Reference
9.1.1,
9.1.2,
9.1.3,
9.1.6, |
|
|
9.4 |
Use a visitor
log to maintain a physical audit trail of visitor activity.
Retain this log for a minimum of three months unless otherwise
restricted by law. |
|
ISO 27002
Reference
9.1.1,
9.1.2,
9.1.3,
9.1.6, |
|
|
9.5 |
Store media
backups in a secure location preferably in an off-site facility
such as an alternate or backup site or a commercial storage
facility |
|
ISO 27002
Reference
10.5.1,
10.7.1, |
Information Management Policy 3.2.1 Archived data to be managed
in accordance with corporate record keeping conventions
|
|
9.6 |
Physically
secure all paper and electronic media that contain cardholder
data. Eg: computers, electronic media, networking and
communications hardware, telecommunications lines, paper
receipts, paper reports and faxes. |
|
ISO 27002
Reference
9.1.1,
9.1.4,
10.5.1,
10.8.5, |
Information Management Policy 3.2.1 Archived data to be managed
in accordance with corporate record keeping conventions
Physical Access Policy
3.1.1 Physical access to Server Rooms and
the like must be restricted to authorised personnel with the
keys or codes required for access
Physical Access Policy 3.2.1 Sensitive system isolation |
|
9.7 |
Maintain
strict control over the internal or external distribution of any
kind of media that contains cardholder data including the
following: |
|
9.7.1 |
Classify the
media so that it can be identified as confidential. |
|
ISO 27002
Reference
7.2.1,
7.2.2, |
Legal Compliance Policy 1.4.1 Information must be labelled with
appropriate disclaimer |
|
9.7.2 |
Send the media
by secured courier or other delivery method that can be
accurately tracked |
|
ISO 27002
Reference
10.8.3, |
|
|
9.8 |
Ensure
management approves any and all media that is moved from a
secured area |
|
ISO 27002
Reference
10.7.1,
10.8.3, |
|
|
9.9 |
Maintain
strict control over the storage and accessibility of media that
contains cardholder data |
|
9.9.1 |
Properly
inventory all media and ensure that it is securely stored |
|
ISO 27002
Reference
10.7.1, |
Information Management Policy 3.2.1 Archived data to be managed
in accordance with corporate record keeping conventions
|
|
9.10 |
Destroy media
containing cardholder data when it is no longer needed for
business or legal reasons as follows: |
|
9.10.1 |
Cross cut
shred, incinerate or pulp hardcopy materials |
|
ISO 27002
Reference
10.7.2, |
|
|
9.10.2 |
Purge,
degauss, shred or otherwise destroy electronic media so that
cardholder data cannot be reconstructed |
|
ISO 27002
Reference
10.7.2, |
|
|
Requirement 10. |
Track and monitor all access to network
resources and cardholder data |
|
10.1 |
Establish a
process for linking all access to system components to each
individual user |
|
ISO 27002
Reference
11.2.1,
11.2.2,
11.3.1, |
Access Control Policy 2.1.1 Management to determine Access
Control standards
Access
Control Policy 3.1.1 Special Access Privileges
Password and Authentication Policy 1.2.1 No group passwords.
Passwords must be unique to individual users
Special Access Policy 1.2 Control on issuing enhanced privileges |

| Standard | Details | ISO 27002 Reference | Policy mapping |
|---|---|---|---|
| 10.2 | Implement audit trails for all system components to reconstruct the following events | | |
| 10.2.1 | All individual user accesses to cardholder data | 10.10.1 | Password and Authentication Policy 2.6.1 Audit logs for login attempts; Remote Access Policy 1.6.1 Monitoring use of remote connections; Remote Access Policy 3.5.1 Right to audit remote access systems, equipment, device or link on contracted parties premises by the company or its designated agent |
| 10.2.2 | All actions taken by any individual with root or administrative privileges | 10.10.2 | |
| 10.2.3 | Access to all audit trails | 10.10.3, 10.10.4 | |
| 10.2.4 | Invalid login attempts | 10.10.1 | Password and Authentication Policy 2.6.1 Audit logs for login attempts |
| 10.2.5 | Use of identification and authentication mechanisms | 10.10.1, 15.2.2 | Remote Access Policy 3.5.1 Right to audit remote access systems, equipment, device or link on contracted parties premises by the company or its designated agent |
| 10.2.6 | Initialisation of the audit logs | 10.10.3 | |
| 10.2.7 | Creation and deletion of system level objects | 10.10.4 | |
| 10.3 | Record at least the following audit trail entries for all system components for each event: | | |
| 10.3.1 | User identification | 10.10.1 | |
| 10.3.2 | Type of event | 10.10.1 | |
| 10.3.3 | Date and time | 10.10.1 | |
| 10.3.4 | Success or failure indication | 10.10.1 | |
| 10.3.5 | Origination of event | 10.10.1 | |
| 10.3.6 | Identity or name of affected data, system component, or resource | 10.10.1 | |
| 10.4 | Synchronise all critical system clocks and times | 10.10.6 | |
| 10.5 | Secure audit trails so they cannot be altered | | |
| 10.5.1 | Limit viewing of audit trails to those with a job-related need | 10.10.3 | |
| 10.5.2 | Protect audit trail files from unauthorised modifications | 10.10.3 | |
| 10.5.3 | Promptly back up audit trail files to a centralized log server or media that is difficult to alter | 10.10.3 | |
| 10.5.4 | Copy logs for wireless networks onto a log server on the internal LAN | 10.10.3 | |
| 10.5.5 | Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts | 10.10.3 | |
| 10.6 | Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection systems and authentication, authorisation and accounting protocol servers, e.g. RADIUS | 10.10.2 | |
| 10.7 | Retain audit trail history for at least one year with a minimum of three months online availability | 10.10.3 | |

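As an added illustration of what 10.3 and 10.5.5 ask for (example code written for this page, not part of the mapping table or of any policy document it references): an append-only audit trail whose records carry the six 10.3 fields and whose entries are hash-chained, so that a later change to an existing record is detected by a verification pass. The function names, the record field names and the three sample events are constructed for the example.

```python
"""Hash-chained audit trail carrying the PCI DSS 10.3 fields.

Added example, not project code. Every record stores the hash of its
predecessor, so rewriting any earlier record breaks the chain and the
verification step reports the first record that no longer matches.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Anchor for the first record; a constructed constant, not a standard value.
GENESIS = "0" * 64


def make_entry(user_id: str, event_type: str, success: bool,
               origin: str, target: str,
               timestamp: Optional[str] = None) -> Dict:
    """Build one audit record with the fields required by 10.3.1 to 10.3.6."""
    return {
        "user_id": user_id,        # 10.3.1 user identification
        "event_type": event_type,  # 10.3.2 type of event
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),  # 10.3.3
        "success": success,        # 10.3.4 success or failure indication
        "origin": origin,          # 10.3.5 origination of event (source host)
        "target": target,          # 10.3.6 identity or name of affected resource
    }


def _digest(prev_hash: str, entry: Dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: List[Dict], entry: Dict) -> List[Dict]:
    """Append a record linked to the current tail of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return log


def verify_chain(log: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad record).

    ok is True only when every record's hash matches its content and
    links to its predecessor's hash.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log() -> List[Dict]:
    """Three constructed events; hosts and names are not from any real system."""
    log: List[Dict] = []
    append_entry(log, make_entry("alice", "login", True, "10.0.0.5",
                                 "pos-app", "2024-01-01T09:00:00+00:00"))
    append_entry(log, make_entry("alice", "read_cardholder_data", True,
                                 "10.0.0.5", "card_table",
                                 "2024-01-01T09:01:00+00:00"))
    append_entry(log, make_entry("bob", "login", False, "10.0.0.9",
                                 "pos-app", "2024-01-01T09:02:00+00:00"))
    return log


def tamper_demo() -> Tuple[bool, bool, Optional[int]]:
    """Show that rewriting an existing record is caught by verify_chain."""
    log = build_sample_log()
    ok_before, _ = verify_chain(log)
    # Rewrite the failed login as a success after the fact.
    log[2]["entry"]["success"] = True
    ok_after, bad_index = verify_chain(log)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(verify_chain(build_sample_log()))  # (True, None)
    print(tamper_demo())                     # (True, False, 2)
```

The chain detects modification of any record that has a successor, which is the 10.5.5 condition; it does not by itself detect removal of the newest records, since a truncated chain still verifies. That gap is why 10.5.3 (prompt copy to a central log server or hard-to-alter media) sits alongside it: a verifier that compares the local tail hash against the copy held centrally catches truncation as well.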
| Standard | Details | ISO 27002 Reference | Policy mapping |
|---|---|---|---|
| Requirement 11 | Regularly test security systems and processes | | |
| 11.1 | Test security controls, limitations, network connections and restrictions annually to assure the ability to adequately identify and to stop any unauthorised access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use. | 6.1.8, 15.2.2 | Business Continuity Policy 3.3.1 Independent Audit of Systems to ascertain BCM competence; Remote Access Policy 3.5.1 Right to audit remote access systems, equipment, device or link on contracted parties premises by the company or its designated agent |
| 11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. | 6.1.8, 15.2.2 | Remote Access Policy 3.5.1 Right to audit remote access systems, equipment, device or link on contracted parties premises by the company or its designated agent |
| 11.3 | Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. Testing must include network layer penetration tests and application layer penetration tests. | 6.1.8, 15.2.2 | Remote Access Policy 3.5.1 Right to audit remote access systems, equipment, device or link on contracted parties premises by the company or its designated agent |
| 11.4 | Use network intrusion detection systems, host based intrusion detection systems and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date. | 10.4.1 | |
| 11.5 | Deploy file integrity monitoring software to alert personnel to unauthorised modification of critical system or content files and configure the software to perform critical file comparisons at least weekly | 10.4.1 | |

| Standard | Details | ISO 27002 Reference | Policy mapping |
|---|---|---|---|
| Requirement 12 | Maintain an information security policy | | |
| 12.1 | Establish, publish, maintain and disseminate a security policy that accomplishes the following: | | |
| 12.1.1 | Addresses all requirements in this specification | 5.1.1, 10.9.1, 10.9.2, 10.9.3 | Acceptable Use Policy 1.1 Computer users required to comply with IT security policies; IT Security Policy System |
| 12.1.2 | Includes an annual process that identifies threats and vulnerabilities and results in a formal risk assessment | 5.1.2, 6.1.8, 15.2.2 | Business Continuity Policy 3.3.1 Independent Audit of Systems to ascertain BCM competence; Monitoring and Review |
| 12.1.3 | Includes a review at least once a year and updates when the environment changes | 6.1.8, 15.2.2 | Business Continuity Policy 3.3.1 Independent Audit of Systems to ascertain BCM competence; Monitoring and Review; Remote Access Policy 3.5.1 Right to audit remote access systems, equipment, device or link on contracted parties premises by the company or its designated agent |
| 12.2 | Develop daily operational security procedures that are consistent with requirements in this specification | 10.1 | Company Obligations |
| 12.3 | Develop usage policies for critical employee facing technologies such as modems and wireless to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following: | | |
| 12.3.1 | Explicit management approval | 11.1.1 | Acceptable Use Policy 3.1 Access to Systems; Access Control Policy 2.2.1 Remote access Approval Process; Access Control Policy 3.2.1 IT Staff must not allocate User IDs or grant privileges without written approval; Communications Equipment Policy 3.2.1 Authorisation for third party connections to business systems; Computer Systems and Equipment Use Policy 3.1.1 Authorisation required before equipment issued; Email Policy 2.1.1 Authorisation required prior to gaining access to email |
| 12.3.2 | Authentication for use of the technology | 11.4.1, 11.4.2, 11.5.1 | Password and Authentication Policy 2.1.1 One time, two factor authentication for remote access; Password and Authentication Policy 2.7.1 No access without authentication; Remote Access Policy 3.4.1 Systems connecting remotely must not permit telnet, ftp or any other real-time inbound access that may circumvent the authentication process |
| 12.3.3 | List of all such devices and personnel with access | 7.1.1 | Network Management Policy 2.1 Inventory of network access points |
| 12.3.4 | Labelling of devices with owner, contact information and purpose | No Match | Communications Equipment Policy 3.3.1 Labelling of communications equipment |
| 12.3.5 | Acceptable uses of the technologies | 7.1.3 | Acceptable Use Policy 1.1 Computer users required to comply with IT security policies; Communications Equipment Policy 1.1.1 Acceptable Use of Communications Equipment; Communications Equipment Policy 1.3.1 Hand-held devices susceptible to information leakage or interception and should not be used for transmitting sensitive information; Computer Systems and Equipment Use Policy 1.1.1 User Responsibilities; Computer Systems and Equipment Use Policy 1.3.1 Equipment allocated to user is only for business use; Computers for Councillors Policy - Acceptable Use; Laptop Security Policy 1.4 Laptops must not be altered. Maintenance to be carried out by authorised technical staff; Staff Obligations |
| 12.3.6 | Acceptable network locations for the technologies | 9.2.1, 9.2.3, 11.7.1 | Physical Access Policy 2.2.1 Environmental protection systems must be installed to mitigate damage to critical computer systems; Physical Access Policy 2.4.1 Management approving new facilities to take environmental risks into consideration; Physical Access Policy 3.1.1 Physical access to Server Rooms and the like must be restricted to authorised personnel with the keys or codes required for access; Physical Access Policy 3.2.1 Sensitive system isolation |
| 12.3.7 | List of company approved products | 10.1.2 | Hardware Management Policy 1.1.1 Division Managers to ensure purchase of computer equipment has the approval of IT Manager |
| 12.3.8 | Automatic disconnect of modem sessions after a specific period of inactivity | 11.5.5 | |
| 12.3.9 | Activation of modems for vendors only when needed by vendors with immediate deactivation after use | 11.5.6 | Remote Access Policy 3.2.1 Vendor access disabled by default |
| 12.3.10 | When accessing cardholder data remotely via modem, prohibition of storage of cardholder data onto local hard drives, floppy disks or other external media. Prohibition of cut and paste and print functions during remote access | 7.2.1, 10.7.1 | |
| 12.4 | Ensure that security policy and procedures clearly define information security responsibilities for all employees and contractors | 5.1.1 | Company Obligations for IT Security; Staff obligations for IT Security |
| 12.5 | Assign to an individual or team the following information security management responsibilities | | |
| 12.5.1 | Establish, document and distribute security policies and procedures | 5.1.1 | Company Obligations for IT Security |
| 12.5.2 | Monitor and analyse security alerts and information and distribute to appropriate personnel | 13.1.1, 13.1.2 | Business Continuity Policy 1.1.1 Reporting of Conditions that may affect Business Continuity; Cyber Crime and Incident Handling Policy 1.1.1 Errors and anomalies in live applications to be reported; Cyber Crime and Incident Handling Policy 3.2.1 IT Manager to set up notification and reporting structure |
| 12.5.3 | Establish, document and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations | 13.2.1 | Cyber Crime and Incident Handling Policy 3.1.1 Development of procedural documentation for handling security breach; Cyber Crime and Incident Handling Policy 3.2.1 IT Manager to set up notification and reporting structure |
| 12.5.4 | Administer user accounts, including additions, deletions and modifications | 11.2.1 | Access Control Policy 2.2.1 Remote access Approval Process; Access Control Policy 2.4.1 Reporting changes of duties affecting user privileges; Access Control Policy 3.2.1 IT Staff must not allocate User IDs or grant privileges without written approval; Access Control Policy 3.3.1 Prompt Termination of Users; Personnel Management Policy 3.1.1 Change to access rights controlled by provisions of Access Control Policy |
| 12.5.5 | Monitor and control all access to data | 11.6.1 | Access Control Policy 1.1.1 Authorised Access for Users; Access Control Policy 2.1.1 Management to determine Access Control standards; Hardware Management Policy 2.4.1 Protection of system documentation; Legal Compliance Policy 1.1.1 Transfer of information to third parties; Network Management Policy 3.1 Confidentiality of network configuration details; Software Management Policy 1.1 Access to live applications for software developers; Special Access Policy 1.2 Control on issuing enhanced privileges |
| 12.6 | Implement a formal security awareness program to make all employees aware of the importance of cardholder data security | | |
| 12.6.1 | Educate employees upon hire and at least annually | 5.1.1 | Acceptable Use Policy 1.1 Computer users required to comply with IT security policies; Company Obligations for IT Security |
| 12.6.2 | Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures | 8.1.1, 8.1.3 | Acceptable Use Policy Employee Acceptance Signoff |
| 12.7 | Screen potential employees to minimise the risk of attacks from internal sources | 8.1.2 | Personnel Management Policy 1.1.1 Background check for prospective staff to be employed in positions of trust; Personnel Management Policy 2.1.1 Managers responsible for ensuring a background check is carried out for all technical staff; Special Access Policy 1.2 Control on issuing enhanced privileges |
| 12.8 | If cardholder data is shared with service providers, then contractually the following is required: | | |
| 12.8.1 | Service providers must adhere to the PCI DSS requirements | 6.2.3 | |
| 12.8.2 | Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses | 6.1.5, 6.2.3 | Remote Access Policy 1.4.1 Responsibilities with regard to handling data |
| 12.9 | Implement an incident response plan. Be prepared to respond immediately to a system breach | | |
| 12.9.1 | Create the incident response plan to be implemented in the event of a system compromise. Ensure the plan addresses at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup procedures, roles and responsibilities and communication and contact strategies | 10.5.1, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.1.5 | Business Continuity Policy 1.2.1 Portable Devices must be Backed Up; Business Continuity Policy 2.1.1 Ensuring Business Continuity Planning is co-ordinated corporate wide; Business Continuity Policy 2.2.1 Management responsible for ensuring computer equipment purchased can be supported by corporate IT staff; Business Continuity Policy 2.3.1 Senior Management to agree the levels of self-insurance or seek external insurance depending upon risk; Business Continuity Policy 2.4.1 Division Manager responsible for backup of information not included in regular information systems backups; Business Continuity Policy 3.1.1 Business Continuity Plan must be prepared and regularly updated; Business Continuity Policy 3.2.1 Inventory of key personnel contact details and skills reviewed and updated annually; Business Continuity Policy 3.4.1 Regular backups; Cyber Crime and Incident Handling Policy 3.1.1 Development of procedural documentation for handling security breach |
| 12.9.2 | Test the plan at least annually | 14.1.5 | Business Continuity Policy 3.3.1 Independent Audit of Systems to ascertain BCM competence |
| 12.9.3 | Designate specific personnel to be available on a 24x7 basis to respond to alerts | 14.1.1, 14.1.3, 14.1.4 | Business Continuity Policy 3.2.1 Inventory of key personnel contact details and skills reviewed and updated annually |
| 12.9.4 | Provide appropriate training to staff with security breach response responsibilities | 14.1.1, 14.1.3, 14.1.4 | |
| 12.9.5 | Include alerts from intrusion detection, intrusion prevention and file integrity monitoring systems | 10.4.1, 13.1.1, 13.1.2 | |
| 12.9.6 | Develop processes to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments | 13.2.2 | |
| 12.10 | All processors and service providers must maintain and implement policies and procedures to manage connected entities to include the following: | | |
| 12.10.1 | Maintain a list of connected entities | 6.2.1, 11.1.1 | |
| 12.10.2 | Ensure proper due diligence is conducted prior to connecting an entity | 6.1.3, 6.1.4, 10.2.1 | Access Control Policy 2.2.1 Remote access Approval Process; Remote Access Policy 2.1.1 Remote access approval |
| 12.10.3 | Ensure the entity is PCI DSS compliant | 6.2.3, 10.2.1 | |
| 12.10.4 | Connect and disconnect entities by following an established process | 6.2.3, 11.2.1 | |