SlideShare uma empresa Scribd logo

Compliance poster

Rui Gomes
Rui Gomes
1 de 1
Baixar para ler offline
IT Controls Reference Standards ISO 17799 (2005) Regulations Laws Assessing security risks Identify, quantify, and prioritise risks against criteria for risk acceptance relevant to the organisation 4.2 Treating security risks Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties Information security policy An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals Internal organisation A management framework should be established to initiate and control the implementation of information security within the organisation 6.2 External parties To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties Responsibility for assets All assets should be accounted for and have a nominated owner 7.2 Information classification Information should be classified to indicate the need, priorities and expected degree of protection Prior to employment To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles 8.2 During employment To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work 8.3 Termination or change of employment To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner Secure areas To prevent unauthorised physical access, damage, and interference to the organisation’s premises and information 9.2 Equipment security To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities Operational procedures and responsibilities To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions 10.2 Third party service delivery management To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements 10.3 System planning and acceptance To minimise the risk of systems failures 10.4 Protection against malicious and mobile code Precautions are required to prevent and detect the introduction of malicious code and unauthorised mobile code 10.5 Back-up Routine procedures for implementing the back-up policy and strategy 10.6 Network security management To ensure the protection of information in networks and the protection of the supporting infrastructure 10.7 Media handling To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities 10.8 Exchange of information To maintain the security of information and software exchanged within an organisation and with any external entity 10.9 Electronic commerce services To ensure the security of electronic commerce services, and their secure use 10.10 Monitoring To detect unauthorised information processing activities including review of operator logs and fault logging Business requirement for access control Establish, document and review access control policies and rules 11.2 User access management Formal procedures to control the allocation of access rights to information systems and services 11.3 User responsibilities User awareness, particularly with the use of passwords and the security of equipment 11.4 Network access control Ensure that appropriate interfaces and authentication mechanisms to networked services are in place 11.5 Operating system access control To ensure authorised access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses 11.6 Application and information access control To prevent unauthorised access to information held in application systems 11.7 Mobile computing and teleworking To ensure information security when using mobile computing and teleworking facilities Security requirements of information systems To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications 12.2 Correct processing in applications To prevent errors, loss, unauthorised modification or misuse of information in applications 12.3 Cryptographic controls To protect the confidentiality, authenticity or integrity of information by cryptographic means 12.4 Security of system files To ensure security of system files 12.5 Security in development and support processes Project and support environments should be strictly controlled 12.6 Technical vulnerability management To reduce risks resulting from exploitation of published technical vulnerabilities Reporting information security events and weaknesses To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken 13.2 Management of information security incidents and improvements To ensure a consistent and effective approach is applied to the management of information security incidents Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 7 – Risk management: Establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm’s activities, processes and systems • Risk assessment • Objective setting • Event identification Plan and organise: PO9 Assess and manage IT risks Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control 4.1.1 Establish a management framework to initiate and manage information security (c) Protection of records throughout the records retention period N/A • Risk management – Organisational management First principle: Personal data shall be processed fairly and lawfully Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Risk response • Event identification Plan and organise: PO1 Define a strategic IT plan PO4 Define the IT processes, organisation and relationships PO6 Communicate management aims and direction PO7 Manage IT human resources 4.1.1 Identify the risks arising from the links with third parties (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security N/A Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured Article 5 – Organisational requirements: Require investment firms to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question • Internal environment • Objective setting • Risk assessment Deliver and support: DS5 Ensure systems security N/A (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Outsourcing policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Information and communication Plan and organise: PO8 Manage quality Deliver and support: DS1 Define and manage service levels DS2 Manage third-party services DS5 Ensure systems security N/A (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Outsourcing policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Risk assessment • Control activities • Information and communication • Monitoring Plan and organise: PO4 Define the IT processes, organisation and relationships 3.3.1 Configuration and asset management process 4.2.1 Ensure there is an overview of the most important information sources and systems; allocate responsibility for all information and systems (c) Protection of records throughout the records retention period N/A • Risk management – Asset management Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities Plan and organise: PO2 Define the information architecture PO4 Assess and manage IT risks Deliver and support: DS5 Ensure systems security 4.2.1 Rules for classification are outside the sphere of ITIL (c) Protection of records throughout the records retention period N/A • Risk management – Asset management Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured Article 51 – Retention of records: Require investment firms to retain all the records required under Directive 2004/39/EC and its implementing measures for a period of at least five years • Risk assessment • Event identification Plan and organise: PO7 Manage IT human resources Deliver and support: DS12 Manage the physical environment 4.2.2 Includes job descriptions; applicant screening; confidentiality agreements (c) Protection of records throughout the records retention period Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Information and communication Plan and organise: PO7 Manage IT human resources Deliver and support: DS7 Educate and train users 4.2.2 Includes training to make employees aware of security threats and of the importance of information security (c) Protection of records throughout the records retention period (i) Users of electronic record/electronic signature systems have appropriate education, training and experience Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Information and communication Plan and organise: PO4 Define the IT processes, organisation and relationships PO7 Manage IT human resources 4.2.2 Includes job descriptions; applicant screening; confidentiality agreements (c) Protection of records throughout the records retention period Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Policy management – Personnel policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS5 Ensure systems security DS11 Manage data DS12 Manage the physical environment ITIL Environmental Strategy Set ITIL Environmental Management Set (c) Protection of records throughout the records retention period Implement strong access control measures: 9. Restrict physical access to cardholder data • Policy management – Physical security policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication • Monitoring Deliver and support: DS12 Manage the physical environment Select locations for installing equipment that involve the least risk from outside (c) Protection of records throughout the records retention period Implement strong access control measures: 9. Restrict physical access to cardholder data • Policy management – Physical security policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication Plan and organise: PO4 Assess and manage IT risks Acquire and implement: A16 Manage changes Deliver and support: DS4 Ensure continuous service DS13 Manage operations 4.2.3 Ensure there are established responsibilities for the management of all IT resources and all parts of the IT infrastructure including segregration of duties and security incident handling (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over systems documentation N/A • Intrusion detection • Incident response plan • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Risk response • Control activities • Monitoring Plan and organise: PO4 Define the IT processes, organisation and relationships PO8 Manage quality PO10 Manage projects Deliver and support: DS1 Define and manage service levels DS2 Manage third-party services N/A (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Outsourcing policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities Deliver and support: DS3 Manage performance and capacity DS4 Ensure continuous service 3.3.4 Change management process 3.4.3 Improving performance in terms of throughput capacity and response times; other measures include resource, demand and workload management, application sizing and modelling (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period N/A N/A Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security DS8 Manage service desk and incidents DS9 Manage the configuration DS10 Manage problems 3.3.2 Incident control/help desk 4.2.4 Access control; anti-virus control policy (c) Protection of records throughout the records retention period Maintain a vulnerability management program: 5. Use and regularly update anti-virus software • Cyber intelligence – Patch management • Firewalls • Active content filtering • Intrusion detection • Virus scanners • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Event identification • Information and communication Deliver and support: DS4 Ensure continuous service DS11 Manage data 3.4.2 Availability management 3.4.4 Fallback planning (c) Protection of records throughout the records retention period N/A • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 5 – Organisational requirements: Require investment firms to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question • Event identification • Control activities • Monitoring Deliver and support: DS5 Ensure systems security 4.2.3 Communications and operations management; security measures