Compliance poster
IT Controls Reference
Standards: ISO 17799 (2005)
Regulations
Laws
4.1 Assessing security risks – Identify, quantify, and prioritise risks against criteria for risk acceptance relevant to the organisation
4.2 Treating security risks – Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties
5.1 Information security policy – An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals
6.1 Internal organisation – A management framework should be established to initiate and control the implementation of information security within the organisation
6.2 External parties – To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
7.1 Responsibility for assets – All assets should be accounted for and have a nominated owner
7.2 Information classification – Information should be classified to indicate the need, priorities and expected degree of protection
8.1 Prior to employment – To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles
8.2 During employment – To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work
8.3 Termination or change of employment – To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner
9.1 Secure areas – To prevent unauthorised physical access, damage, and interference to the organisation’s premises and information
9.2 Equipment security – To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities
10.1 Operational procedures and responsibilities – To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions
10.2 Third party service delivery management – To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements
10.3 System planning and acceptance – To minimise the risk of systems failures
10.4 Protection against malicious and mobile code – Precautions are required to prevent and detect the introduction of malicious code and unauthorised mobile code
10.5 Back-up – Routine procedures for implementing the back-up policy and strategy
10.6 Network security management – To ensure the protection of information in networks and the protection of the supporting infrastructure
10.7 Media handling – To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities
10.8 Exchange of information – To maintain the security of information and software exchanged within an organisation and with any external entity
10.9 Electronic commerce services – To ensure the security of electronic commerce services, and their secure use
10.10 Monitoring – To detect unauthorised information processing activities including review of operator logs and fault logging
11.1 Business requirement for access control – Establish, document and review access control policies and rules
11.2 User access management – Formal procedures to control the allocation of access rights to information systems and services
11.3 User responsibilities – User awareness, particularly with the use of passwords and the security of equipment
11.4 Network access control – Ensure that appropriate interfaces and authentication mechanisms to networked services are in place
11.5 Operating system access control – To ensure authorised access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses
11.6 Application and information access control – To prevent unauthorised access to information held in application systems
11.7 Mobile computing and teleworking – To ensure information security when using mobile computing and teleworking facilities
12.1 Security requirements of information systems – To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications
12.2 Correct processing in applications – To prevent errors, loss, unauthorised modification or misuse of information in applications
12.3 Cryptographic controls – To protect the confidentiality, authenticity or integrity of information by cryptographic means
12.4 Security of system files – To ensure security of system files
12.5 Security in development and support processes – Project and support environments should be strictly controlled
12.6 Technical vulnerability management – To reduce risks resulting from exploitation of published technical vulnerabilities
13.1 Reporting information security events and weaknesses – To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken
13.2 Management of information security incidents and improvements – To ensure a consistent and effective approach is applied to the management of information security incidents
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Article 7 – Risk management:
Establish, implement and maintain adequate
risk management policies and procedures which
identify the risks relating to the firm’s activities,
processes and systems
• Risk assessment
• Objective setting
• Event identification
Plan and organise:
PO9 Assess and manage IT risks
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
4.1.1 Establish a management framework to initiate
and manage information security
(c) Protection of records throughout the records
retention period
N/A
• Risk management
– Organisational management
First principle:
Personal data shall be processed fairly and lawfully
Second principle:
Personal data shall be obtained only for one or more
specified and lawful purposes
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Risk response
• Event identification
Plan and organise:
PO1 Define a strategic IT plan
PO4 Define the IT processes, organisation
and relationships
PO6 Communicate management aims and direction
PO7 Manage IT human resources
4.1.1 Identify the risks arising from the links with
third parties
(c) Protection of records throughout the records
retention period
Maintain an information security policy:
12. Maintain a policy that addresses
information security
N/A
Second principle:
Personal data shall be obtained only for one or more
specified and lawful purposes
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Eighth principle:
Personal data shall not be transferred to a country
or territory outside the European Economic Area,
unless adequate level of protection for personal
