IT Controls Reference

Frameworks cross-referenced for each ISO 17799 control objective (one column of the original table each):
• ISO 17799 2005
• Sarbanes-Oxley: COBIT® 4.0
• Sarbanes-Oxley: COSO
• HIPAA Requirements
• Payment Card Industry Data Security Standard
• GLBA*
• NERC Standards CIP
• PIPEDA — Canada
• Symantec Products, Solutions & Capabilities

SECTION: 4 Risk Assessment and Treatment

4.1 Assessing Security Risks
ISO 17799: Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization
COBIT 4.0:
  Plan and Organize: PO9 Assess and Manage IT Risks
  Monitor and Evaluate: ME3 Ensure Regulatory Compliance; ME4 Provide IT Governance
COSO: Risk Assessment; Objective Setting; Event Identification
HIPAA: Security Standard: a) 1. Risk Analysis (R)
PCI DSS: N/A
GLBA: III.B. Assess Risk
NERC CIP: 002 – Critical Cyber Asset Identification
PIPEDA: 4.7.2 – Safeguards will vary depending on sensitivity of the information collected
Symantec:
  Symantec™ Security Information Manager: Ability to associate risk scores to assets and discriminate threat response activities based on risk rating
  Symantec Enterprise Security Manager™: Ability to associate risk scores to assets and prioritize vulnerability and configuration remediation based on risk rating
  Symantec™ Control Compliance Suite: Ability to group, trend and remediate asset vulnerabilities and configurations based on risk categorizations

4.2 Treating Security Risks
ISO 17799: Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties
COBIT 4.0:
  Plan and Organize: PO9 Assess and Manage IT Risks
  Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control
COSO: Risk Response; Event Identification
HIPAA: Security Standard: a) 1. Risk Management (R)
PCI DSS: N/A
GLBA: III.C. Manage and Control Risk
NERC CIP: 002 – Critical Cyber Asset Identification; 007 – Systems Security Management; 008 – Incident Report and Response Planning
PIPEDA: 4.7.2 – Safeguards will vary depending on sensitivity of the information collected
Symantec:
  Symantec™ Security Information Manager: Discriminate threat response activities based on risk rating

SECTION: 5 Security Policy

5.1 Information Security Policy
ISO 17799: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals
COBIT 4.0:
  Plan and Organize: PO1 Define a Strategic IT Plan; PO4 Define the IT Processes, Organization and Relationships; PO6 Communicate Management Aims and Direction; PO7 Manage IT Human Resources
COSO: Internal Environment; Objective Setting; Risk Assessment
HIPAA: Security Standard: a) 1. Sanction Policy (R); a) 2. Assigned Security Responsibility (R)
PCI DSS: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve the Board of Directors
NERC CIP: 003 – Security Management Controls
PIPEDA: 4.1.4 (a) implement procedures to protect personal information; (d) develop information to explain the organization’s policies and procedures
Symantec:
  Symantec BindView™ Policy Manager: Ability to author, review, publish and gather approval on corporate policies

SECTION: 6 Organization of Information Security

6.1 Internal Organization
ISO 17799: A management framework should be established to initiate and control the implementation of information security within the organization
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Internal Environment; Control Activities; Information and Communication
HIPAA: Security Standard: a) 1. Information System Activity Review (R); a) 2. Assigned Security Responsibility (R)
PCI DSS: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve the Board of Directors; III.C. Manage and Control Risk; III.F. Report to the Board
NERC CIP: 003 – Security Management Controls
PIPEDA: N/A
Symantec:
  Symantec BindView™ Policy Manager: Ability to ensure complete IT policy coverage and evidence of compliance across multiple management frameworks

6.2 External Parties
ISO 17799: To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
COBIT 4.0:
  Plan and Organize: PO8 Manage Quality
  Deliver and Support: DS1 Define and Manage Service Levels; DS2 Manage Third-Party Services; DS5 Ensure Systems Security
COSO: Internal Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
HIPAA: Security Standard: b) 1. Written Contract or Other Arrangement (R)
PCI DSS: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: III.C. Manage and Control Risk; III.D. Oversee Service Provider Arrangements
NERC CIP: N/A
PIPEDA: N/A
Symantec:
  Symantec Sygate™ Enterprise Protection: Ability to prevent introduction of non-compliant, unsecure devices onto the corporate network, reducing the likelihood of information being compromised