for networks (c) Protection of records throughout the records retention period Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Maintain a vulnerability management program: 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications • Risk management – Asset management • Cyber intelligence – Patch management • Firewalls • Active content filtering – Web application security • Intrusion detection • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Risk assessment • Control activities • Monitoring Deliver and support: DS11 Manage data 3.4.2 Availability management 3.4.4 Fallback planning 4.2.3 Communications and operations management; handling and security of data carriers Agreements should be included in the SLA (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time Protect cardholder data: 3. Protect stored data Implement strong access control measures: 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data • Physical security policy Fifth principle: Personal data processed shall not be kept for longer than is necessary Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication Deliver and support: DS5 Ensure systems security 4.2.3 Communications and operations management; handling and security of data carriers Agreements should be included in the SLA (c) Protection of records throughout the records retention period Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Active content filtering – Web application security • Firewalls • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured N/A • Risk assessment • Risk response • Control activities • Information and communication • Monitoring Deliver and support: DS5 Ensure systems security 4.2.3 Communications and operations management; handling and security of data carriers Agreements should be included in the SLA 4.2.4 Access control; application access control (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks Maintain a vulnerability management program: 6. Develop and maintain secure systems and applications • Active content filtering Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Fifth principle: Personal data processed shall not be kept for longer than is necessary Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured N/A • Event identification • Control activities Deliver and support: DS5 Ensure systems security Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control 4.2.4 Access control; monitoring and auditing information system access (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Implement strong access control measures: 8. Assign a unique ID to each person with computer access Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Access controls/authentication • Active content filtering – Web application security • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security Largely outside the scope of ITIL (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 12. Maintain a policy that addresses information security • Access controls/authentication • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities Deliver and support: DS5 Ensure systems security 4.2.4 Access control; network, computer and application access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Implement strong access control measures: 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access • Access controls/authentication • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security Outside the scope of ITIL, this is the responsibility of the user organisation (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system (i) Users of electronic record/electronic signature systems have appropriate education, training and experience Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 12. Maintain a policy that addresses information security • Access controls/authentication • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities Deliver and support: DS5 Ensure systems security 4.2.4 Access control; network, computer access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Access controls/authentication • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Deliver and support: DS5 Ensure systems security 4.2.4 Access control; computer access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 10. Track and monitor all access to network resources and cardholder data • Access controls/authentication • Active content filtering – Web application security • Intrusion detection • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Deliver and support: DS5 Ensure systems security 4.2.4 Access control; application access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Access controls/authentication • Active content filtering – Web application security • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security N/A (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Policy management – Remote system • Access policy • Access controls/authentication • Active content filtering – Web application security Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Acquire and implement: A12 Acquire and maintain application software A13 Acquire and maintain technology infrastructure ITIL book software lifecycle support and the business perspective set ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Acquire and implement: A12 Acquire and maintain application software ITIL book software lifecycle support and the business perspective set ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications • Cyber intelligence – Patch management • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities Deliver and support: DS5 Ensure systems security ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (h) Use of device checks to determine validity of source data input or operational instruction (k) Use of appropriate controls over systems documentation Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Acquire and implement: A16 Manage changes Deliver and support: DS5 Ensure systems security ITIL is not primarily concerned with individual components, such as files, queues, data or messages (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication • Monitoring Acquire and implement: A16 Manage changes Deliver and support: DS5 Ensure systems security ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications N/A Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Plan and organise: PO9 Assess and manage IT risks Deliver and support: DS2 Manage third-party services DS4 Ensure continuous service DS5 Ensure systems security DS9 Manage the configuration Monitor and evaluate: ME1 Monitor and evaluate IT performance ITIL is not specifically concerned with vulnerability management (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS5 Ensure systems security DS8 Manage service desk and incidents DS10 Manage problems Monitor and evaluate: ME1 Monitor and evaluate IT performance: ME2 Monitor and evaluate internal control 4.2.2 Includes responding to security incidents as quickly as possible through the right channels (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period Regularly monitor and test networks: 11. Regularly test security systems and processes Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy • Virus scanners • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS5 Ensure systems security DS8 Manage service desk and incidents DS10 Manage problems Monitor and evaluate: ME1 Monitor and evaluate IT performance: ME2 Monitor and evaluate internal control 4.2.2 Includes responding to security incidents as quickly as possible through the right channels 4.2.3 Ensure there are established responsibilities for the management of security incident handling (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS4 Ensure continuous service DS10 Manage problems DS11 Manage data 3.4.4 Business continuity planning; an entire ITIL book is dedicated to this topic (c) Protection of records throughout the records retention period N/A • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 14 – Conditions of outsourcing: The investment firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of back-up facilities • Event identification • Risk response • Control activities • Information and communication • Monitoring Monitor and evaluate: ME3 Ensure regulatory compliance ME4 Provide IT governance 4.3 Audit and evaluate: security reviews of IT systems (c) Protection of records throughout the records retention period N/A N/A Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Event identification • Risk response • Control activities • Information and communication • Monitoring Acquire and implement: AI7 Install and accredit solutions and changes Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control ME4 Provide IT governance 4.3 Audit and evaluate: security reviews of IT systems (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (f) Use of operational system checks to enforce sequencing of steps and events as appropriate Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Risk management – Asset management • Intrusion detection • Vulnerability and penetration testing Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control ME4 Provide IT governance 4.3 Audit and evaluate: security reviews of IT systems (c) Protection of records throughout the records retention period Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data • Intrusion detection • Vulnerability and penetration testing Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 8 – Internal audit: Establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the investment firm’s systems • Monitoring 14: Business continuity management 14.1 Information security aspects of business continuity management To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption SECTION • Risk management – Organisational management • Policy management 13: Information security incident management 13.1 SECTION N/A 12: Information systems acquisition, development and maintenance 12.1 SECTION (c) Protection of records throughout the records retention period 11: Access control 11.1 SECTION 2.2.3 Responsibilities, powers and duties are clearly specified by policy processes, procedures and work instructions 10: Communications and operations management 10.1 SECTION Plan and organise: PO9 Assess and manage IT risks Monitor and evaluate: ME3 Ensure regulatory compliance ME4 Provide IT governance 9: Physical and environmental security 9.1 SECTION Sarbanes – Oxley COSO From 26 June 2006 draft version of: “Implementing Directive 2004/39/EC” 8: Human resources security 8.1 SECTION Bank of International Settlements Operational Risk Check List MiFID 7: Asset management 7.1 SECTION Data Security Standard EU Data Protection Directive 6: Organisation of information security 6.1 SECTION Basel II 5: Security policy 5.1 SECTION Payment Card Industry 4: Risk assessment and treatment 4.1 SECTION ITIL FDA 21 CFR Part 11 SECTION COBIT® 4.0 15: Compliance 15.1 Compliance with legal requirements To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements 15.2 Compliance with security policies and standards, and technical compliance To ensure compliance of systems with organisational security policies and standards 15.3 Information systems audit considerations To maximise the effectiveness of and to minimise interference to/from the information systems audit processes www.symantec.com This information is provided as guidance only and does not constitute legal advice. The information is subject to change and update at any time without prior written notice. See www.symantec.com for current details. Copyright © 2006 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners.