data is ensured
Article 5 – Organisational requirements:
Require investment firms to establish, implement
and maintain systems and procedures that are
adequate to safeguard the security, integrity and
confidentiality of information, taking into account
the nature of the information in question
• Internal environment
• Objective setting
• Risk assessment
Deliver and support:
DS5 Ensure systems security
N/A
(c) Protection of records throughout the records
retention period
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Outsourcing policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Information and communication
Plan and organise:
PO8 Manage quality
Deliver and support:
DS1 Define and manage service levels
DS2 Manage third-party services
DS5 Ensure systems security
N/A
(c) Protection of records throughout the records
retention period
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Outsourcing policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Plan and organise:
PO4 Define the IT processes, organisation
and relationships
3.3.1 Configuration and asset management process
4.2.1 Ensure there is an overview of the most
important information sources and systems;
allocate responsibility for all information
and systems
(c) Protection of records throughout the records
retention period
N/A
• Risk management
– Asset management
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
Plan and organise:
PO2 Define the information architecture
PO4 Assess and manage IT risks
Deliver and support:
DS5 Ensure systems security
4.2.1 Rules for classification are outside the sphere
of ITIL
(c) Protection of records throughout the records
retention period
N/A
• Risk management
– Asset management
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Eighth principle:
Personal data shall not be transferred to a country
or territory outside the European Economic Area,
unless adequate level of protection for personal
data is ensured
Article 51 – Retention of records:
Require investment firms to retain all the records
required under Directive 2004/39/EC and its
implementing measures for a period of at least
five years
• Risk assessment
• Event identification
Plan and organise:
PO7 Manage IT human resources
Deliver and support:
DS12 Manage the physical environment
4.2.2 Includes job descriptions; applicant screening;
confidentiality agreements
(c) Protection of records throughout the records
retention period
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Personnel policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Information and communication
Plan and organise:
PO7 Manage IT human resources
Deliver and support:
DS7 Educate and train users
4.2.2 Includes training to make employees aware
of security threats and of the importance of
information security
(c) Protection of records throughout the records
retention period
(i) Users of electronic record/electronic signature
systems have appropriate education, training
and experience
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Personnel policy
Second principle:
Personal data shall be obtained only for one or more
specified and lawful purposes
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Information and communication
Plan and organise:
PO4 Define the IT processes, organisation
and relationships
PO7 Manage IT human resources
4.2.2 Includes job descriptions; applicant screening;
confidentiality agreements
(c) Protection of records throughout the records
retention period
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
• Policy management
– Personnel policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
N/A
Deliver and support:
DS5 Ensure systems security
DS11 Manage data
DS12 Manage the physical environment
ITIL Environmental Strategy Set
ITIL Environmental Management Set
(c) Protection of records throughout the records
retention period
Implement strong access control measures:
9. Restrict physical access to cardholder data
• Policy management
– Physical security policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Information and communication
• Monitoring
Deliver and support:
DS12 Manage the physical environment
Select locations for installing equipment that
involve the least risk from outside
(c) Protection of records throughout the records
retention period
Implement strong access control measures:
9. Restrict physical access to cardholder data
• Policy management
– Physical security policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Information and communication
Plan and organise:
PO4 Assess and manage IT risks
Acquire and implement:
AI6 Manage changes
Deliver and support:
DS4 Ensure continuous service
DS13 Manage operations
4.2.3 Ensure there are established responsibilities
for the management of all IT resources
and all parts of the IT infrastructure
including segregation of duties and
security incident handling
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
(f) Use of operational system checks to enforce
sequencing of steps and events as appropriate
(k) Use of appropriate controls over systems
documentation
N/A
• Intrusion detection
• Incident response plan
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Risk response
• Control activities
• Monitoring
Plan and organise:
PO4 Define the IT processes, organisation
and relationships
PO8 Manage quality
PO10 Manage projects
Deliver and support:
DS1 Define and manage service levels
DS2 Manage third-party services
N/A
(c) Protection of records throughout the records
retention period
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Outsourcing policy
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
Deliver and support:
DS3 Manage performance and capacity
DS4 Ensure continuous service
3.3.4 Change management process
3.4.3 Improving performance in terms of throughput
capacity and response times; other measures
include resource, demand and workload
management, application sizing and modelling