SECTION: 7 Asset Management

7.1 Responsibility for Assets
ISO 17799: All assets should be accounted for and have a nominated owner
COBIT 4.0:
  Plan and Organize: PO4 Define the IT Processes, Organization and Relationships
COSO: Control Activities
HIPAA: Physical Standard: d) 2. Device and Media Controls – Accountability (A)
PCI DSS: N/A
GLBA: N/A
NERC CIP: 002 – Critical Cyber Asset Identification
PIPEDA: 4.1 – An organization responsible for personal information under its control shall designate an individual or individuals who are accountable for the organization’s compliance
Symantec:
  Symantec™ Security Information Manager: Ability to classify assets and report accordingly

7.2 Information Classification
ISO 17799: Information should be classified to indicate the need, priorities and expected degree of protection
COBIT 4.0:
  Plan and Organize: PO2 Define the Information Architecture; PO9 Assess and Manage IT Risks
  Deliver and Support: DS5 Ensure Systems Security
COSO: Risk Assessment; Event Identification
HIPAA: Security Standard: a) 1. Risk Analysis (R); a) 1. Risk Management (R)
PCI DSS: N/A
GLBA: N/A
NERC CIP: 002 – Critical Cyber Asset Identification
PIPEDA: 4.7.2 – Safeguards will vary depending on sensitivity of the information collected
Symantec:
  Symantec™ Security Information Manager: Ability to classify assets and report accordingly

SECTION: 8 Human Resources Security

8.1 Prior to Employment
ISO 17799: To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles
COBIT 4.0:
  Plan and Organize: PO7 Manage IT Human Resources
  Deliver and Support: DS12 Manage the Physical Environment
COSO: Internal Environment; Control Activities; Information and Communication
HIPAA: Security Standard: a) 1. Sanction Policy (R); a) 3. Authorization and/or Supervision (A); a) 3. Workforce Clearance Procedure (A); a) 5. Security Reminders (A)
PCI DSS:
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
  Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: III.C. Manage and Control Risk
NERC CIP: 004 – Personnel and Training
PIPEDA: 4.7.4 – Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information
Symantec: N/A

8.2 During Employment
ISO 17799: To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work
COBIT 4.0:
  Plan and Organize: PO7 Manage IT Human Resources
  Deliver and Support: DS7 Educate and Train Users
COSO: Internal Environment; Control Activities; Information and Communication
HIPAA: Security Standard: a) 5. Security Reminders (A)
PCI DSS: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: III.C. Manage and Control Risk
NERC CIP: 004 – Personnel and Training
PIPEDA: N/A
Symantec:
  Symantec BindView™ Policy Manager: Ability to disseminate policy to employees, contractors and third parties and ensure sign-off

8.3 Termination or Change of Employment
ISO 17799: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner
COBIT 4.0:
  Plan and Organize: PO4 Define the IT Processes, Organization and Relationships; PO7 Manage IT Human Resources
COSO: N/A
HIPAA: Security Standard: a) 3. Termination Procedures (A)
PCI DSS: Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
GLBA: N/A
NERC CIP: 004 – Personnel and Training
PIPEDA: N/A
Symantec:
  Symantec BindView™ Policy Manager: Ability to establish termination policies and track compliance to the requirements

SECTION: 9 Physical and Environmental Security

9.1 Secure Areas
ISO 17799: To prevent unauthorized physical access, damage, and interference to the organization’s premises and information
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security; DS11 Manage Data; DS12 Manage the Physical Environment
COSO: Control Activities; Information and Communication; Monitoring
HIPAA:
  Security Standard: a) 3. Authorization and/or Supervision (A); a) 3. Workforce Clearance Procedure (A)
  Physical Standard: a) 1. Facility Access Control; a) 2. Facility Security Plan; a) 2. Access Control and Validation Procedures (A)
PCI DSS: Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data
GLBA: III.C. Manage and Control Risk
NERC CIP: 006 – Physical Security of Critical Cyber Assets
PIPEDA: 4.7.3 – Methods of protection should include: (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis
Symantec: N/A

