Куда я попал?
Framework № PCI DSS 4.0 от 01.03.2022
Payment Card Industry Data Security Standard (RU)
Requirement 9.3.2
Для проведения оценки соответствия по документу войдите в систему.
Список требований
Похожие требования
NIST Cybersecurity Framework (RU):
PR.IP-5
PR.IP-5: Соблюдаются политика и положения физической безопасности для организационных активов
Framework № PCI DSS 4.0 от 01.03.2022 "Payment Card Industry Data Security Standard":
Requirement 9.3.2
9.3.2
Defined Approach Requirements:
Procedures are implemented for authorizing and managing visitor access to the CDE, including:
Defined Approach Requirements:
Procedures are implemented for authorizing and managing visitor access to the CDE, including:
- Visitors are authorized before entering.
- Visitors are escorted at all times.
- Visitors are clearly identified and given a badge or other identification that expires.
- Visitor badges or other identification visibly distinguishes visitors from personnel.
Customized Approach Objective:
Requirements for visitor access to the CDE are defined and enforced. Visitors cannot exceed any authorized physical access allowed while in the CDE.
Defined Approach Testing Procedures:
Requirements for visitor access to the CDE are defined and enforced. Visitors cannot exceed any authorized physical access allowed while in the CDE.
Defined Approach Testing Procedures:
- 9.3.2.a Examine documented procedures and interview personnel to verify procedures are defined for authorizing and managing visitor access to the CDE in accordance with all elements specified in this requirement.
- 9.3.2.b Observe processes when visitors are present in the CDE and interview personnel to verify that visitors are:
- Authorized before entering the CDE.
- Escorted at all times within the CDE.
- 9.3.2.c Observe the use of visitor badges or other identification to verify that the badge or other identification does not permit unescorted access to the CDE.
- 9.3.2.d Observe visitors in the CDE to verify that:
- Visitor badges or other identification are being used for all visitors.
- Visitor badges or identification easily distinguish visitors from personnel.
- 9.3.2.e Examine visitor badges or other identification and observe evidence in the badging system to verify visitor badges or other identification expires.
Purpose:
Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to facilities and potentially to cardholder data.
Visitor controls ensure visitors are identifiable as visitors so personnel can monitor their activities, and that their access is restricted to just the duration of their legitimate visit.
Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to facilities and potentially to cardholder data.
Visitor controls ensure visitors are identifiable as visitors so personnel can monitor their activities, and that their access is restricted to just the duration of their legitimate visit.
Guideline for a healthy information system v.2.0 (EN):
26 STANDARD
/STANDARD
Physical security mechanisms must be a key part of information systems security and be up to date to ensure that they cannot be bypassed easily by a hacker. It is, therefore, advisable to identify the suitable physical security measures and to raise users’ awareness continuously of the risks caused by bypassing these rules.
Access to server rooms and technical areas must be controlled with the assistance of locks or access control mechanisms such as badges. The unaccompanied access of external service providers to sever rooms and technical areas must be prohibited, except if it is possible to strictly monitor the access and limit it to given time intervals. A regular review of the access rights must be carried out, in order to identify any unauthorised access.
When an employee leaves or there is a change of service provider, the access rights must be withdrawn or the access codes changed.
Finally, the network sockets in areas open to the public (meeting room, reception hall, corridors, etc.) must be restricted or deactivated in order to stop a hacker easily gaining access to the company’s network.
Physical security mechanisms must be a key part of information systems security and be up to date to ensure that they cannot be bypassed easily by a hacker. It is, therefore, advisable to identify the suitable physical security measures and to raise users’ awareness continuously of the risks caused by bypassing these rules.
Access to server rooms and technical areas must be controlled with the assistance of locks or access control mechanisms such as badges. The unaccompanied access of external service providers to sever rooms and technical areas must be prohibited, except if it is possible to strictly monitor the access and limit it to given time intervals. A regular review of the access rights must be carried out, in order to identify any unauthorised access.
When an employee leaves or there is a change of service provider, the access rights must be withdrawn or the access codes changed.
Finally, the network sockets in areas open to the public (meeting room, reception hall, corridors, etc.) must be restricted or deactivated in order to stop a hacker easily gaining access to the company’s network.
Стандарт Банка России № СТО БР ИББС-1.4-2018 от 01.07.2018 "Управление риском нарушения информационной безопасности при аутсорсинге":
Р. 6 п. 4
6.4. Основное требование 3. Организация БС РФ должна обеспечить выполнение своих обязательств перед клиентами и контрагентами, а также возможность проведения эффективного контроля выполнения требований в области защиты информации со стороны Банка России и уполномоченных органов исполнительной власти в рамках выполнения надзорных (контрольных) мероприятий в области защиты информации.
Организации БС РФ рекомендуется реализовать:
- регламентацию и применение организационных мер и технических средств, реализующих контроль доступа работников поставщика услуг и иных лиц к защищаемой информации, а также информационным (автоматизированным) обрабатывающим ее системам;
- обязательное сохранение за организацией БС РФ функций управления предоставлением доступа к защищаемой информации, а при технической невозможности (например, при использовании облачных вычислений по модели SaaS) - контроль выполнения функций по управлению предоставлением доступа к защищаемой информации поставщиком услуг.
Привлечение поставщиков услуг для выполнения работ не должно оказывать влияния на законодательно закрепленные права клиентов по отношению к организации БС РФ, включая право на возврат денежных средств при использовании электронного средства платежа без согласия клиента, установленное статьей 9 Федерального закона от 27 июня 2011 года N 161-ФЗ "О национальной платежной системе".
NIST Cybersecurity Framework (EN):
PR.IP-5
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
Связанные защитные меры
Ничего не найдено
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.