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
N/A
N/A
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
3.3.2 Incident control/help desk
4.2.4 Access control; anti-virus control policy
(c) Protection of records throughout the records
retention period
Maintain a vulnerability management program:
5. Use and regularly update anti-virus software
• Cyber intelligence
– Patch management
• Firewalls
• Active content filtering
• Intrusion detection
• Virus scanners
• Incident response plan
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Event identification
• Information and communication
Deliver and support:
DS4 Ensure continuous service
DS11 Manage data
3.4.2 Availability management
3.4.4 Fallback planning
(c) Protection of records throughout the records
retention period
N/A
• Incident response plan
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Article 5 – Organisational requirements:
Require investment firms to establish, implement
and maintain systems and procedures that are
adequate to safeguard the security, integrity and
confidentiality of information, taking into account
the nature of the information in question
• Event identification
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
4.2.3 Communications and operations management;
security measures for networks
(c) Protection of records throughout the records
retention period
Build and maintain a secure network:
1. Install and maintain a firewall configuration to
protect data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Maintain a vulnerability management program:
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems
and applications
• Risk management
– Asset management
• Cyber intelligence
– Patch management
• Firewalls
• Active content filtering
– Web application security
• Intrusion detection
• Virus scanners
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Risk assessment
• Control activities
• Monitoring
Deliver and support:
DS11 Manage data
3.4.2 Availability management
3.4.4 Fallback planning
4.2.3 Communications and operations management;
handling and security of data carriers
Agreements should be included in the SLA
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
Protect cardholder data:
3. Protect stored data
Implement strong access control measures:
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with
computer access
9. Restrict physical access to cardholder data
• Physical security policy
Fifth principle:
Personal data processed shall not be kept for longer
than is necessary
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Information and communication
Deliver and support:
DS5 Ensure systems security
4.2.3 Communications and operations management;
handling and security of data carriers
Agreements should be included in the SLA
(c) Protection of records throughout the records
retention period
Build and maintain a secure network:
1. Install and maintain a firewall configuration to
protect data
Protect cardholder data:
4. Encrypt transmissions of cardholder data and
sensitive information across public networks
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
• Active content filtering
– Web application security
• Firewalls
• Virus scanners
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Eighth principle:
Personal data shall not be transferred to a country
or territory outside the European Economic Area,
unless adequate level of protection for personal
data is ensured
N/A
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Deliver and support:
DS5 Ensure systems security
4.2.3 Communications and operations management;
handling and security of data carriers
Agreements should be included in the SLA
4.2.4 Access control; application access control
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
Build and maintain a secure network:
1. Install and maintain a firewall configuration to
protect data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Protect cardholder data:
4. Encrypt transmissions of cardholder data and
sensitive information across public networks
Maintain a vulnerability management program:
6. Develop and maintain secure systems
and applications
• Active content filtering
Second principle:
Personal data shall be obtained only for one or more
specified and lawful purposes
Fifth principle:
Personal data processed shall not be kept for longer
than is necessary
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Eighth principle:
Personal data shall not be transferred to a country
or territory outside the European Economic Area,
unless adequate level of protection for personal
data is ensured
N/A
• Event identification
• Control activities
Deliver and support:
DS5 Ensure systems security
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
4.2.4 Access control; monitoring and auditing
information system access
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
Regularly monitor and test networks:
10. Track and monitor all access to network
resources and cardholder data
11. Regularly test security systems and processes
• Access controls/authentication
• Active content filtering
– Web application security
• Virus scanners
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
Largely outside the scope of ITIL
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Access controls/authentication
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
Deliver and support:
DS5 Ensure systems security
4.2.4 Access control; network, computer and
application access control
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Implement strong access control measures:
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with
computer access
• Access controls/authentication
• Active content filtering
– Web application security
• Virus scanners
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
Outside the scope of ITIL, this is the
responsibility of the user organisation
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