9.2 Equipment Security
ISO 17799: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities
COBIT 4.0:
  Deliver and Support: DS12 Manage the Physical Environment
COSO: Control Activities; Information and Communication
HIPAA: Physical Standard: a) 1. Facility Access Control; b) Workstation Use (R); c) Workstation Security; d) 1. Device and Media Controls – Disposal (R); d) 2. Media Re-use (R); d) 2. Device and Media Controls – Accountability (A)
PCI DSS: Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data
GLBA: III.C. Manage and Control Risk
NERC CIP: 006 – Physical Security of Critical Cyber Assets
PIPEDA: 4.7.3 – Methods of protection should include: (a) physical measures, for example, locked filing cabinets and restricted access to offices
Symantec: N/A

SECTION: 10 Communications and Operations Management

10.1 Operational Procedures and Responsibilities
ISO 17799: To ensure the correct and secure operation of information processing facilities, including segregation of duties and change management functions
COBIT 4.0:
  Plan and Organize: PO4 Define the IT Processes, Organization and Relationships
  Acquire and Implement: AI6 Manage Changes
  Deliver and Support: DS4 Ensure Continuous Service; DS13 Manage Operations
COSO: Internal Environment; Risk Response; Control Activities; Monitoring
HIPAA:
  Security Standard: a) 1. Information System Activity Review (R); a) 1. Sanction Policy (R); a) 2. Assigned Security Responsibility (R); b) 1. Written Contract or Other Arrangement (R); a) 6. Response and Reporting (R)
  Physical Standard: a) 2. Contingency Operations (R)
PCI DSS: N/A
GLBA: III.C. Manage and Control Risk
NERC CIP: 003 – Security Management Controls
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec™ Control Compliance Suite, Symantec Enterprise Security Manager™: Ability to conduct periodic reviews of permission grants on file system and group level permissions

10.2 Third Party Service Delivery Management
ISO 17799: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements
COBIT 4.0:
  Plan and Organize: PO4 Define the IT Processes, Organization and Relationships; PO8 Manage Quality; PO10 Manage Projects
  Deliver and Support: DS1 Define and Manage Service Levels; DS2 Manage Third-Party Services
COSO: Internal Environment; Control Activities
HIPAA: Security Standard: b) 1. Written Contract or Other Arrangement
PCI DSS: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: III.D. Oversee Service Provider Arrangements
NERC CIP: N/A
PIPEDA: 4.1.3 – The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party
Symantec:
  Symantec BindView™ Policy Manager: Define and manage information security programs

10.3 System Planning and Acceptance
ISO 17799: To minimize the risk of systems failures
COBIT 4.0:
  Deliver and Support: DS3 Manage Performance and Capacity; DS4 Ensure Continuous Service
COSO: Control Activities; Monitoring
HIPAA: N/A
PCI DSS: N/A
GLBA: III.C. Manage and Control Risk
NERC CIP: 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec™ Control Compliance Suite, Symantec™ Security Information Manager: Ensure that systems are secure and best practices are in place

10.4 Protection Against Malicious and Mobile Code
ISO 17799: Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security; DS8 Manage Service Desk and Incidents; DS9 Manage the Configuration; DS10 Manage Problems
COSO: Control Activities; Event Identification; Information and Communication
HIPAA: Security Standard: a) 4. Access Establishment and Modification (A); a) 5. Protection from Malicious Software
PCI DSS: Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software
GLBA: III.C. Manage and Control Risk
NERC CIP: 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec AntiVirus™: Antivirus and antispyware functionality

