Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 2.2.2
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
ГОСТ Р № 57580.1-2017 от 01.01.2018 "Безопасность финансовых (банковских) операций. Защита информации финансовых организаций. Базовый состав организационных и технических мер. Раздел 7. Требования к системе защиты информации":
РД.9
РД.9 Запрет использования учетных записей субъектов логического доступа с незаданными аутентификационными данными или заданными по умолчанию разработчиком ресурса доступа, в том числе разработчиком АС
3-О 2-О 1-О
3-О 2-О 1-О
NIST Cybersecurity Framework (RU):
PR.AC-1
PR.AC-1: Для авторизованных устройств, пользователей и процессов выдаются, управляются, верифицируются, аннулируются и проверяются идентификационные и учетные данные
Приказ ФСТЭК России № 21 от 18.02.2013 "Состав и содержание мер по обеспечению безопасности персональных данных, необходимых для обеспечения каждого из уровней защищенности персональных данных":
АНЗ.5
АНЗ.5 Контроль правил генерации и смены паролей пользователей, заведения и удаления учетных записей пользователей, реализации правил разграничения доступа, полномочий пользователей в информационной системе
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 2.2.2
Customized Approach Objective:
System components cannot be accessed using default passwords.
Applicability Notes:
This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults.
This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service.
Defined Approach Testing Procedures:
2.2.2
Defined Approach Requirements:
Vendor default accounts are managed as follows:
Defined Approach Requirements:
Vendor default accounts are managed as follows:
- If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
- If the vendor default account(s) will not be used, the account is removed or disabled.
Customized Approach Objective:
System components cannot be accessed using default passwords.
Applicability Notes:
This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults.
This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service.
Defined Approach Testing Procedures:
- 2.2.2.a Examine system configuration standards to verify they include managing vendor default accounts in accordance with all elements specified in this requirement.
- 2.2.2.b Examine vendor documentation and observe a system administrator logging on using vendor default accounts to verify accounts are implemented in accordance with all elements specified in this requirement.
- 2.2.2.c Examine configuration files and interview personnel to verify that all vendor default accounts that will not be used are removed or disabled.
Purpose:
Malicious individuals often use vendor default account names and passwords to compromise operating systems, applications, and the systems on which they are installed.
Because these default settings are often published and are well known, changing these settings will make systems less vulnerable to attack.
Good Practice:
All vendor default accounts should be identified, and their purpose and use understood. It is important to establish controls for application and system accounts, including those used to deploy and maintain cloud services so that they do not use default passwords and are not usable by unauthorized individuals.
Where a default account is not intended to be used, changing the default password to a unique password that meets PCI DSS Requirement 8.3.6, removing any access to the default account, and then disabling the account, will prevent a malicious individual from re-enabling the account and gaining access with the default password.
Using an isolated staging network to install and configure new systems is recommended and can also be used to confirm that default credentials have not been introduced into production environments.
Examples:
Defaults to be considered include user IDs, passwords, and other authentication credentials commonly used by vendors in their products.
Malicious individuals often use vendor default account names and passwords to compromise operating systems, applications, and the systems on which they are installed.
Because these default settings are often published and are well known, changing these settings will make systems less vulnerable to attack.
Good Practice:
All vendor default accounts should be identified, and their purpose and use understood. It is important to establish controls for application and system accounts, including those used to deploy and maintain cloud services so that they do not use default passwords and are not usable by unauthorized individuals.
Where a default account is not intended to be used, changing the default password to a unique password that meets PCI DSS Requirement 8.3.6, removing any access to the default account, and then disabling the account, will prevent a malicious individual from re-enabling the account and gaining access with the default password.
Using an isolated staging network to install and configure new systems is recommended and can also be used to confirm that default credentials have not been introduced into production environments.
Examples:
Defaults to be considered include user IDs, passwords, and other authentication credentials commonly used by vendors in their products.
Guideline for a healthy information system v.2.0 (EN):
12 STANDARD
/STANDARD
It is essential to consider that the default settings of the information systems are known by the hackers, even if these are not known to the general public. These settings are (too) often trivial (password the same as the username, not long enough or common to all the devices and services for example) and are often easy to obtain by hackers capable of pretending to be a legitimate user.
The default authentication settings of the components of the system must therefore be changed when they are set up and, in terms of passwords, be in accordance with the previous recommendations in terms of choice, size and storage.
If changing a default password is impossible due, for example, to a password or certificate being "hardcoded" onto a device, this critical problem must be raised with the product supplier so that it can correct this vulnerability as fast as possible.
It is essential to consider that the default settings of the information systems are known by the hackers, even if these are not known to the general public. These settings are (too) often trivial (password the same as the username, not long enough or common to all the devices and services for example) and are often easy to obtain by hackers capable of pretending to be a legitimate user.
The default authentication settings of the components of the system must therefore be changed when they are set up and, in terms of passwords, be in accordance with the previous recommendations in terms of choice, size and storage.
If changing a default password is impossible due, for example, to a password or certificate being "hardcoded" onto a device, this critical problem must be raised with the product supplier so that it can correct this vulnerability as fast as possible.
Приказ ФСТЭК России № 17 от 11.02.2013 "Требования о защите информации, не составляющей государственную тайну, содержащейся в государственных информационных системах":
АНЗ.5
АНЗ.5 Контроль правил генерации и смены паролей пользователей, заведения и удаления учетных записей пользователей, реализации правил разграничения доступом, полномочий пользователей в информационной системе
SWIFT Customer Security Controls Framework v2022:
4 - 4.1 Password Policy
4.1 Password Policy
NIST Cybersecurity Framework (EN):
PR.AC-1
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.