Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 12.7.1
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
NIST Cybersecurity Framework (RU):
PR.IP-11
PR.IP-11: Кибербезопасность включена в практику работы с персоналом (например, ограничение доступа, проверка персонала)
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 12.7.1
12.7.1
Defined Approach Requirements:
Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.
Customized Approach Objective:
The risk related to allowing new members of staff access to the CDE is understood and managed.
Applicability Notes:
For those potential personnel to be hired for positions such as store cashiers, who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Defined Approach Testing Procedures:
Defined Approach Requirements:
Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.
Customized Approach Objective:
The risk related to allowing new members of staff access to the CDE is understood and managed.
Applicability Notes:
For those potential personnel to be hired for positions such as store cashiers, who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Defined Approach Testing Procedures:
- 12.7.1 Interview responsible Human Resource department management to verify that screening is conducted, within the constraints of local laws, prior to hiring potential personnel who will have access to the CDE.
Purpose:
Performing thorough screening prior to hiring potential personnel who are expected to be given access to the CDE provides entities with the information necessary to make informed risk decisions regarding personnel they hire that will have access to the CDE.
Other benefits of screening potential personnel include helping to ensure workplace safety and confirming information provided by prospective employees on their resumes.
Good Practice:
Entities should consider screening for existing personnel anytime they transfer into roles where they have access to the CDE from roles where they did not have this access.
To be effective, the level of screening should be appropriate for the position. For example, positions requiring greater responsibility or that have administrative access to critical data or systems may warrant more detailed or more frequent screening than positions with less responsibility and access.
Examples:
Screening options can include, as appropriate for the entity’s region, previous employment history, review of public information/social media resources, criminal record, credit history, and reference checks.
Performing thorough screening prior to hiring potential personnel who are expected to be given access to the CDE provides entities with the information necessary to make informed risk decisions regarding personnel they hire that will have access to the CDE.
Other benefits of screening potential personnel include helping to ensure workplace safety and confirming information provided by prospective employees on their resumes.
Good Practice:
Entities should consider screening for existing personnel anytime they transfer into roles where they have access to the CDE from roles where they did not have this access.
To be effective, the level of screening should be appropriate for the position. For example, positions requiring greater responsibility or that have administrative access to critical data or systems may warrant more detailed or more frequent screening than positions with less responsibility and access.
Examples:
Screening options can include, as appropriate for the entity’s region, previous employment history, review of public information/social media resources, criminal record, credit history, and reference checks.
Стандарт № ИСО/МЭК 27001:2022(E) от 25.10.2022 "Информационная безопасность, кибербезопасность и защита частной жизни — Системы управления информационной безопасностью — Требования. Приложение А":
А.6.1
А.6.1 Проверка
До приема на работу в организацию и на постоянной основе в отношении всех кандидатов на должность в организации должны проводиться проверки достоверности сведений об их прошлом; такие проверки должны проводиться с учетом применимых требований законодательства, нормативных документов и этических норм, а также должны соответствовать бизнес-требованиям, категории информации, к которой необходимо получить доступ, а также осознаваемым рискам.
До приема на работу в организацию и на постоянной основе в отношении всех кандидатов на должность в организации должны проводиться проверки достоверности сведений об их прошлом; такие проверки должны проводиться с учетом применимых требований законодательства, нормативных документов и этических норм, а также должны соответствовать бизнес-требованиям, категории информации, к которой необходимо получить доступ, а также осознаваемым рискам.
SWIFT Customer Security Controls Framework v2022:
5 - 5.3A Staff Screening Process
5.3A Staff Screening Process
NIST Cybersecurity Framework (EN):
PR.IP-11
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
Стандарт № ISO/IEC 27001:2022(E) от 25.10.2022 "Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Annex A":
А.6.1
А.6.1 Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.