10.5 Back-up
ISO 17799: Routine procedures for implementing the back-up policy and strategy
COBIT 4.0:
  Deliver and Support: DS4 Ensure Continuous Service; DS11 Manage Data
COSO: Event Identification; Control Activities; Monitoring
HIPAA:
  Security Standard: a) 7. Data Backup Plan (R); a) 7. Disaster Recovery Plan (R); a) 7. Emergency Mode Operation Plan (R); a) 7. Testing and Revision Procedure (A)
  Physical Standard: a) 2. Contingency Operations (R); a) 2. Data Backup and Storage (A)
PCI DSS: N/A
GLBA: III.C. Manage and Control Risk
NERC CIP: 009 – Recovery Plans for Critical Cyber Assets
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Veritas NetBackup™ Server, Symantec Backup Exec™: Ability to conduct backup and recovery on all enterprise devices

10.6 Network Security Management
ISO 17799: To ensure the protection of information in networks and the protection of the supporting infrastructure
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Risk Assessment; Control Activities; Monitoring
HIPAA: Technical Standard: a) 2. Encryption and Decryption (A); (e) 1. Transmission Security; (e) 2. Integrity Controls (A)
PCI DSS:
  Build and Maintain a Secure Network: 1. Install and maintain a firewall; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software; 6. Develop and maintain secure systems and applications
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec Sygate™ Enterprise Protection: Ability to prevent introduction of non-compliant, unsecure devices onto the corporate network, reducing the likelihood of information being compromised
  Symantec™ Network Security 7100 Series: Intrusion Prevention

10.7 Media Handling
ISO 17799: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities
COBIT 4.0:
  Deliver and Support: DS11 Manage Data
COSO: Control Activities; Information and Communication
HIPAA: Physical Standard: d) 1. Device and Media Controls – Disposal (R); d) 2. Media Re-use (R); d) 2. Device and Media Controls – Accountability (A)
PCI DSS:
  Protect Cardholder Data: 3. Protect stored data
  Implement Strong Access Control Measures: 7. Restrict access to data by business need-to-know; 8. Assign a unique ID to each person with computer access; 9. Restrict physical access to cardholder data
GLBA: III.C. Manage and Control Risk
NERC CIP: 003 – Security Management Controls; 006 – Physical Security
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification; 4.7.5 – Care shall be used in the disposal or destruction of personal information
Symantec: N/A

10.8 Exchange of Information
ISO 17799: To maintain the security of information and software exchanged within an organization and with any external entity
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Risk Assessment; Risk Response; Control Activities; Information and Communication; Monitoring
HIPAA:
  Security Standard: b) 1. Written Contract or Other Arrangement (R)
  Technical Standard: a) 2. Encryption and Decryption (A); (d) Person or Entity Authentication (R); (e) 1. Transmission Security; (e) 2. Integrity Controls (A)
PCI DSS:
  Build and Maintain a Secure Network: 1. Install and maintain a firewall
  Protect Cardholder Data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec: N/A

10.9 Electronic Commerce Services
ISO 17799: To ensure the security of electronic commerce services, and their secure use.
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Event Identification; Control Activities
HIPAA: N/A
PCI DSS:
  Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Protect Cardholder Data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks
  Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications
GLBA: III.C. Manage and Control Risk
NERC CIP: N/A
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec: N/A

10.10 Monitoring
ISO 17799: To detect unauthorized information processing activities, including review of operator logs and fault logging
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
  Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control
COSO: Control Activities; Monitoring
HIPAA: Security Standard: a) 5. Log-In Monitoring (A); a) 1. Information System Activity Review (R); b) 8. Audit Controls (R)
PCI DSS:
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
  Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 006 – Physical Security; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec™ Security Information Manager: Ability to consolidate logs and conduct periodic reviews of access

SECTION: 11 Access Control

11.1 Business Requirement for Access Control
ISO 17799: Establish, document and review access control policies and rules
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Internal Environment; Control Activities
HIPAA: Security Standard: a) 4. Access Authorization (A)
PCI DSS:
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
  Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: III.C. Manage and Control Risk
NERC CIP: 003 – Security Management Controls; 005 – Electronic Security Perimeters
PIPEDA: 4.1.4 (a) implement procedures to protect personal information; 4.7.3 – Methods of protection should include: (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; (c) technological measures, for example, the use of passwords and encryption
Symantec:
  Symantec BindView™ Policy Manager: Ability to author, review, publish, and ensure sign-off on access control policies
  Symantec™ Control Compliance Suite, Symantec Enterprise Security Manager™: Ability to conduct periodic reviews of permission grants on file system and group level permissions