Recomendados

ISO_27001___2005_OASIS
ISO_27001___2005_OASISISO_27001___2005_OASIS
ISO_27001___2005_OASIS
Dermot Clarke
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
IGN MANTRA
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
- Mark - Fullbright
 
Domain 2 - Asset Security
Domain 2 - Asset SecurityDomain 2 - Asset Security
Domain 2 - Asset Security
Maganathin Veeraragaloo
 
GDPR vs ISO27001 en
GDPR vs ISO27001 enGDPR vs ISO27001 en
GDPR vs ISO27001 en
Walter Vannini
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
Ilesh Dattani
 
General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001
Owako Rodah
 
Compliance mapping GDPR vs ISO_en
Compliance mapping GDPR vs ISO_enCompliance mapping GDPR vs ISO_en
Compliance mapping GDPR vs ISO_en
Balázs Antók
 

Recomendados

ISO_27001___2005_OASIS
ISO_27001___2005_OASISISO_27001___2005_OASIS
ISO_27001___2005_OASIS
Dermot Clarke
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
IGN MANTRA
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
- Mark - Fullbright
 
Domain 2 - Asset Security
Domain 2 - Asset SecurityDomain 2 - Asset Security
Domain 2 - Asset Security
Maganathin Veeraragaloo
 
GDPR vs ISO27001 en
GDPR vs ISO27001 enGDPR vs ISO27001 en
GDPR vs ISO27001 en
Walter Vannini
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
Ilesh Dattani
 
General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001General Data Protection Regulation (GDPR) and ISO 27001
General Data Protection Regulation (GDPR) and ISO 27001
Owako Rodah
 
Compliance mapping GDPR vs ISO_en
Compliance mapping GDPR vs ISO_enCompliance mapping GDPR vs ISO_en
Compliance mapping GDPR vs ISO_en
Balázs Antók
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
IT Governance Ltd
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
PECB
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
Mukesh Chinta
 
Information security and other issues
Information security and other issuesInformation security and other issues
Information security and other issues
Haseeb Ahmed Awan
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
Jerod Brennen
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
IGN MANTRA
 
Data security
Data securityData security
Data security
AbdulBasit938
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Tech Matrix 20080523
Tech Matrix 20080523Tech Matrix 20080523
Tech Matrix 20080523
samsontamwaiho
 
[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi
Prajwal Panchmahalkar
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Eric Vanderburg
 
Information Security Management. Security solutions copy
Information Security Management. Security solutions copyInformation Security Management. Security solutions copy
Information Security Management. Security solutions copy
yuliana_mar
 
Data Security
Data SecurityData Security
Data Security
ankita_kashyap
 
NIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS ComplianceNIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS Compliance
Government Technology & Services Coalition
 
DocomUSA Cyber Security
DocomUSA Cyber SecurityDocomUSA Cyber Security
DocomUSA Cyber Security
docomusa
 
Data protection and data integrity
Data protection and data integrity Data protection and data integrity
Data protection and data integrity
Axon Lawyers
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO Standards
PECB
 
InfoFort Profile (EN)
InfoFort Profile (EN)InfoFort Profile (EN)
InfoFort Profile (EN)
Mohammed Al Nahas
 
The adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environmentThe adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environment
Rui Gomes
 
Si deconomico
Si deconomicoSi deconomico
Si deconomico
Rui Gomes
 
Imia australia2007-mobil saude-ll-nov2006
Imia australia2007-mobil saude-ll-nov2006Imia australia2007-mobil saude-ll-nov2006
Imia australia2007-mobil saude-ll-nov2006
Rui Gomes
 

Mais conteúdo relacionado

Mais procurados

ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
PECB
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
Jerod Brennen
 
[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi
Prajwal Panchmahalkar
 
DocomUSA Cyber Security
DocomUSA Cyber SecurityDocomUSA Cyber Security
DocomUSA Cyber Security
docomusa
 

Mais procurados (19)

Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
Information security and other issues
Information security and other issuesInformation security and other issues
Information security and other issues
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
 
Data security
Data securityData security
Data security
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
 
Tech Matrix 20080523
Tech Matrix 20080523Tech Matrix 20080523
Tech Matrix 20080523
 
[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
 
Information Security Management. Security solutions copy
Information Security Management. Security solutions copyInformation Security Management. Security solutions copy
Information Security Management. Security solutions copy
 
Data Security
Data SecurityData Security
Data Security
 
NIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS ComplianceNIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS Compliance
 
DocomUSA Cyber Security
DocomUSA Cyber SecurityDocomUSA Cyber Security
DocomUSA Cyber Security
 
Data protection and data integrity
Data protection and data integrity Data protection and data integrity
Data protection and data integrity
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO Standards
 
InfoFort Profile (EN)
InfoFort Profile (EN)InfoFort Profile (EN)
InfoFort Profile (EN)
 

Destaque

The adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environmentThe adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environment
Rui Gomes
 
Si deconomico
Si deconomicoSi deconomico
Si deconomico
Rui Gomes
 
Imia australia2007-mobil saude-ll-nov2006
Imia australia2007-mobil saude-ll-nov2006Imia australia2007-mobil saude-ll-nov2006
Imia australia2007-mobil saude-ll-nov2006
Rui Gomes
 
Heroes happen here book 2008
Heroes happen here book 2008Heroes happen here book 2008
Heroes happen here book 2008
Rui Gomes
 
Itil assessment in a healthcare environment the role of it governance at hosp...
Itil assessment in a healthcare environment the role of it governance at hosp...Itil assessment in a healthcare environment the role of it governance at hosp...
Itil assessment in a healthcare environment the role of it governance at hosp...
Rui Gomes
 
Paper pxe 23 03 20004
Paper pxe 23 03 20004Paper pxe 23 03 20004
Paper pxe 23 03 20004
Rui Gomes
 
Heroes happen
Heroes happenHeroes happen
Heroes happen
Rui Gomes
 
Ruigomes thesis
Ruigomes thesisRuigomes thesis
Ruigomes thesis
Rui Gomes
 
Herzig preview
Herzig previewHerzig preview
Herzig preview
Rui Gomes
 
Nota biográfica rg up
Nota biográfica rg upNota biográfica rg up
Nota biográfica rg up
Rui Gomes
 

Destaque (12)

The adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environmentThe adoption of it security standards in a healthcare environment
The adoption of it security standards in a healthcare environment
 
Si deconomico
Si deconomicoSi deconomico
Si deconomico
 
Imia australia2007-mobil saude-ll-nov2006
Imia australia2007-mobil saude-ll-nov2006Imia australia2007-mobil saude-ll-nov2006
Imia australia2007-mobil saude-ll-nov2006
 
Heroes happen here book 2008
Heroes happen here book 2008Heroes happen here book 2008
Heroes happen here book 2008
 
Itil assessment in a healthcare environment the role of it governance at hosp...
Itil assessment in a healthcare environment the role of it governance at hosp...Itil assessment in a healthcare environment the role of it governance at hosp...
Itil assessment in a healthcare environment the role of it governance at hosp...
 
Paper pxe 23 03 20004
Paper pxe 23 03 20004Paper pxe 23 03 20004
Paper pxe 23 03 20004
 
Heroes happen
Heroes happenHeroes happen
Heroes happen
 
Ruigomes thesis
Ruigomes thesisRuigomes thesis
Ruigomes thesis
 
Herzig preview
Herzig previewHerzig preview
Herzig preview
 
Louvor n 178 2015
Louvor n 178 2015 Louvor n 178 2015
Louvor n 178 2015
 
Louvor n 178 2015
Louvor n 178 2015 Louvor n 178 2015
Louvor n 178 2015
 
Nota biográfica rg up
Nota biográfica rg upNota biográfica rg up
Nota biográfica rg up
 

Semelhante a Compliance poster

Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
John Macasio
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
Editor IJCATR
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Sirius
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
IT Governance Ltd
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 

Semelhante a Compliance poster (20)

Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
 
GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?GDPR Are you ready for auditing privacy ?
GDPR Are you ready for auditing privacy ?
 
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
 
Ppt IT Infrastructure.ppt
Ppt IT Infrastructure.pptPpt IT Infrastructure.ppt
Ppt IT Infrastructure.ppt
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...Information System Security Policy Studies as a Form of Company Privacy Prote...
Information System Security Policy Studies as a Form of Company Privacy Prote...
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
 
Cybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfCybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdf
 
Data Privacy Assessment Checklist.pdf...
Data Privacy Assessment Checklist.pdf...Data Privacy Assessment Checklist.pdf...
Data Privacy Assessment Checklist.pdf...
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Are You GDPR Ready?
Are You GDPR Ready?Are You GDPR Ready?
Are You GDPR Ready?
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
 
Data Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance StrategiesData Privacy Laws: A Global Overview and Compliance Strategies
Data Privacy Laws: A Global Overview and Compliance Strategies
 
Data Privacy Assessment Checklist
Data Privacy Assessment ChecklistData Privacy Assessment Checklist
Data Privacy Assessment Checklist
 
pr Privacy Principles 230405 small.pdf
pr Privacy Principles 230405 small.pdfpr Privacy Principles 230405 small.pdf
pr Privacy Principles 230405 small.pdf
 
The Future of the Modern Workplace Event 2019 - Data Security and Protection
The Future of the Modern Workplace Event 2019 - Data Security and ProtectionThe Future of the Modern Workplace Event 2019 - Data Security and Protection
The Future of the Modern Workplace Event 2019 - Data Security and Protection
 
Group 10 - PDPA II.pptx
Group 10 - PDPA II.pptxGroup 10 - PDPA II.pptx
Group 10 - PDPA II.pptx
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
Security and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptxSecurity and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptx
 

Mais de Rui Gomes

Healthcare IT Governance
Healthcare IT GovernanceHealthcare IT Governance
Healthcare IT Governance
Rui Gomes
 
Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013
Rui Gomes
 
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGESIDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
Rui Gomes
 
Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013
Rui Gomes
 
Pr ieee f ed rg-iechair
Pr ieee f ed rg-iechairPr ieee f ed rg-iechair
Pr ieee f ed rg-iechair
Rui Gomes
 
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Rui Gomes
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_s
Rui Gomes
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_s
Rui Gomes
 
iscte_palestra_SI
iscte_palestra_SIiscte_palestra_SI
iscte_palestra_SI
Rui Gomes
 
Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2
Rui Gomes
 
Apdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vfApdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vf
Rui Gomes
 
Hff oracle vdi
Hff oracle vdiHff oracle vdi
Hff oracle vdi
Rui Gomes
 
Hff eif energy_saving_final
Hff eif energy_saving_finalHff eif energy_saving_final
Hff eif energy_saving_final
Rui Gomes
 
Dis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo segurancaDis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo seguranca
Rui Gomes
 
Apdsi gestao risco
Apdsi gestao riscoApdsi gestao risco
Apdsi gestao risco
Rui Gomes
 
Saude governance rg
Saude governance rgSaude governance rg
Saude governance rg
Rui Gomes
 

Mais de Rui Gomes (18)

Hff 1e psos_visit
Hff 1e psos_visitHff 1e psos_visit
Hff 1e psos_visit
 
Healthcare IT Governance
Healthcare IT GovernanceHealthcare IT Governance
Healthcare IT Governance
 
Articulate
ArticulateArticulate
Articulate
 
Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013Sacyl symposium 2013_30092013
Sacyl symposium 2013_30092013
 
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGESIDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
IDC TECHDATA PUBLIC ADMINISTRATION CHALLENGES
 
Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013Presentation barroso european council 25 october 2013
Presentation barroso european council 25 october 2013
 
Pr ieee f ed rg-iechair
Pr ieee f ed rg-iechairPr ieee f ed rg-iechair
Pr ieee f ed rg-iechair
 
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
Ieee healthcom convite organizacoes de saude_diretores_v14_09_13
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_s
 
Healthcom 2013 invite_s
Healthcom 2013 invite_sHealthcom 2013 invite_s
Healthcom 2013 invite_s
 
iscte_palestra_SI
iscte_palestra_SIiscte_palestra_SI
iscte_palestra_SI
 
Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2Apdsi gestao equipamentos_moveis_2
Apdsi gestao equipamentos_moveis_2
 
Apdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vfApdsi gestao equipamentos_moveis_vf
Apdsi gestao equipamentos_moveis_vf
 
Hff oracle vdi
Hff oracle vdiHff oracle vdi
Hff oracle vdi
 
Hff eif energy_saving_final
Hff eif energy_saving_finalHff eif energy_saving_final
Hff eif energy_saving_final
 
Dis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo segurancaDis defesa abordagem relacional modelo seguranca
Dis defesa abordagem relacional modelo seguranca
 
Apdsi gestao risco
Apdsi gestao riscoApdsi gestao risco
Apdsi gestao risco
 
Saude governance rg
Saude governance rgSaude governance rg
Saude governance rg
 

Compliance poster

  • 1. IT Controls Reference Standards ISO 17799 (2005) Regulations Laws Assessing security risks Identify, quantify, and prioritise risks against criteria for risk acceptance relevant to the organisation 4.2 Treating security risks Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties Information security policy An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals Internal organisation A management framework should be established to initiate and control the implementation of information security within the organisation 6.2 External parties To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties Responsibility for assets All assets should be accounted for and have a nominated owner 7.2 Information classification Information should be classified to indicate the need, priorities and expected degree of protection Prior to employment To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles 8.2 During employment To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work 8.3 Termination or change of employment To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner Secure areas To prevent unauthorised physical access, damage, and interference to the organisation’s premises and information 9.2 Equipment security To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities Operational procedures and responsibilities To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions 10.2 Third party service delivery management To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements 10.3 System planning and acceptance To minimise the risk of systems failures 10.4 Protection against malicious and mobile code Precautions are required to prevent and detect the introduction of malicious code and unauthorised mobile code 10.5 Back-up Routine procedures for implementing the back-up policy and strategy 10.6 Network security management To ensure the protection of information in networks and the protection of the supporting infrastructure 10.7 Media handling To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities 10.8 Exchange of information To maintain the security of information and software exchanged within an organisation and with any external entity 10.9 Electronic commerce services To ensure the security of electronic commerce services, and their secure use 10.10 Monitoring To detect unauthorised information processing activities including review of operator logs and fault logging Business requirement for access control Establish, document and review access control policies and rules 11.2 User access management Formal procedures to control the allocation of access rights to information systems and services 11.3 User responsibilities User awareness, particularly with the use of passwords and the security of equipment 11.4 Network access control Ensure that appropriate interfaces and authentication mechanisms to networked services are in place 11.5 Operating system access control To ensure authorised access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses 11.6 Application and information access control To prevent unauthorised access to information held in application systems 11.7 Mobile computing and teleworking To ensure information security when using mobile computing and teleworking facilities Security requirements of information systems To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications 12.2 Correct processing in applications To prevent errors, loss, unauthorised modification or misuse of information in applications 12.3 Cryptographic controls To protect the confidentiality, authenticity or integrity of information by cryptographic means 12.4 Security of system files To ensure security of system files 12.5 Security in development and support processes Project and support environments should be strictly controlled 12.6 Technical vulnerability management To reduce risks resulting from exploitation of published technical vulnerabilities Reporting information security events and weaknesses To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken 13.2 Management of information security incidents and improvements To ensure a consistent and effective approach is applied to the management of information security incidents Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 7 – Risk management: Establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm’s activities, processes and systems • Risk assessment • Objective setting • Event identification Plan and organise: PO9 Assess and manage IT risks Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control 4.1.1 Establish a management framework to initiate and manage information security (c) Protection of records throughout the records retention period N/A • Risk management – Organisational management First principle: Personal data shall be processed fairly and lawfully Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Risk response • Event identification Plan and organise: PO1 Define a strategic IT plan PO4 Define the IT processes, organisation and relationships PO6 Communicate management aims and direction PO7 Manage IT human resources 4.1.1 Identify the risks arising from the links with third parties (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security N/A Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured Article 5 – Organisational requirements: Require investment firms to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question • Internal environment • Objective setting • Risk assessment Deliver and support: DS5 Ensure systems security N/A (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Outsourcing policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Information and communication Plan and organise: PO8 Manage quality Deliver and support: DS1 Define and manage service levels DS2 Manage third-party services DS5 Ensure systems security N/A (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Outsourcing policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Risk assessment • Control activities • Information and communication • Monitoring Plan and organise: PO4 Define the IT processes, organisation and relationships 3.3.1 Configuration and asset management process 4.2.1 Ensure there is an overview of the most important information sources and systems; allocate responsibility for all information and systems (c) Protection of records throughout the records retention period N/A • Risk management – Asset management Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities Plan and organise: PO2 Define the information architecture PO4 Assess and manage IT risks Deliver and support: DS5 Ensure systems security 4.2.1 Rules for classification are outside the sphere of ITIL (c) Protection of records throughout the records retention period N/A • Risk management – Asset management Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured Article 51 – Retention of records: Require investment firms to retain all the records required under Directive 2004/39/EC and its implementing measures for a period of at least five years • Risk assessment • Event identification Plan and organise: PO7 Manage IT human resources Deliver and support: DS12 Manage the physical environment 4.2.2 Includes job descriptions; applicant screening; confidentiality agreements (c) Protection of records throughout the records retention period Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Information and communication Plan and organise: PO7 Manage IT human resources Deliver and support: DS7 Educate and train users 4.2.2 Includes training to make employees aware of security threats and of the importance of information security (c) Protection of records throughout the records retention period (i) Users of electronic record/electronic signature systems have appropriate education, training and experience Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Information and communication Plan and organise: PO4 Define the IT processes, organisation and relationships PO7 Manage IT human resources 4.2.2 Includes job descriptions; applicant screening; confidentiality agreements (c) Protection of records throughout the records retention period Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Policy management – Personnel policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS5 Ensure systems security DS11 Manage data DS12 Manage the physical environment ITIL Environmental Strategy Set ITIL Environmental Management Set (c) Protection of records throughout the records retention period Implement strong access control measures: 9. Restrict physical access to cardholder data • Policy management – Physical security policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication • Monitoring Deliver and support: DS12 Manage the physical environment Select locations for installing equipment that involve the least risk from outside (c) Protection of records throughout the records retention period Implement strong access control measures: 9. Restrict physical access to cardholder data • Policy management – Physical security policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication Plan and organise: PO4 Assess and manage IT risks Acquire and implement: A16 Manage changes Deliver and support: DS4 Ensure continuous service DS13 Manage operations 4.2.3 Ensure there are established responsibilities for the management of all IT resources and all parts of the IT infrastructure including segregration of duties and security incident handling (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over systems documentation N/A • Intrusion detection • Incident response plan • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Risk response • Control activities • Monitoring Plan and organise: PO4 Define the IT processes, organisation and relationships PO8 Manage quality PO10 Manage projects Deliver and support: DS1 Define and manage service levels DS2 Manage third-party services N/A (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Outsourcing policy Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities Deliver and support: DS3 Manage performance and capacity DS4 Ensure continuous service 3.3.4 Change management process 3.4.3 Improving performance in terms of throughput capacity and response times; other measures include resource, demand and workload management, application sizing and modelling (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period N/A N/A Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security DS8 Manage service desk and incidents DS9 Manage the configuration DS10 Manage problems 3.3.2 Incident control/help desk 4.2.4 Access control; anti-virus control policy (c) Protection of records throughout the records retention period Maintain a vulnerability management program: 5. Use and regularly update anti-virus software • Cyber intelligence – Patch management • Firewalls • Active content filtering • Intrusion detection • Virus scanners • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Event identification • Information and communication Deliver and support: DS4 Ensure continuous service DS11 Manage data 3.4.2 Availability management 3.4.4 Fallback planning (c) Protection of records throughout the records retention period N/A • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 5 – Organisational requirements: Require investment firms to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question • Event identification • Control activities • Monitoring Deliver and support: DS5 Ensure systems security 4.2.3 Communications and operations management; security measures for networks (c) Protection of records throughout the records retention period Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Maintain a vulnerability management program: 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications • Risk management – Asset management • Cyber intelligence – Patch management • Firewalls • Active content filtering – Web application security • Intrusion detection • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Risk assessment • Control activities • Monitoring Deliver and support: DS11 Manage data 3.4.2 Availability management 3.4.4 Fallback planning 4.2.3 Communications and operations management; handling and security of data carriers Agreements should be included in the SLA (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time Protect cardholder data: 3. Protect stored data Implement strong access control measures: 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data • Physical security policy Fifth principle: Personal data processed shall not be kept for longer than is necessary Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication Deliver and support: DS5 Ensure systems security 4.2.3 Communications and operations management; handling and security of data carriers Agreements should be included in the SLA (c) Protection of records throughout the records retention period Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Active content filtering – Web application security • Firewalls • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured N/A • Risk assessment • Risk response • Control activities • Information and communication • Monitoring Deliver and support: DS5 Ensure systems security 4.2.3 Communications and operations management; handling and security of data carriers Agreements should be included in the SLA 4.2.4 Access control; application access control (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks Maintain a vulnerability management program: 6. Develop and maintain secure systems and applications • Active content filtering Second principle: Personal data shall be obtained only for one or more specified and lawful purposes Fifth principle: Personal data processed shall not be kept for longer than is necessary Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Eighth principle: Personal data shall not be transferred to a country or territory outside the European economic area, unless adequate level of protection for personal data is ensured N/A • Event identification • Control activities Deliver and support: DS5 Ensure systems security Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control 4.2.4 Access control; monitoring and auditing information system access (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Implement strong access control measures: 8. Assign a unique ID to each person with computer access Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Access controls/authentication • Active content filtering – Web application security • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security Largely outside the scope of ITIL (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 12. Maintain a policy that addresses information security • Access controls/authentication • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities Deliver and support: DS5 Ensure systems security 4.2.4 Access control; network, computer and application access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Implement strong access control measures: 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access • Access controls/authentication • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security Outside the scope of ITIL, this is the responsibility of the user organisation (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system (i) Users of electronic record/electronic signature systems have appropriate education, training and experience Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 12. Maintain a policy that addresses information security • Access controls/authentication • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities Deliver and support: DS5 Ensure systems security 4.2.4 Access control; network, computer access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Access controls/authentication • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Deliver and support: DS5 Ensure systems security 4.2.4 Access control; computer access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access Maintain an information security policy: 10. Track and monitor all access to network resources and cardholder data • Access controls/authentication • Active content filtering – Web application security • Intrusion detection • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Deliver and support: DS5 Ensure systems security 4.2.4 Access control; application access control (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Access controls/authentication • Active content filtering – Web application security • Virus scanners Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Deliver and support: DS5 Ensure systems security N/A (c) Protection of records throughout the records retention period (d) Limiting system access to authorised individuals (g) Use of authority checks to ensure that only authorised individuals can use the system Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Implement strong access control measures: 8. Assign a unique ID to each person with computer access • Policy management – Remote system • Access policy • Access controls/authentication • Active content filtering – Web application security Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Acquire and implement: A12 Acquire and maintain application software A13 Acquire and maintain technology infrastructure ITIL book software lifecycle support and the business perspective set ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Acquire and implement: A12 Acquire and maintain application software ITIL book software lifecycle support and the business perspective set ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications • Cyber intelligence – Patch management • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities Deliver and support: DS5 Ensure systems security ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (h) Use of device checks to determine validity of source data input or operational instruction (k) Use of appropriate controls over systems documentation Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Acquire and implement: A16 Manage changes Deliver and support: DS5 Ensure systems security ITIL is not primarily concerned with individual components, such as files, queues, data or messages (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Information and communication • Monitoring Acquire and implement: A16 Manage changes Deliver and support: DS5 Ensure systems security ITIL is not specifically concerned with system development (c) Protection of records throughout the records retention period (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications N/A Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Control activities • Monitoring Plan and organise: PO9 Assess and manage IT risks Deliver and support: DS2 Manage third-party services DS4 Ensure continuous service DS5 Ensure systems security DS9 Manage the configuration Monitor and evaluate: ME1 Monitor and evaluate IT performance ITIL is not specifically concerned with vulnerability management (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation Maintain a vulnerability management system: 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications • Active content filtering – Web application security • Virus scanners • Systems administration Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS5 Ensure systems security DS8 Manage service desk and incidents DS10 Manage problems Monitor and evaluate: ME1 Monitor and evaluate IT performance: ME2 Monitor and evaluate internal control 4.2.2 Includes responding to security incidents as quickly as possible through the right channels (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period Regularly monitor and test networks: 11. Regularly test security systems and processes Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy • Virus scanners • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS5 Ensure systems security DS8 Manage service desk and incidents DS10 Manage problems Monitor and evaluate: ME1 Monitor and evaluate IT performance: ME2 Monitor and evaluate internal control 4.2.2 Includes responding to security incidents as quickly as possible through the right channels 4.2.3 Ensure there are established responsibilities for the management of security incident handling (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period Maintain an information security policy: 12. Maintain a policy that addresses information security • Policy management – Personnel policy • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A N/A Deliver and support: DS4 Ensure continuous service DS10 Manage problems DS11 Manage data 3.4.4 Business continuity planning; an entire ITIL book is dedicated to this topic (c) Protection of records throughout the records retention period N/A • Incident response plan Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 14 – Conditions of outsourcing: The investment firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of back-up facilities • Event identification • Risk response • Control activities • Information and communication • Monitoring Monitor and evaluate: ME3 Ensure regulatory compliance ME4 Provide IT governance 4.3 Audit and evaluate: security reviews of IT systems (c) Protection of records throughout the records retention period N/A N/A Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Event identification • Risk response • Control activities • Information and communication • Monitoring Acquire and implement: AI7 Install and accredit solutions and changes Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control ME4 Provide IT governance 4.3 Audit and evaluate: security reviews of IT systems (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (f) Use of operational system checks to enforce sequencing of steps and events as appropriate Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Risk management – Asset management • Intrusion detection • Vulnerability and penetration testing Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data N/A • Internal environment • Control activities • Monitoring Monitor and evaluate: ME1 Monitor and evaluate IT performance ME2 Monitor and evaluate internal control ME4 Provide IT governance 4.3 Audit and evaluate: security reviews of IT systems (c) Protection of records throughout the records retention period Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data • Intrusion detection • Vulnerability and penetration testing Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data Article 8 – Internal audit: Establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the investment firm’s systems • Monitoring 14: Business continuity management 14.1 Information security aspects of business continuity management To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption SECTION • Risk management – Organisational management • Policy management 13: Information security incident management 13.1 SECTION N/A 12: Information systems acquisition, development and maintenance 12.1 SECTION (c) Protection of records throughout the records retention period 11: Access control 11.1 SECTION 2.2.3 Responsibilities, powers and duties are clearly specified by policy processes, procedures and work instructions 10: Communications and operations management 10.1 SECTION Plan and organise: PO9 Assess and manage IT risks Monitor and evaluate: ME3 Ensure regulatory compliance ME4 Provide IT governance 9: Physical and environmental security 9.1 SECTION Sarbanes – Oxley COSO From 26 June 2006 draft version of: “Implementing Directive 2004/39/EC” 8: Human resources security 8.1 SECTION Bank of International Settlements Operational Risk Check List MiFID 7: Asset management 7.1 SECTION Data Security Standard EU Data Protection Directive 6: Organisation of information security 6.1 SECTION Basel II 5: Security policy 5.1 SECTION Payment Card Industry 4: Risk assessment and treatment 4.1 SECTION ITIL FDA 21 CFR Part 11 SECTION COBIT® 4.0 15: Compliance 15.1 Compliance with legal requirements To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements 15.2 Compliance with security policies and standards, and technical compliance To ensure compliance of systems with organisational security policies and standards 15.3 Information systems audit considerations To maximise the effectiveness of and to minimise interference to/from the information systems audit processes www.symantec.com This information is provided as guidance only and does not constitute legal advice. The information is subject to change and update at any time without prior written notice. See www.symantec.com for current details. Copyright © 2006 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners.