Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 8.4.2
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
CIS Critical Security Controls v8 (The 18 CIS CSC):
6.5
6.5 Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
6.3
6.3 Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
ГОСТ Р № 57580.1-2017 от 01.01.2018 "Безопасность финансовых (банковских) операций. Защита информации финансовых организаций. Базовый состав организационных и технических мер. Раздел 7. Требования к системе защиты информации":
ЗСВ.9
ЗСВ.9 Контроль и протоколирование доступа эксплуатационного персонала к серверным компонентам виртуализации и системе хранения данных с реализацией двухфакторной аутентификации
3-Н 2-Т 1-Т
3-Н 2-Т 1-Т
РД.2
РД.2 Идентификация и многофакторная аутентификация пользователей
3-Н 2-Н 1-Т
3-Н 2-Н 1-Т
РД.4
РД.4 Идентификация и многофакторная аутентификация эксплуатационного персонала
3-Н 2-Т 1-Т
3-Н 2-Т 1-Т
NIST Cybersecurity Framework (RU):
PR.AC-7
PR.AC-7: Пользователи, устройства и другие активы проходят аутентификацию (например, однофакторную, многофакторную), соизмеримую с риском транзакции (например, рисками безопасности и конфиденциальности отдельных лиц и другими организационными рисками)
ГОСТ Р № 57580.4-2022 от 01.02.2023 "Безопасность финансовых (банковских) операций. Обеспечение операционной надежности. Базовый состав организационных и технических мер. Раздел 7":
ВПУ.13.1
ВПУ.13.1 Многофакторную аутентификацию субъектов доступа, осуществляющих удаленное техническое обслуживание и диагностику;
Russian Unified Cyber Security Framework (на основе The 18 CIS CSC):
6.5
6.5 Требуется многофакторная аутентификация для доступа с использованием прав администратора
Запрашивать многофакторную аутентификацию для доступа с правами администратора.
Запрашивать многофакторную аутентификацию для доступа с правами администратора.
6.3
6.3 Требуется многофакторная аутентификация для приложений, доступных извне
Для реализации требования может использоваться служба каталогов или технологии единого входа (SSO).
Для реализации требования может использоваться служба каталогов или технологии единого входа (SSO).
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 8.4.2
8.4.2
Defined Approach Requirements:
MFA is implemented for all access into the CDE.
Customized Approach Objective:
Access into the CDE cannot be obtained by the use of a single authentication factor.
Applicability Notes:
This requirement does not apply to:
Defined Approach Requirements:
MFA is implemented for all access into the CDE.
Customized Approach Objective:
Access into the CDE cannot be obtained by the use of a single authentication factor.
Applicability Notes:
This requirement does not apply to:
- Application or system accounts performing automated functions.
- User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
MFA is required for both types of access specified in Requirements 8.4.2 and 8.4.3. Therefore, applying MFA to one type of access does not replace the need to apply another instance of MFA to the other type of access. If an individual first connects to the entity’s network via remote access, and then later initiates a connection into the CDE from within the network, per this requirement the individual would authenticate using MFA twice, once when connecting via remote access to the entity’s network and once when connecting via non-console administrative access from the entity’s network into the CDE.
The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers, and endpoints, and includes access directly to an entity’s networks or systems as well as web-based access to an application or function.
MFA for remote access into the CDE can be implemented at the network or system/application level; it does not have to be applied at both levels. For example, if MFA is used when a user connects to the CDE network, it does not have to be used when the user logs into each system or application within the CDE.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures:
The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers, and endpoints, and includes access directly to an entity’s networks or systems as well as web-based access to an application or function.
MFA for remote access into the CDE can be implemented at the network or system/application level; it does not have to be applied at both levels. For example, if MFA is used when a user connects to the CDE network, it does not have to be used when the user logs into each system or application within the CDE.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures:
- 8.4.2.a Examine network and/or system configurations to verify MFA is implemented for all access into the CDE. 8.4.2.b Observe personnel logging in to the CDE and examine evidence to verify that MFA is required.
Purpose:
Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.
Definitions:
Using one factor twice (for example, using two separate passwords) is not considered multifactor authentication.
Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.
Definitions:
Using one factor twice (for example, using two separate passwords) is not considered multifactor authentication.
Guideline for a healthy information system v.2.0 (EN):
13 STANDARD
/STANDARD
The implementation of a two-factor authentication is strongly recommended, requiring the use of two different authentication factors from among the following:
The implementation of a two-factor authentication is strongly recommended, requiring the use of two different authentication factors from among the following:
- something I know (password, unlock pattern, signature);
- something I have (smart card, USB token, magnetic card, RFID, a phone to receive an SMS);
- something I am (a digital fingerprint)
NIST Cybersecurity Framework (EN):
PR.AC-7
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.