11.2 User Access Management
ISO 17799: Formal procedures to control the allocation of access rights to information systems and services
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Control Activities; Monitoring
HIPAA:
  Security Standard: a) 4. Access Authorization (A); a) 4. Access Establishment and Modification (A); a) 5. Password Management (A)
  Technical Standard: a) 2. Unique User Identification (R)
PCI DSS: Implement Strong Access Control Measures: 7. Restrict access to data by business need-to-know; 8. Assign a unique ID to each person with computer access
GLBA: III.C. Manage and Control Risk
NERC CIP: 003 – Security Management Controls; 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.1.4 (a) implement procedures to protect personal information; 4.7.3 – Methods of protection should include: (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; (c) technological measures, for example, the use of passwords and encryption
Symantec:
  Symantec™ Control Compliance Suite, Symantec Enterprise Security Manager™: Ability to conduct periodic reviews of permission grants on file system and group level permissions

11.3 User Responsibilities
ISO 17799: User awareness, particularly with the use of passwords and the security of equipment
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Internal Environment; Control Activities
HIPAA:
  Security Standard: a) 5. Password Management (A)
  Physical Standard: b) Workstation Use (R); c) Workstation Security
PCI DSS:
  Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
  Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
GLBA: III.C. Manage and Control Risk
NERC CIP: 003 – Security Management Controls; 004 – Personnel and Training
PIPEDA: 4.7.3 – Methods of protection should include: (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; (c) technological measures, for example, the use of passwords and encryption; 4.7.4 – Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information
Symantec:
  Symantec BindView™ Policy Manager: Ability to author, review, publish, and ensure awareness of policies

11.4 Network Access Control
ISO 17799: Ensure that appropriate interfaces and authentication mechanisms to networked services are in place
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Internal Environment; Control Activities; Monitoring
HIPAA:
  Security Standard: a) 5. Password Management (A)
  Technical Standard: c) 2. Mechanism to Authenticate Electronic Protected Health Information (A); d) Person or Entity Authentication (R)
PCI DSS:
  Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification; 4.7.3 – Methods of protection should include: (c) technological measures, for example, the use of passwords and encryption
Symantec:
  Symantec™ Network Access Control: Ensure that only secure devices are admitted to the network

11.5 Operating System Access Control
ISO 17799: To prevent unauthorized access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Internal Environment; Control Activities; Monitoring
HIPAA:
  Security Standard: a) 4. Access Establishment and Modification (A); a) 5. Password Management (A)
  Technical Standard: a) 2. Unique User Identification (R); a) 2. Automatic Logoff (A); d) Person or Entity Authentication (R)
PCI DSS:
  Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
  Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification; 4.7.3 – Methods of protection should include: (c) technological measures, for example, the use of passwords and encryption
Symantec:
  Symantec™ Control Compliance Suite, Symantec Enterprise Security Manager™: Ability to scan across platforms for compliance to technical standards and detect deviations from known good standards

11.6 Application and Information Access Control
ISO 17799: To prevent unauthorized access to information held in application systems.
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Control Activities; Monitoring
HIPAA:
  Security Standard: a) 4. Access Establishment and Modification (A); a) 5. Password Management (A)
  Technical Standard: a) 2. Unique User Identification (R); d) Person or Entity Authentication (R)
PCI DSS:
  Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords
  Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification; 4.7.3 – Methods of protection should include: (c) technological measures, for example, the use of passwords and encryption
Symantec: N/A

11.7 Mobile Computing and Teleworking
ISO 17799: To ensure information security when using mobile computing and teleworking facilities
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Internal Environment; Control Activities; Monitoring
HIPAA: Security Standard: a) 4. Access Establishment and Modification (A)
PCI DSS:
  Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification; 4.7.3 – Methods of protection should include: (c) technological measures, for example, the use of passwords and encryption
Symantec:
  Symantec AntiVirus™: Ability to prevent malware on remote devices

