CONSENSUS ASSESSMENTS INITIATIVE - El.Co. S.r.l.
1y ago
25 Views
1 Downloads
266.73 KB
9 Pages
Report/dmca
Download PDF

Transcription

CONSENSUSASSESSMENTSINITIATIVEControl DomainControl QuestionControl SpecificationIDIDConsensus Assessment QuestionsConsensus Assessment AnswersNotesCCMv3.0.1Compliance MappingAICPA AICPATSC 2009 Trust Service Criteria (SOC 2SM Report)YesApplication & Interface AIS-01SecurityApplication plication & Interface AIS-02SecurityCustomer AccessRequirementsAIS-02.1Application & Interface AIS-03SecurityData IntegrityAIS-03.1AIS- 02.2Applications andprogramminginterfaces (APIs) shallbe designed,developed, deployed,and tested inaccordance withleading industrystandards (e.g.,OWASP for webapplications) andadhere to applicablelegal, statutory, orregulatory complianceobligations.Do you use industry standards (BuildSecurity in Maturity Model [BSIMM]benchmarks, Open Group ACS TrustedTechnology Provider Framework, NIST, etc.)Do you use an automated source codeanalysis tool to detect security defects incode prior to production?Do you use manual source-code analysis todetect security defects in code prior toproduction?Do you verify that all of your softwaresuppliers adhere to industry standards forSystems/Software Development Lifecycle(SDLC) security?(SaaS only) Do you review your applicationsfor security vulnerabilities and address anyissues prior to deployment to production?Prior to grantingcustomers access todata, assets, andinformation systems,identified security,contractual, andregulatoryData input and outputintegrity routines (i.e.,reconciliation and editchecks) shall beimplemented forapplication interfacesand databases toprevent manual orsystematic processingerrors, corruption ofdata, or misuse.Are all identified security, contractual, andregulatory requirements for customeraccess contractually addressed andAre all requirements and trust levels forcustomers’ access defined anddocumented?NoBITS SharedAICPAAssessmentsTSC 2014AUP v5.0BITS SharedAssessmentsSIG v6.0BSIGermanyCanada PIPEDACCM V1.XCIS-AWSFoundations v1.1COBIT 4.1COBIT 5.0COPPACSA Enterprise Architecture (formerly the TrustedCloud Initiative)Domain Container CapabilityNot ApplicableS3.10.0XXCC7.1(S3.10.0) Design, acquisition, implementation,configuration, modification, and management ofinfrastructure and software are consistent withdefined system security policies to enableauthorized access and to prevent unauthorizedaccess.I.4G.16.3, I.3COBIT 4.1 AI2.4Schedule 1 (Section SA-045), 4.7 - Safeguards,Subsec. .05MEA03.01MEA03.02312.8 and 312.10Schedule 1 (Section SA-015) 4.1Accountability,Subs. .10.0) Design, acquisition, implementation,configuration, modification, and management ofinfrastructure and software are consistent withdefined processing integrity and related securitypolicies.XXPublicCSAGuidanceV3.0ENISA IAFFedRAMP SecurityFedRAMP Security Controls95/46/EC - European UnionControls(Final Release, Jan 2012)Data Protection Directive (Final Release, Jan 2012)--MODERATE IMPACT LEVEL---LOW IMPACT LEVEL--S3.2a(S3.2.a) a. Logical access security measures torestrict access to information resources notdeemed to be public.CC5.1C.2.1, C.2.3,C.2.4, C.2.6.1,H.110 (B)11 (A )XAre data input and output integrity routines(i.e., reconciliation and edit checks)implemented for application interfaces anddatabases to prevent manual or systematicprocessing errors or corruption of data?S3.4(I3.2.0) The procedures related to completeness, PI1.2accuracy, timeliness, and authorization of inputs PI1.3PI1.5are consistent with the documented systemprocessing integrity policies.I.4G.16.3, I.3Schedule 1 (Section SA-055), 4.7 - Safeguards,Subsec. 4.7.3ApplicationServices DevelopmentProcess Software QualityAssurancesharedx312.3, 312.8 and312.10BOSS LegalServices ContractssharedxDomain 10DSS06.02DSS06.04312.8 and 312.10ApplicationsharedServices ProgrammingInterfaces InputValidationxDomain MEA03.01MEA03.02312.8 and 312.10BOSS DataGovernance Rules forInformationLeakagePreventionsharedxDomain 10Domain 106.03.01. (c)Article: 27 (3)B.1G.8.2.0.2,6 (B)G.8.2.0.3,26 (A )G.12.1, G.12.4,G.12.9, G.12.10,G.16.2, G.19.2.1,G.19.3.2, G.9.4,G.17.2, G.17.3,G.17.4, G.20.1Schedule 1 (Section SA-035), 4.7 - Safeguards,Subsec. 