Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 5.2.3
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
ГОСТ Р № 22301 от 01.01.2022 "Надежность в технике. Системы менеджмента непрерывности деятельности. Требования":
Р. 8 п. 3 пп. 2
8.3.2 Идентификация стратегий и решений
Идентификация стратегий и решений должна быть основана на уровне их полезности:
Идентификация стратегий и решений должна быть основана на уровне их полезности:
- а) при выполнении требований к продолжению и восстановлению приоритетных мероприятий в установленные сроки с установленным объемом производства;
- b) обеспечении защиты приоритетных направлений деятельности организации;
- с) снижении вероятности нарушения деятельности организации;
- d) сокращении продолжительности простоя при нарушении деятельности организации;
- е) ограничении влияния нарушения деятельности организации на продукцию и услуги организации;
- f) обеспечении необходимых ресурсов.
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 5.2.3
5.2.3
Defined Approach Requirements:
Any system components that are not at risk for malware are evaluated periodically to include the following:
Defined Approach Requirements:
Any system components that are not at risk for malware are evaluated periodically to include the following:
- A documented list of all system components not at risk for malware.
- Identification and evaluation of evolving malware threats for those system components.
- Confirmation whether such system components continue to not require anti-malware protection.
Customized Approach Objective:
The entity maintains awareness of evolving malware threats to ensure that any systems not protected from malware are not at risk of infection.
Applicability Notes:
System components covered by this requirement are those for which there is no anti-malware solution deployed per Requirement 5.2.1.
Defined Approach Testing Procedures:
The entity maintains awareness of evolving malware threats to ensure that any systems not protected from malware are not at risk of infection.
Applicability Notes:
System components covered by this requirement are those for which there is no anti-malware solution deployed per Requirement 5.2.1.
Defined Approach Testing Procedures:
- 5.2.3.a Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement.
- 5.2.3.b Interview personnel to verify that the evaluations include all elements specified in this requirement.
- 5.2.3.c Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements.
Purpose:
Certain systems, at a given point in time, may not currently be commonly targeted or affected by malware. However, industry trends for malware can change quickly, so it is important for organizations to be aware of new malware that might affect their systems—for example, by monitoring vendor security notices and antimalware forums to determine whether its systems might be coming under threat from new and evolving malware.
Good Practice:
If an entity determines that a particular system is not susceptible to any malware, the determination should be supported by industry evidence, vendor resources, and best practices.
The following steps can help entities during their periodic evaluations:
Certain systems, at a given point in time, may not currently be commonly targeted or affected by malware. However, industry trends for malware can change quickly, so it is important for organizations to be aware of new malware that might affect their systems—for example, by monitoring vendor security notices and antimalware forums to determine whether its systems might be coming under threat from new and evolving malware.
Good Practice:
If an entity determines that a particular system is not susceptible to any malware, the determination should be supported by industry evidence, vendor resources, and best practices.
The following steps can help entities during their periodic evaluations:
- Identification of all system types previously determined to not require malware protection.
- Review of industry vulnerability alerts and notices to determine if new threats exist for any identified system.
- A documented conclusion about whether the system types remain not susceptible to malware.
- A strategy to add malware protection for any system types for which malware protection has become necessary.
Trends in malware should be included in the identification of new security vulnerabilities at Requirement 6.3.1, and methods to address new trends should be incorporated into the entity’s configuration standards and protection mechanisms as needed.
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.