SECTION: 12 Information Systems Acquisition, Development and Maintenance

12.1 Security Requirements of Information Systems
ISO 17799: To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications
COBIT 4.0:
  Acquire and Implement: AI2 Acquire and Maintain Application Software; AI3 Acquire and Maintain Technology Infrastructure
COSO: Control Activities; Monitoring
HIPAA: N/A
PCI DSS: Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications
GLBA: N/A
NERC CIP: N/A
PIPEDA: N/A
Symantec: N/A

12.2 Correct Processing in Applications
ISO 17799: To prevent errors, loss, unauthorized modification or misuse of information in applications
COBIT 4.0:
  Acquire and Implement: AI2 Acquire and Maintain Application Software
COSO: Control Activities
HIPAA: Technical Standard: e) 2. Transmission Security – Integrity Controls (A)
PCI DSS: Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications
GLBA: III.C. Manage and Control Risk
NERC CIP: N/A
PIPEDA: 4.6 – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used; 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec: N/A

12.3 Cryptographic Controls
ISO 17799: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
COBIT 4.0:
  Deliver and Support: DS5 Ensure Systems Security
COSO: Control Activities; Monitoring
HIPAA: Technical Standard: a) 2. Encryption and Decryption (A); e) 2. Transmission Security – Encryption (A)
PCI DSS: Protect Cardholder Data: 4. Encrypt transmission of cardholder data and sensitive information across public networks
GLBA: III.C. Manage and Control Risk
NERC CIP: N/A
PIPEDA: 4.7.3 – Methods of protection should include: (c) technological measures, for example, the use of passwords and encryption
Symantec: N/A

12.4 Security of System Files
ISO 17799: To ensure security of system files
COBIT 4.0:
  Acquire and Implement: AI6 Manage Changes
  Deliver and Support: DS5 Ensure Systems Security
COSO: Control Activities; Information and Communication; Monitoring
HIPAA: N/A
PCI DSS: Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec™ Control Compliance Suite, Symantec Enterprise Security Manager™: Ability to ensure that best practice technical standards are implemented to protect system file information

12.5 Security in Development and Support Processes
ISO 17799: Project and support environments should be strictly controlled
COBIT 4.0:
  Acquire and Implement: AI6 Manage Changes
  Deliver and Support: DS5 Ensure Systems Security
COSO: Control Activities; Monitoring
HIPAA: N/A
PCI DSS: Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications
GLBA: N/A
NERC CIP: N/A
PIPEDA: N/A
Symantec: N/A

12.6 Technical Vulnerability Management
ISO 17799: To reduce risks resulting from exploitation of published technical vulnerabilities
COBIT 4.0:
  Plan and Organize: PO9 Assess and Manage IT Risks
  Deliver and Support: DS2 Manage Third-Party Services; DS4 Ensure Continuous Service; DS5 Ensure Systems Security; DS9 Manage the Configuration
  Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance
COSO: N/A
HIPAA: Security Standard: a) 6. Response and Reporting (R)
PCI DSS: Maintain a Vulnerability Management Program: 5. Use and regularly update antivirus software; 6. Develop and maintain secure systems and applications
GLBA: III.C. Manage and Control Risk
NERC CIP: 005 – Electronic Security Perimeters; 007 – Systems Security Management
PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
Symantec:
  Symantec™ Control Compliance Suite, Symantec Enterprise Security Manager™: Ability to scan for updated lists of vulnerabilities and offer remediation

SECTION: 13 Information Security Incident Management

13.1 Reporting Information Security Events and Weaknesses
     Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
     SOX / COBIT 4.0: Deliver and Support: DS5 Ensure Systems Security, DS8 Manage Service Desk and Incidents, DS10 Manage Problems; Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control
     SOX / COSO: N/A
     HIPAA: Security Standard: a) 6. Response and Reporting (R)
     PCI DSS: Regularly Monitor and Test Networks: 11. Regularly test security systems and processes; Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
     GLBA: III.C. Manage and Control Risk
     NERC CIP: 008 – Incident Reporting and Response Planning
     PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
     Symantec: Symantec™ Security Information Manager – Ability to gather, alert, and trend on security events and weaknesses in real time