4.7.3Article 17 (1), (2)NIST SP 800-53 R3 SC-5NIST SP 800-53 R3 SC-6NIST SP 800-53 R3 SC-7NIST SP 800-53 R3 SC-12NIST SP 800-53 R3 SC-13NIST SP 800-53 R3 SC-14NIST SP 800-53 R3 SA-8NIST SP 800-53 R3 SC-2NIST SP 800-53 R3 SC-4NIST SP 800-53 R3 SC-5NIST SP 800-53 R3 SC-6NIST SP 800-53 R3 SC-7NIST SP 800-53 R3 SC-7 (1)NIST SP 800-53 R3 SC-7 (2)NIST SP 800-53 R3 SC-7 (3)NIST SP 800-53 R3 SC-7 (4)NIST SP 800-53 R3 SC-7 (5)NIST SP 800-53 R3 SC-7 (7)NIST SP 800-53 R3 SC-7 (8)NIST SP 800-53 R3 SC-7 (12)NIST SP 800-53 R3 SC-7 (13)NIST SP 800-53 R3 SC-7 (18)NIST SP 800-53 R3 SC-8NIST SP 800-53 R3 SC-8 (1)NIST SP 800-53 R3 CA-1NIST SP 800-53 R3 CA-1NIST SP 800-53 R3 CA-2NIST SP 800-53 R3 CA-2NIST SP 800-53 R3 CA-2 (1) NIST SP 800-53 R3 CA-2 (1)NIST SP 800-53 R3 CA-5NIST SP 800-53 R3 CA-5NIST SP 800-53 R3 CA-6NIST SP 800-53 R3 CA-61.2.6NIST SP 800-53 R3 SI-2NIST SP 800-53 R3 SI-3NIST SP 800-53 R3 SI-2NIST SP 800-53 R3 SI-2 (2)NIST SP 800-53 R3 SI-3NIST SP 800-53 R3 SI-3 (1)NIST SP 800-53 R3 SI-3 (2)NIST SP 800-53 R3 SI-3 (3)NIST SP 800-53 R3 SI-4NIST SP 800-53 R3 SI-4 (2)NIST SP 800-53 R3 SI-4 (4)NIST SP 800-53 R3 SI-4 (5)NIST SP 800-53 R3 SI-4 (6)NIST SP 800-53 R3 SI-6NIST SP 800-53 R3 SI-7NIST SP 800-53 R3 SI-7 (1)NIST SP 800-53 R3 SI-9NIST SP 800-53 R3 SI-10NIST SP 800-53 R3 SI-111.2.6NIST SP 800-53 R3 AC-1NIST SP 800-53 R3 SC-1NIST SP 800-53 R3 SC-13NIST SP 800-53 R3 AC-1NIST SP 800-53 R3 AC-4NIST SP 800-53 R3 SC-1NIST SP 800-53 R3 .2.48.2.18.2.28.2.38.2.59.2.1(I3.3.0) The procedures related to completeness,accuracy, timeliness, and authorization of systemprocessing, including error correction anddatabase management, are consistent withdocumented system processing integrity policies.(I3.4.0) The procedures related to completeness,accuracy, timeliness, and authorization of outputsare consistent with the documented systemprocessing integrity policies.X(I3.5.0) There are procedures to enable tracing ofinformation inputs from their source to their finaldisposition and vice versa.Application & Interface AIS-04SecurityData Security / IntegrityAudit Assurance &ComplianceAudit PlanningAudit Assurance &ComplianceIndependent AuditsAIS-04.1AAC-01 AAC-01.1AAC-02 C-02.7AAC-02.8Audit Assurance &ComplianceInformation SystemRegulatory MappingAAC-03 AAC-03.1AAC-03.2AAC-03.3AAC-03.4Business ContinuityBCR-01 BCR-01.1Management &Operational ResilienceBCR-01.2Business ContinuityPlanningBusiness ContinuityBCR-02 BCR-02.1Management &Operational ResilienceBusiness ContinuityTestingBusiness ContinuityBCR-03 BCR-03.1Management &Operational ResilienceBCR-03.2Power /TelecommunicationsBusiness ContinuityManagement &Operational ResilienceDocumentationBCR-04 BCR-04.1Policies andprocedures shall beestablished andmaintained in supportof data security toinclude(confidentiality,integrity, andavailability) acrossmultiple systeminterfaces,jurisdictions, andbusiness functions toprevent improperdisclosure,alternation, ordestruction.Is your Data Security Architecture designedusing an industry standard (e.g., CDSA,MULITSAFE, CSA Trusted CloudArchitectural Standard, FedRAMP,CAESARS)?Audit plans shall bedeveloped andmaintained to addressbusiness processdisruptions. Auditingplans shall focus onreviewing theeffectiveness of theimplementation ofsecurity operations.Independent reviewsand assessments shallbe performed at leastannually to ensurethat the organizationaddressesnonconformities ofestablished policies,standards,procedures, andcomplianceobligations.Do you produce audit assertions using astructured, industry accepted format (e.g.,CloudAudit/A6 URI Ontology, CloudTrust,SCAP/CYBEX, GRC XML, ISACA's CloudComputing Management Audit/AssuranceProgram, etc.)?Data center utilitiesservices andenvironmentalconditions (e.g.,water, power,temperature andhumidity controls,telecommunications,Information systemdocumentation (e.g.,administrator anduser guides, andarchitecturediagrams) shall bemade available toauthorized personnelto ensure thefollowing: Configuring,installing, andoperating theinformation system Effectively using thesystem’s securityfeaturesCC5.61.1;1.2;1.3;1.4;1.5;1. COBIT 4.1 13;3.146.02. (b)6.04.03. (a)Article 17 (1), (2),(3), (4)XDo you allow tenants to view your SOC2/ISO27001 or similar third-party audit orDo you conduct network penetration testsof your cloud service infrastructureregularly as prescribed by industry bestDo you conduct application penetrationtests of your cloud infrastructure regularlyas prescribed by industry best practices andDo you conduct internal audits regularly asprescribed by industry best practices andDo you conduct external audits regularly asprescribed by industry best practices andAre the results of the penetration testsavailable to tenants at their request?Are the results of internal and externalaudits available to tenants at their request?Do you have an internal audit program thatallows for cross-functional audit ofassessments?Organizations shallDo you have the ability to logically segmentcreate and maintain a or encrypt customer data such that datacontrol frameworkmay be produced for a single tenant only,which captureswithout inadvertently accessing anotherstandards, regulatory, Do you have the capability to recover datalegal, and statutoryfor a specific customer in the case of arequirements relevant failure or data loss?for their businessneeds. The controlDo you have the capability to restrict theframework shall bestorage of customer data to specificreviewed at leastcountries or geographic locations?annually to ensurechanges that couldDo you have a program in place thataffect the businessincludes the ability to monitor changes toprocesses arethe regulatory requirements in relevantreflected.jurisdictions, adjust your security programfor changes to legal requirements, andensure compliance with relevant regulatoryA consistent unified Do you provide tenants with geographicallyframework forresilient hosting options?business continuityDo you provide tenants with infrastructureplanning and plandevelopment shall be service failover capability to otherproviders?established,documented, andBusiness continuityand security incidentresponse plans shallbe subject to testingat planned intervals orupon significantorganizational orenvironmentalchanges. Incidentresponse plans shallinvolve impactedcustomers (tenant)(S3.4) Procedures exist to protect againstunauthorized access to system resources.XXS4.1.0(S4.1.0) The entity’s system security is periodically CC4.1reviewed and compared with the defined systemsecurity policies.S4.2.0(S4.2.0) There is a process to identify and addresspotential impairments to the entity’s ongoingability to achieve its objectives in accordance withits defined system security policies.S4.1.0(S4.1.0) The entity’s system security is periodically CC4.1reviewed and compared with the defined systemsecurity policies.XS4.2.0X(S4.2.0) There is a process to identify and addresspotential impairments to the entity’s ongoingability to achieve its objectives in accordance withits defined system security policies.45 013ITARJericho A.14.2.7A12.6.1,A18.2.2Commandment #1Commandment #2Commandment #4Commandment #5Commandment #11A.6.2.1A.6.2.2A.11.1.1A9.1.1.Commandment #6Commandment #7Commandment 1.1A18.1.4Commandment #1Commandment #9Commandment 9.4.1,A10.1.1A18.1.4All06.iClause 4.2.3 e)Clause 4.2.3bClause 5.1 gClause ,5.1(f),9.1,9.2,9.3(f),A18.2.1Commandment #1Commandment #2Commandment A.12.5.4A.12.5.5A.12.6.1A.15.2.105.j45 CFR 164.312 10.b;10.e(c)(1) (New)45 CFR 164.312(c)(2)(New)45 CFR164.312(e)(2)(i)(New)CO-01COBIT 4.1 ME 2.1, APO12.04ME 2.2 PO 9.5 PO APO12.059.6APO12.06MEA02.01MEA02.02Title 16 Part 312BOSS Compliance Audit PlanningsharedxDomain 2, 4 6.01. (d)NIST SP 800-53 R3 CA-2NIST SP 800-53 R3 CA-2NIST SP 800-53 R3 CA-2 (1) NIST SP 800-53 R3 CA-2 (1)NIST SP 800-53 R3 CA-7NIST SP 800-53 R3 CA-7NIST SP 800-53 R3 CA-7 (2)NIST SP 800-53 R3 PL-610.2.545 CFR164.312(b)L.2, L.4, L.7, L.9, 58 (B)L.1159 (B)61 (C , A )76 (B)77 (B)CO-02COBIT 4.1 DS5.5, APO12.04ME2.5, ME 3.1 PO 1Title 16 Part 312BOSS Compliance IndependentAuditssharedxDomain 2, 4 6.03. (e)6.07.01. (m)6.07.01. (n)NIST SP 800-53 R3 CA-1NIST SP 800-53 R3 CA-2NIST SP 800-53 R3 CA-2 (1)NIST SP 800-53 R3 CA-6NIST SP 800-53 R3 RA-51.2.51.2.74.2.18.2.710.2.310.2.545 CFR 164.308(a)(8)45 CFR164.308(a)(1)(ii)(D)NIST SP 800-53 R3 CA-1NIST SP 800-53 R3 CA-2NIST SP 800-53 R3 CA-2 (1)NIST SP 800-53 R3 CA-6NIST SP 800-53 R3 RA-5NIST SP 800-53 R3 RA-5 (1)NIST SP 800-53 R3 RA-5 (2)NIST SP 800-53 R3 RA-5 (3)NIST SP 800-53 R3 RA-5 (6)NIST SP 800-53 R3 RA-5 (9)10.b;10.c;10.e A.11.5.61.2.21.2.66.2.16.2.2L.1, L.2, L.7, L.9, 58 (B)L.11XMexico - Federal Law onProtection of Personal DataHeld by Private PartiesNERC CIPNIST SP800-53 R3NIST SP800-53 R4Appendix JNZISMODCA UM: PA R2.0NZISM v2.505.h;06.i;06.jClause 4.2.3eClause 5.1 gClause 5.2.1 d)Clause 6A.6.1.8Commandment #1Commandment #2Commandment #3CIP-007-3 - -6Chapter 8Article C.01.14.5.8.C.01.9,2AP-1 The organizationdetermines anddocuments the legalauthority that permits thecollection, use,maintenance, and sharingof personally identifiableAR-7 The organization14.5designs information14.6systems to supportprivacy by automatingprivacy 13.C.02.AC-1AC-4SC-1SC-16AR-7 The organizationdesigns informationsystems to supportprivacy by automatingprivacy controls.CA-2CA-7PL-6AR-4 Privacy Auditing and 5.1, 5.3, 5.4Monitoring. To promoteaccountability,organizations identify andaddress gaps in privacycompliance,management,operational, and technicalcontrols by conductingregular assessments (e.g.,AR-4. Privacy Auditing and 6,1Monitoring. Theseassessments can be selfassessments or third partyaudits that result inreports on compliancegaps identified inprograms, projects, andinformation 1.8.C.01.CIP-003-3 - SI-10R4.2SI-11SI-2SI-3SI-4SI-6SI-7SI-9Chapter VI, Section 1Article 39, I. and VIII.AR-7 The organizationdesigns informationsystems to supportprivacy by automatingprivacy controls.CIP-003-3 - CA-1R1.3 - R4.3 CA-2CIP-004-3 CA-6R4 - R4.2 RA-5CIP-005-3a R1 - R1.1 R1.216.516.817.4PA17PA31PCI DSS v2.0PCI DSSv3.0PCI DSS v3.2Shared Assessments2017 AUPPA levelSGPBSGPPCI DSS v2.0 6.56, 6.56; 6.5I.134.1.1, 4.2,4.34.1.1; 4.2; 4.3L.3P.4P.5A.8PA25GPPCI DSS v2.0 6.3.1PCI DSS v2.0 6.3.26.3.16.3.26.3.1;6.3.2N.4PA20PA25PA29GPPSGPPCI DSS v2.0 2.3PCI DSS v2.0 3.4.1,PCI DSS v2.0 4.1PCI DSS v2.0 4.1.1PCI DSS v2.0 6.1PCI DSS v2.0 6.3.2aPCI DSS v2.0 6.5cPCI DSS v2.0 8.3PCI DSS v2.0 10.5.5PCI DSS v2.0 11.52.33.4.14.14.1.16.16.3.2a6.5c, 7.1,7.2, 7.3,8.1, 8.2,8.3, 8.4,8.5, 8.6,8.7, 8.810.5.5, 10.811.5, 11.62.33.4.14.14.1.16.16.3.26.5b; 7.1; 7.2; 7.3; 8.1;8.2; 8.3; 8.3.1;8.3.2; 8.4;8.5; 8.6; 8.7; 8.810.5.5; 10.911.5; 11.6B.1PA15SGPPCI DSS v2.0 2.1.2.bPA18GPPCI DSS v2.0 11.2PCI DSS v2.0 11.3PCI DSS v2.0 6.6PCI DSS v2.012.1.2.b11.211.36.3.2, 8.411.211.36.3.2; 6.611.2.1; 11.2.2; 11.2.3;11.3.1; 11.3.2; 11.3.3;11.3.4; 12.8.4L.2PCI DSS v2.0 3.1.1PCI DSS v2.0 3.13,13.1L.3A.1A.2XXXXCC3.12.8;3.7XCOBIT 4.1 ME S sharedCompliance InformationSystem RegulatoryMappingxDomain 2, 406.aISO/IEC27001:2005Clause 4.2.1 b) 2)Clause 4.2.1 c) 1)Clause 4.2.1 g)Clause 4.2.3 d) 6)Clause 4.3.3Clause 5.2.1 a - fClause 7.3 c) e A3.3.0XAre business continuity plans subject totesting at planned intervals or uponsignificant organizational or environmentalchanges to ensure continuingeffectiveness?(A3.1.0) Procedures exist to (1) identify potential CC3.1threats of disruptions to systems operation thatA1.2would impair system availability commitmentsand (2) assess the risks associated with theA1.3identified threats.A3.4.0A3.3(A3.3.0) Procedures exist to provide for backup,A1.2(A3.3) Procedures exist to provide for backup,offsite storage, restoration, and disaster recoveryconsistent with the entity’s defined systemavailability and related security policies.A3.2.0(A3.2.0) Measures to prevent or mitigate threats A1.1have been implemented consistent with the risk A1.2assessment when commercially practicable.XDo you provide tenants withdocumentation showing the transport routeCan tenants define how their data istransported and through which legaljurisdictions?GAPPHIPAA/HITECHHITRUST CSF v8.1(Aug 2009) (Omnibus Rule)PA 11.0) Procedures exist to provide thatCC1.4personnel responsible for the design,development, implementation, and operation ofCC2.1systems affecting security have the qualificationsand resources to fulfill their responsibilities.(A.2.1.0) The entity has prepared an objectivedescription of the system and its boundaries andcommunicated such description to 4.05BOSS Operational RiskManagement BusinessContinuityproviderxDomain 7, 8 6.07. (a)6.07. (b)6.07. (c)Article 17 (1), (2)K.1.3, K.1.4.3,52 (B)K.1.4.6, K.1.4.7, 55 (A )K.1.4.8, S Operational RiskManagement BusinessContinuityproviderxDomain 7, 8 6.07.01. (b)6.07.01. (j)6.07.01. (l)F.1.6, F.1.6.1,9 (B)F.1.6.2, F.1.9.2, 10 (B)F.2.10, F.2.11,F.2.12Schedule 1 (Section RS-085), 4.7 - Safeguards,Subsec. 4.7.3DSS01.03DSS01.04DSS01.05DSS04.03312.8 and 312.10providerInfra Services Facility Security EnvironmentalRisk ManagementxDomain 7, 8 6.08. (a)6.09. (c)6.09. (f)6.09. (g)Article 17 (1), (2)G.1.1Schedule 1 (Section OP-025), 4.7 - Safeguards,Subsec. 4.7.3COBIT 4.1 DS 9, DS BAI0813.1BAI10DSS01.01312.8 and 312.10SRM Policies and sharedStandards JobAid GuidelinesxDomain 7, 8Article 1756 (B)57 (B)NIST SP800-53 R3 CP-1NIST SP800-53 R3 CP-2NIST SP800-53 R3 CP-3NIST SP800-53 R3 CP-4NIST SP800-53 R3 CP-9NIST SP800-53 R3 CP-10NIST SP800-53 R3 CP-2NIST SP800-53 R3 CP-3NIST SP800-53 R3 CP-4(A3.4.0) Procedures exist to protect againstunauthorized access to system resource.XAre information system documents (e.g.,administrator and user guides, architecturediagrams, etc.) made available toauthorized personnel to ensureconfiguration, installation and operation ofthe information system?F.1K.1.2.3. K.1.2.4,K.1.2.5, K.1.2.6,K.1.2.7, K.1.2.11,K.1.2.13,K.1.2.15NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-13NIST SP800-53 R3 PE-13(1)NIST SP800-53 R3 PE-13(2)NIST SP800-53 R3 PE-13(3)NIST SP 800-53 R3 CP-9NIST SP 800-53 R3 CP-10NIST SP 800-53 R3 SA-5NIST SP800-53 R3 CP-1NIST SP800-53 R3 CP-2NIST SP800-53 R3 CP-2 (1)NIST SP800-53 R3 CP-2 (2)NIST SP800-53 R3 CP-3NIST SP800-53 R3 CP-4NIST SP800-53 R3 CP-4 (1)NIST SP800-53 R3 CP-2NIST SP800-53 R3 CP-2 (1)NIST SP800-53 R3 CP-2 (2)NIST SP800-53 R3 CP-3NIST SP800-53 R3 CP-4NIST SP800-53 R3 CP-4 (1)45 CFR 164.308(a)(7)(i)45 CFR 164.308(a)(7)(ii)(B)45 CFR 164.308(a)(7)(ii)(C)45 CFR 164.30845 CFR 164.308(a)(7)(ii)(D)NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-4NIST SP800-53 R3 PE-13NIST SP800-53 R3 PE-13 (1)NIST SP800-53 R3 PE-13 (2)NIST SP800-53 R3 PE-13 (3)NIST SP 800-53 R3 CP-9NIST SP 800-53 R3 CP-9 (1)NIST SP 800-53 R3 CP-9 (3)NIST SP 800-53 R3 CP-10NIST SP 800-53 R3 CP-10 (2)NIST SP 800-53 R3 CP-10 (3)NIST SP 800-53 R3 SA-5NIST SP 800-53 R3 SA-5 (1)NIST SP 800-53 R3 SA-5 (3)NIST SP 800-53 R3 SA-10NIST SP 800-53 R3 SA-11NIST SP 800-53 R3 SA-11 use 5.1(h)A.17.1.2A.17.1.21.22.23.35.2Commandment #1Commandment #2Commandment #3A.14.1.5A17.3.1Commandment #1Commandment #2Commandment #3A.9.2.2A.9.2.3A11.2.2,A11.2.3Commandment #1Commandment #2Commandment #3Commandment #4Commandment #9Commandment #11Clause 4.3.3A.10.7.4Clause 9.2(g)Commandment #1Commandment #2Commandment #4Commandment #5Commandment #11CP-1CP-2CP-3CP-4CP-6CP-7CP-8CP-2CP-3CP-4UL-2 INFORMATIONSHARING WITH THIRDPARTIES - a. Sharespersonally identifiableinformation (PII)externally, only for theauthorized C.01.PCI DSS v2.0 12.9.1 12.9.1PCI DSS v2.0 12.9.3 12.9.3PCI DSS v2.0 12.9.4 12.9.4PCI DSS v2.0 12.9.6 12.9.64.45.2(time limit)6.3(whenever 05-3a - CP-9R1.3CP-10CIP-007-3 - 1.9.C.04.18.1.10.C.01.PCI DSS v2.0 12.9.2 12.9.2,12.10.24.1, 4.1.1,9.1, 9.2PCI DSS v2.0 12.1PCI DSS v2.0 12.2PCI DSS v2.0 12.3PCI DSS v2.0 12.4K.112.10.2K.64.1; 4.1.1; 9.1; 9.2F.11.1.2, 1.1.3, 1.1.2; 1.1.3; 2.2; 12.32.2, 12.312.612.6I.16U.1

Business ContinuityBCR-05 BCR-05.1Management &Operational ResilienceEnvironmental RisksBusiness ContinuityBCR-06 BCR-06.1Management &Operational ResilienceEquipment LocationBusiness ContinuityBCR-07 BCR-07.1Management &Operational 07.4Is physical protection against damage (e.g.,Physical protectionagainst damage from natural causes, natural disasters, deliberateattacks) anticipated and designed withnatural causes andcountermeasures applied?disasters, as well asdeliberate attacks,including fire, flood,atmospheric electricaldischarge, solarinduced geomagneticstorm, wind,earthquake, tsunami,explosion, nuclearaccident, volcanicactivity, biologicalhazard, civil unrest,mudslide, tectonicactivity, and otherforms of natural orman-made disastershall be anticipated,designed, and havecountermeasuresapplied.To reduce the risksfrom environmentalthreats, hazards, andopportunities forunauthorized access,equipment shall bekept away fromlocations subject tohigh probabilityenvironmental risksand supplemented byredundant equipmentlocated at areasonable distance.Are any of your data centers located inplaces that have a highprobability/occurrence of high-impactenvironmental risks (floods, tornadoes,earthquakes, hurricanes, etc.)?Policies andprocedures shall beestablished, andsupporting businessprocesses andtechnical measuresimplemented, forequipmentmaintenance ensuringcontinuity andavailability ofoperations andsupport personnel.If using virtual infrastructure, does yourcloud solution include independenthardware restore and recovery capabilities?BCR-07.5A3.2.0If using virtual infrastructure, do youprovide tenants with a capability to restorea Virtual Machine to a previous state inIf using virtual infrastructure, do you allowvirtual machine images to be downloadedand ported to a new cloud provider?If using virtual infrastructure, are machineimages made available to the customer in away that would allow the customer toreplicate those images in their own off-sitestoragelocation?Doesyourcloud solution include(A3.1.0) Procedures exist to (1) identify potential CC3.1threats of disruptions to systems operation thatA1.1would impair system availability commitmentsA1.2and (2) assess the risks associated with theidentified threats.F.1F.2.9, F.1.2.21,F.5.1, F.1.5.2,F.2.1, F.2.7,F.2.8Schedule 1 (Section RS-055), 4.7 - Safeguards,Subsec. 4.7.3F.1F.2.9, F.1.2.21,F.5.1, F.1.5.2,F.2.1, F.2.7,F.2.853 (A )Schedule 1 (Section RS-0675 (C , A ) 5), 4.7 - Safeguards,Subsec. 4.7.3F.2.191 (B)2.8;3.7DSS01.03DSS01.04DSS01.05Infra Services providerFacility Security EnvironmentalRisk ManagementxDomain 7, 8 6.07. (d)6.08. (a)6.09. (a)6.09. (b)6.09. (d)Article 17 (1), (2)NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-13NIST SP800-53 R3 PE-14NIST SP800-53 R3 PE-15NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-13NIST SP800-53 R3 PE-13 (1)NIST SP800-53 R3 PE-13 (2)NIST SP800-53 R3 PE-13 (3)NIST SP800-53 R3 PE-14NIST SP800-53 R3 PE-15NIST SP800-53 R3 PE-18DSS01.04DSS01.05312.8 and 312.10 Infra Services providerFacility Security EnvironmentalRisk ManagementxDomain 7, 8 6.07. (d)6.08. (a)6.09. (a)6.09. (b)6.09. (d)Article 17 (1), (2)NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-14NIST SP800-53 R3 PE-15NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-5NIST SP800-53 R3 PE-14NIST SP800-53 R3 PE-15NIST SP800-53 R3 PE-18providerxDomain 7, 8 6.09. (h)Article 17 (1)NIST SP 800-53 R3 MA-2NIST SP 800-53 R3 MA-4NIST SP 800-53 R3 MA-5NIST SP 800-53 R3 MA-2NIST SP 800-53 R3 MA-2 (1)NIST SP 800-53 R3 MA-3NIST SP 800-53 R3 MA-3 (1)NIST SP 800-53 R3 MA-3 (2)NIST SP 800-53 R3 MA-3 (3)NIST SP 800-53 R3 MA-4NIST SP 800-53 R3 MA-4 (1)NIST SP 800-53 R3 MA-4 (2)NIST SP 800-53 R3 MA-5NIST SP 800-53 R3 MA-6Domain 7, 8 6.08. (a)6.09. (e)6.09. (f)Article 17 (1), (2)NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-12NIST SP800-53 R3 PE-13NIST SP800-53 R3 PE-14NIST SP800-53 R3 CP-8NIST SP800-53 R3 CP-8 (1)NIST SP800-53 R3 CP-8 (2)NIST SP800-53 R3 PE-1NIST SP800-53 R3 PE-9NIST SP800-53 R3 PE-10NIST SP800-53 R3 PE-11NIST SP800-53 R3 PE-12NIST SP800-53 R3 PE-13NIST SP800-53 R3 PE-13 (1)NIST SP800-53 R3 PE-13 (2)NIST SP800-53 R3 PE-13 (3)NIST SP800-53 R3 PE-14Domain 7, 8 6.02. (a)6.03.03. (c)6.07. (a)6.07. (b)6.07. (c)Article 17 (1), (2)NIST SP 800-53 R3 CP-1NIST SP 800-53 R3 CP-2NIST SP 800-53 R3 RA-3NIST SP 800-53 R3 CP-1NIST SP 800-53 R3 CP-2NIST SP 800-53 R3 RA-3NIST SP 800-53 R3 CM-2NIST SP 800-53 R3 CM-4NIST SP 800-53 R3 CM-6NIST SP 800-53 R3 MA-4NIST SP 800-53 R3 SA-3NIST SP 800-53 R3 SA-4NIST SP 800-53 R3 SA-5NIST SP 800-53 R3 CM-2NIST SP 800-53 R3 CM-2 (1)NIST SP 800-53 R3 CM-2 (3)NIST SP 800-53 R3 CM-2 (5)NIST SP 800-53 R3 CM-3NIST SP 800-53 R3 CM-3 (2)NIST SP 800-53 R3 CM-4NIST SP 800-53 R3 CM-5NIST SP 800-53 R3 CM-6NIST SP 800-53 R3 CM-6 (1)NIST SP 800-53 R3 CM-6 (3)NIST SP 800-53 R3 CP-2NIST SP 800-53 R3 CP-2 (1)NIST SP 800-53 R3 CP-2 (2)NIST SP 800-53 R3 CP-6NIST SP 800-53 R3 CP-6 (1)NIST SP 800-53 R3 CP-6 (3)NIST SP 800-53 R3 CP-7NIST SP 800-53 R3 CP-7 (1)NIST SP 800-53 R3 CP-7 (2)NIST SP 800-53 R3 CP-7 (3)NIST SP 800-53 R3 CP-7 (5)NIST SP 800-53 R3 CA-1NIST SP 800-53 R3 CM-1NIST SP 800-53 R3 CM-9NIST SP 800-53 R3 PL-1NIST SP 800-53 R3 PL-2NIST SP 800-53 R3 SA-1NIST SP 800-53 R3 SA-3NIST SP 800-53 R3 SA-4NIST SP 800-53 R3 SA-4 (1)NIST SP 800-53 R3 SA-4 (4)NIST SP 800-53 R3 SA-4NIST SP 800-53 R3 SA-4 (1)NIST SP 800-53 R3 SA-4 (4)NIST SP 800-53 R3 SA-4 (7)NIST SP 800-53 R3 SA-5NIST SP 800-53 R3 SA-5 (1)NIST SP 800-53 R3 SA-5 (3)NIST SP 800-53 R3 SA-8NIST SP 800-53 R3 CM-1NIST SP 800-53 R3 CM-2NIST SP 800-53 R3 CM-2 (1)NIST SP 800-53 R3 CM-2 (3)NIST SP 800-53 R3 CM-2 (5)NIST SP 800-53 R3 SA-3NIST SP 800-53 R3 SA-4NIST SP 800-53 R3 SA-4 (1)NIST SP 800-53 R3 SA-4 (4)NIST SP 800-53 R3 SA-4 (7)NIST SP 800-53 R3 SA-5NIST SPSP 800-53800-53 R3R3 CM-1SA-5 (1)NIST(A3.2.0) Measures to prevent or mitigate threatshave been implemented consistent with the riskassessment when commercially practicable.A3.1.0A3.2.0(A3.1.0) Procedures exist to (1) identify potential CC3.1threats of disruptions to systems operation thatA1.1would impair system availability commitmentsA1.2and (2) assess the risks associated with theidentified threats.A3.2.0(A3.2.0) Measures to prevent or mitigate threats A1.1have been implemented consistent with the risk A1.2assessment when commercially practicable.A4.1.0(A4.1.0) The entity’s system availability andsecurity performance is periodically reviewed andcompared with the defined system availabilityand related security policies.XOP-042,1COBIT 4.1 A13.3CC4.12,1XXBCR-09.3Business ContinuityBCR-10 BCR-10.1Management &Operational ResiliencePolicyBusiness ContinuityBCR-11 BCR-11.1Management &Operational ResilienceBCR-11.2Retention PolicyBCR-11.4BCR-11.5Change Control &ConfigurationManagementNew Development /AcquisitionCCC-01 CCC-01.1CCC-01.2Change Control &ConfigurationManagementOutsou

NERC CIP NIST SP800-53 R3 NIST SP800-53 R4 Appendix J NZISM NZISM v2.5 PCI DSS v2.0 PCI DSS v3.0 PCI DSS v3.2 Shared Assessments 2017 AUP Yes No Not Applicable Domain Container Capability Public Private PA ID PA level AIS-01.1 Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted

Related Books

Description Page Line - txcourts.gov

Description Page Line - txcourts.gov

International consensus guidelines on Clinical Target Volume . - SEOR

International consensus guidelines on Clinical Target Volume . - SEOR

Study Published: November, 2011 Oak Hills Church · 6929 .

Study Published: November, 2011 Oak Hills Church · 6929 .

Distributed Consensus Protocols and Algorithms

Distributed Consensus Protocols and Algorithms

The Basics of Consensus Decision Making

The Basics of Consensus Decision Making

Tutorial for the WGCNA package for R II. Consensus network analysis of .

Tutorial for the WGCNA package for R II. Consensus network analysis of .

An Expert Consensus Statement on the Management of Large Chondral and .

An Expert Consensus Statement on the Management of Large Chondral and .

BRIGANCE Early Childhood Product Sampler - Masaryk University

BRIGANCE Early Childhood Product Sampler - Masaryk University

CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3 - HUB Scuola

CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3 - HUB Scuola

CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.1 Control ID .

CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.1 Control ID .

Defining and Prioritizing KPIs for EHR Implementation: A Clinically .

Defining and Prioritizing KPIs for EHR Implementation: A Clinically .

PopularTags

Recent Views