(i) Users of electronic record/electronic signature
systems have appropriate education, training
and experience
Build and maintain a secure network:
2. Do not use vendor-supplied defaults for
system passwords and other security parameters
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Access controls/authentication
• Virus scanners
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
Deliver and support:
DS5 Ensure systems security
4.2.4 Access control; network, computer
access control
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Build and maintain a secure network:
2. Do not use vendor-supplied defaults for
system passwords and other security parameters
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
• Access controls/authentication
• Active content filtering
– Web application security
• Virus scanners
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
4.2.4 Access control; computer access control
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Build and maintain a secure network:
2. Do not use vendor-supplied defaults for
system passwords and other security parameters
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
Maintain an information security policy:
10. Track and monitor all access to network
resources and cardholder data
• Access controls/authentication
• Active content filtering
– Web application security
• Intrusion detection
• Virus scanners
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
4.2.4 Access control; application access control
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Build and maintain a secure network:
2. Do not use vendor-supplied defaults for
system passwords and other security parameters
Maintain a vulnerability management system:
6. Develop and maintain secure systems
and applications
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
• Access controls/authentication
• Active content filtering
– Web application security
• Virus scanners
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Deliver and support:
DS5 Ensure systems security
N/A
(c) Protection of records throughout the records
retention period
(d) Limiting system access to authorised individuals
(g) Use of authority checks to ensure that only
authorised individuals can use the system
Build and maintain a secure network:
1. Install and maintain a firewall configuration to
protect data
2. Do not use vendor-supplied defaults for
system passwords and other security parameters
Implement strong access control measures:
8. Assign a unique ID to each person with
computer access
• Policy management
– Remote system
• Access policy
• Access controls/authentication
• Active content filtering
– Web application security
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Monitoring
Acquire and implement:
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
ITIL book software lifecycle support and the
business perspective set
ITIL is not specifically concerned with
system development
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
(k) Use of appropriate controls over systems
documentation
Maintain a vulnerability management system:
6. Develop and maintain secure systems
and applications
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Acquire and implement:
AI2 Acquire and maintain application software
ITIL book software lifecycle support and the
business perspective set
ITIL is not specifically concerned with
system development
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
(f) Use of operational system checks to enforce
sequencing of steps and events as appropriate
(k) Use of appropriate controls over systems
documentation
Maintain a vulnerability management system:
6. Develop and maintain secure systems
and applications
• Cyber intelligence
– Patch management
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
Deliver and support:
DS5 Ensure systems security
ITIL is not specifically concerned with
system development
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
(h) Use of device checks to determine validity of
source data input or operational instruction
(k) Use of appropriate controls over systems
documentation
Protect cardholder data:
4. Encrypt transmissions of cardholder data and
sensitive information across public networks
• Active content filtering
– Web application security
• Virus scanners
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Acquire and implement:
AI6 Manage changes
Deliver and support:
DS5 Ensure systems security
ITIL is not primarily concerned with individual
components, such as files, queues, data
or messages
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
(k) Use of appropriate controls over systems
documentation
Build and maintain a secure network:
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Information and communication
• Monitoring
Acquire and implement:
AI6 Manage changes
Deliver and support:
DS5 Ensure systems security
ITIL is not specifically concerned with
system development
(c) Protection of records throughout the records
retention period
(k) Use of appropriate controls over systems
documentation
Maintain a vulnerability management system:
6. Develop and maintain secure systems
and applications
N/A
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Control activities
• Monitoring
Plan and organise:
PO9 Assess and manage IT risks
Deliver and support:
DS2 Manage third-party services
DS4 Ensure continuous service
DS5 Ensure systems security
DS9 Manage the configuration
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ITIL is not specifically concerned with
vulnerability management
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
(e) Use of secure, computer-generated audit trails,
which are retained for a certain period of time
(k) Use of appropriate controls over systems
documentation
Maintain a vulnerability management system:
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems
and applications
• Active content filtering