13.2 Management of Information Security Incidents and Improvements
     Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
     SOX / COBIT 4.0: Deliver and Support: DS5 Ensure Systems Security, DS8 Manage Service Desk and Incidents, DS10 Manage Problems; Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control
     SOX / COSO: N/A
     HIPAA: N/A
     PCI DSS: Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
     GLBA: III.C. Manage and Control Risk
     NERC CIP: 008 – Incident Reporting and Response Planning
     PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
     Symantec: Symantec™ Security Information Manager – Ability to manage security events through incident workflow and integration with change management systems

SECTION: 14 Business Continuity Management

14.1 Information Security Aspects of Business Continuity Management
     Objective: To counteract interruptions to business activities, to protect critical business processes from the effects of major failures or disasters, and to ensure their timely resumption.
     SOX / COBIT 4.0: Deliver and Support: DS4 Ensure Continuous Service, DS10 Manage Problems, DS11 Manage Data
     SOX / COSO: Event Identification; Risk Response; Control Activities; Information and Communication; Monitoring
     HIPAA: Security Standard: a) 7. Disaster Recovery Plan (R); a) 7. Testing and Revision Procedures (A); a) 7. Applications and Data Criticality Analysis (A)
     PCI DSS: N/A
     GLBA: III.C. Manage and Control Risk
     NERC CIP: 009 – Recovery Plans for Critical Cyber Assets
     PIPEDA: 4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
     Symantec: Veritas™ product line – Ensure rapid data recovery from major failures

SECTION: 15 Compliance

15.1 Compliance with Legal Requirements
     Objective: To avoid breaches of any law, statutory, regulatory or contractual obligation, and of any security requirement.
     SOX / COBIT 4.0: Monitor and Evaluate: ME3 Ensure Regulatory Compliance, ME4 Provide IT Governance
     SOX / COSO: Internal Environment; Event Identification; Risk Assessment; Control Activities; Information and Communication; Monitoring
     HIPAA: Security Standard: a) 1. Sanction Policy (R); a) 6. Response and Reporting (R); b) 1. Written Contract or Other Arrangement (R)
     PCI DSS: N/A
     GLBA: III.C. Manage and Control Risk; III.F. Report to the Board
     NERC CIP: Each Standard CIP includes compliance measures
     PIPEDA: 4.10.2 – Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
     Symantec: Veritas Enterprise Vault™ – Ensure appropriate retention of email and other messaging data to satisfy legal requirements

15.2 Compliance with Security Policies and Standards, and Technical Compliance
     Objective: To ensure compliance of systems with organizational security policies and standards.
     SOX / COBIT 4.0: Acquire and Implement: AI7 Install and Accredit Solutions and Changes; Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control, ME4 Provide IT Governance
     SOX / COSO: Internal Environment; Control Activities; Monitoring
     HIPAA: Security Standard: a) 8. Technical evaluation that measures compliance with security requirements (R)
     PCI DSS: Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
     GLBA: III.C. Manage and Control Risk; III.E. Adjust the Program; III.F. Report to the Board
     NERC CIP: Each Standard CIP includes compliance measures
     PIPEDA: N/A
     Symantec: Symantec BindView™ Policy Manager – Ensure policy coverage and evidence of compliance with key regulations and frameworks

15.3 Information Systems Audit Considerations
     Objective: To maximize the effectiveness of, and to minimize interference to/from, the information systems audit process.
     SOX / COBIT 4.0: Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control, ME4 Provide IT Governance
     SOX / COSO: Monitoring
     HIPAA: Security Standard: b) 8. Audit Controls (R)
     PCI DSS: Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data
     GLBA: III.C. Manage and Control Risk; III.F. Report to the Board
     NERC CIP: Each Standard CIP includes compliance measures
     PIPEDA: N/A
     Symantec: Symantec BindView™ Policy Manager – Ability to automate information systems audits by gathering data from across infrastructure management systems into a single repository on a scheduled basis, reducing manual effort

* 12 CFR Part 364, Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness; Final Rule

© 2006 Symantec Corporation. All rights reserved. 10713777

www.symantec.com/compliance
