Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 8.4.1
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
CIS Critical Security Controls v8 (The 18 CIS CSC):
6.5
6.5 Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
ГОСТ Р № 57580.1-2017 от 01.01.2018 "Безопасность финансовых (банковских) операций. Защита информации финансовых организаций. Базовый состав организационных и технических мер. Раздел 7. Требования к системе защиты информации":
РД.4
РД.4 Идентификация и многофакторная аутентификация эксплуатационного персонала
3-Н 2-Т 1-Т
3-Н 2-Т 1-Т
ЗСВ.9
ЗСВ.9 Контроль и протоколирование доступа эксплуатационного персонала к серверным компонентам виртуализации и системе хранения данных с реализацией двухфакторной аутентификации
3-Н 2-Т 1-Т
3-Н 2-Т 1-Т
NIST Cybersecurity Framework (RU):
PR.AC-7
PR.AC-7: Пользователи, устройства и другие активы проходят аутентификацию (например, однофакторную, многофакторную), соизмеримую с риском транзакции (например, рисками безопасности и конфиденциальности отдельных лиц и другими организационными рисками)
Russian Unified Cyber Security Framework (на основе The 18 CIS CSC):
6.5
6.5 Требуется многофакторная аутентификация для доступа с использованием прав администратора
Запрашивать многофакторную аутентификацию для доступа с правами администратора.
Запрашивать многофакторную аутентификацию для доступа с правами администратора.
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 8.4.1
8.4.1
Defined Approach Requirements:
MFA is implemented for all non-console access into the CDE for personnel with administrative access.
Customized Approach Objective:
Administrative access to the CDE cannot be obtained by the use of a single authentication factor.
Applicability Notes:
The requirement for MFA for non-console administrative access applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection—that is, via logical access occurring over a network interface rather than via a direct, physical connection.
MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
Defined Approach Testing Procedures:
Defined Approach Requirements:
MFA is implemented for all non-console access into the CDE for personnel with administrative access.
Customized Approach Objective:
Administrative access to the CDE cannot be obtained by the use of a single authentication factor.
Applicability Notes:
The requirement for MFA for non-console administrative access applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection—that is, via logical access occurring over a network interface rather than via a direct, physical connection.
MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
Defined Approach Testing Procedures:
- 8.4.1.a Examine network and/or system configurations to verify MFA is required for all nonconsole into the CDE for personnel with administrative access.
- 8.4.1.b Observe administrator personnel logging into the CDE and verify that MFA is required.
Purpose:
Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.
Definitions:
Using one factor twice (for example, using two separate passwords) is not considered multifactor authentication.
Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.
Definitions:
Using one factor twice (for example, using two separate passwords) is not considered multifactor authentication.
SWIFT Customer Security Controls Framework v2022:
4 - 4.2 Multi-Factor Authentication
4.2 Multi-Factor Authentication
NIST Cybersecurity Framework (EN):
PR.AC-7
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.