– Web application security
• Virus scanners
• Systems administration
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
N/A
Deliver and support:
DS5 Ensure systems security
DS8 Manage service desk and incidents
DS10 Manage problems
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
4.2.2 Includes responding to security incidents as
quickly as possible through the right channels
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
Regularly monitor and test networks:
11. Regularly test security systems and processes
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Personnel policy
• Virus scanners
• Incident response plan
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
N/A
Deliver and support:
DS5 Ensure systems security
DS8 Manage service desk and incidents
DS10 Manage problems
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
4.2.2 Includes responding to security incidents as
quickly as possible through the right channels
4.2.3 Ensure there are established responsibilities
for the management of security incident
handling
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
Maintain an information security policy:
12. Maintain a policy that addresses
information security
• Policy management
– Personnel policy
• Incident response plan
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
N/A
Deliver and support:
DS4 Ensure continuous service
DS10 Manage problems
DS11 Manage data
3.4.4 Business continuity planning; an entire ITIL
book is dedicated to this topic
(c) Protection of records throughout the records
retention period
N/A
• Incident response plan
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Article 14 – Conditions of outsourcing:
The investment firm and the service provider must
establish, implement and maintain a contingency
plan for disaster recovery and periodic testing of
back-up facilities
• Event identification
• Risk response
• Control activities
• Information and communication
• Monitoring
Monitor and evaluate:
ME3 Ensure regulatory compliance
ME4 Provide IT governance
4.3 Audit and evaluate: security reviews of
IT systems
(c) Protection of records throughout the records
retention period
N/A
N/A
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Event identification
• Risk response
• Control activities
• Information and communication
• Monitoring
Acquire and implement:
AI7 Install and accredit solutions and changes
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME4 Provide IT governance
4.3 Audit and evaluate: security reviews of
IT systems
(a) Validation of systems and the ability to discern
invalid or altered records
(c) Protection of records throughout the records
retention period
(f) Use of operational system checks to enforce
sequencing of steps and events as appropriate
Regularly monitor and test networks:
10. Track and monitor all access to network
resources and cardholder data
11. Regularly test security systems and processes
• Risk management
– Asset management
• Intrusion detection
• Vulnerability and penetration testing
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
N/A
• Internal environment
• Control activities
• Monitoring
Monitor and evaluate:
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME4 Provide IT governance
4.3 Audit and evaluate: security reviews of
IT systems
(c) Protection of records throughout the records
retention period
Regularly monitor and test networks:
10. Track and monitor all access to network
resources and cardholder data
• Intrusion detection
• Vulnerability and penetration testing
Seventh principle:
Technical and organisational measures against
unauthorised or unlawful processing of personal data
Article 8 – Internal audit:
Establish, implement and maintain an audit
plan to examine and evaluate the adequacy and
effectiveness of the investment firm’s systems
• Monitoring
SECTION 14: Business continuity management
14.1
Information security aspects of business continuity management
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption
• Risk management
– Organisational management
• Policy management
SECTION 13: Information security incident management
13.1
N/A
SECTION 12: Information systems acquisition, development and maintenance
12.1
(c) Protection of records throughout the records
retention period
SECTION 11: Access control
11.1
2.2.3 Responsibilities, powers and duties are clearly
specified by policy processes, procedures and
work instructions
SECTION 10: Communications and operations management
10.1
Plan and organise:
PO9 Assess and manage IT risks
Monitor and evaluate:
ME3 Ensure regulatory compliance
ME4 Provide IT governance
SECTION 9: Physical and environmental security
9.1
Sarbanes-Oxley
COSO
MiFID (from 26 June 2006 draft version of: “Implementing Directive 2004/39/EC”)
SECTION 8: Human resources security
8.1
Bank of International Settlements Operational Risk Check List
SECTION 7: Asset management
7.1
Payment Card Industry Data Security Standard
EU Data Protection Directive
SECTION 6: Organisation of information security
6.1
Basel II
SECTION 5: Security policy
5.1
SECTION 4: Risk assessment and treatment
4.1
ITIL
FDA 21 CFR Part 11
COBIT® 4.0
15: Compliance
15.1
Compliance with legal requirements
To avoid breaches of any law, statutory, regulatory
or contractual obligations, and of any security
requirements
15.2
Compliance with security policies and standards,
and technical compliance
To ensure compliance of systems with
organisational security policies and standards
15.3
Information systems audit considerations
To maximise the effectiveness of and to minimise
interference to/from the information systems
audit processes
www.symantec.com
This information is provided as guidance only and does not constitute legal advice. The information is subject to
change and update at any time without prior written notice. See www.symantec.com for current details.
Copyright © 2006 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners.