Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 3.5.1.2
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
CIS Critical Security Controls v8 (The 18 CIS CSC):
3.6
3.6 Encrypt Data on End-User Devices
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
3.9
3.9 Encrypt Data on Removable Media
Encrypt data on removable media.
Encrypt data on removable media.
ГОСТ Р № 57580.1-2017 от 01.01.2018 "Безопасность финансовых (банковских) операций. Защита информации финансовых организаций. Базовый состав организационных и технических мер. Раздел 7. Требования к системе защиты информации":
ПУИ.27
ПУИ.27 Шифрование информации конфиденциального характера при ее хранении на МНИ, выносимых за пределы финансовой организации
3-Н 2-Н 1-Т
3-Н 2-Н 1-Т
NIST Cybersecurity Framework (RU):
PR.DS-1
PR.DS-1: Защищены данные находящиеся в состоянии покоя
Russian Unified Cyber Security Framework (на основе The 18 CIS CSC):
3.6
3.6 Реализовано шифрование данных на устройствах конечных пользователей
Примеры решений: Windows BitLocker, Apple FileVault, Linux dm-crypt.
Примеры решений: Windows BitLocker, Apple FileVault, Linux dm-crypt.
3.9
3.9 Реализовано шифрование данных на съемных носителях
Шифровать данные на съемных носителях
Шифровать данные на съемных носителях
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 3.5.1.2
3.5.1.2
Defined Approach Requirements:
If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
Defined Approach Requirements:
If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
- On removable electronic media
OR
- If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.
Customized Approach Objective:
This requirement is not eligible for the customized approach.
Applicability Notes:
While disk encryption may still be present on these types of devices, it cannot be the only mechanism used to protect PAN stored on those systems. Any stored PAN must also be rendered unreadable per Requirement 3.5.1—for example, through truncation or a data-level encryption mechanism. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore its use is appropriate only for removable electronic media storage devices.
Media that is part of a data center architecture (for example, hot-swappable drives, bulk tape-backups) is considered non-removable electronic media to which Requirement 3.5.1 applies
Disk or partition encryption implementations must also meet all other PCI DSS encryption and keymanagement requirements
Defined Approach Testing Procedures:
This requirement is not eligible for the customized approach.
Applicability Notes:
While disk encryption may still be present on these types of devices, it cannot be the only mechanism used to protect PAN stored on those systems. Any stored PAN must also be rendered unreadable per Requirement 3.5.1—for example, through truncation or a data-level encryption mechanism. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore its use is appropriate only for removable electronic media storage devices.
Media that is part of a data center architecture (for example, hot-swappable drives, bulk tape-backups) is considered non-removable electronic media to which Requirement 3.5.1 applies
Disk or partition encryption implementations must also meet all other PCI DSS encryption and keymanagement requirements
Defined Approach Testing Procedures:
- 3.5.1.2.a Examine encryption processes to verify that, if disk-level or partition-level encryption is used to render PAN unreadable, it is implemented only as follows:
- On removable electronic media, OR
- If used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered unreadable via another method that meets Requirement 3.5.1.
- 3.5.1.2.b Examine configurations and/or vendor documentation and observe encryption processes to verify the system is configured according to vendor documentation the result is that the disk or the partition is rendered unreadable.
Purpose:
Disk-level and partition-level encryption typically encrypts the entire disk or partition using the same key, with all data automatically decrypted when the system runs or when an authorized user requests it. For this reason, disk-level encryption is not appropriate to protect stored PAN on computers, laptops, servers, storage arrays, or any other system that provides transparent decryption upon user authentication.
Further Information:
Where available, following vendors’ hardening and industry best practice guidelines can assist in securing PAN on these devices.
Disk-level and partition-level encryption typically encrypts the entire disk or partition using the same key, with all data automatically decrypted when the system runs or when an authorized user requests it. For this reason, disk-level encryption is not appropriate to protect stored PAN on computers, laptops, servers, storage arrays, or any other system that provides transparent decryption upon user authentication.
Further Information:
Where available, following vendors’ hardening and industry best practice guidelines can assist in securing PAN on these devices.
Guideline for a healthy information system v.2.0 (EN):
31 STANDARD
/STANDARD
Frequent journeys in a professional context and the miniaturisation of IT hardware often lead to their loss or theft in a public space. This may put the sensitive data of the organization which is stored on it at risk.
Therefore, on all mobile hardware (laptops, smartphones, USB keys, external hard drives, etc.), only data that has already been encrypted must be stored, in order to maintain its confidentiality. Only confidential information (password, smart card, PIN code, etc.) will allow the person who has it to access this data.
A partition, archive or file encryption solution may be considered depending on the needs. Here, once again, it is essential to ensure the uniqueness and robustness of the decryption method used.
As far as possible, it is advisable to start by a complete disk encryption before considering archive and file encryption. These last two respond to different needs and can potentially leave the data storage medium unencrypted (backup files from office suites for example).
Frequent journeys in a professional context and the miniaturisation of IT hardware often lead to their loss or theft in a public space. This may put the sensitive data of the organization which is stored on it at risk.
Therefore, on all mobile hardware (laptops, smartphones, USB keys, external hard drives, etc.), only data that has already been encrypted must be stored, in order to maintain its confidentiality. Only confidential information (password, smart card, PIN code, etc.) will allow the person who has it to access this data.
A partition, archive or file encryption solution may be considered depending on the needs. Here, once again, it is essential to ensure the uniqueness and robustness of the decryption method used.
As far as possible, it is advisable to start by a complete disk encryption before considering archive and file encryption. These last two respond to different needs and can potentially leave the data storage medium unencrypted (backup files from office suites for example).
CIS Critical Security Controls v7.1 (SANS Top 20):
CSC 13.9
CSC 13.9 Encrypt Data on USB Storage Devices
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
NIST Cybersecurity Framework (EN):
PR.DS-1
PR.DS-1: Data-at-rest is protected
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.