Standards, Regulations and Laws: mapping of ISO 17799 (2005) controls

Each ISO 17799 (2005) control below is mapped against the following columns:
  Standards: COBIT® 4.0; ITIL
  Regulations: FDA 21 CFR Part 11; Payment Card Industry Data Security Standard (PCI DSS)
  Laws: Basel II (Bank of International Settlements, Operational Risk Check List); EU Data Protection Directive; MiFID (from the 26 June 2006 draft version of "Implementing Directive 2004/39/EC"); Sarbanes-Oxley / COSO (SOX/COSO)
SECTION 4: Risk assessment and treatment

4.1 Assessing security risks: Identify, quantify, and prioritise risks against criteria for risk acceptance relevant to the organisation
  COBIT 4.0: Plan and organise: PO9 Assess and manage IT risks. Monitor and evaluate: ME3 Ensure regulatory compliance; ME4 Provide IT governance
  ITIL: 2.2.3 Responsibilities, powers and duties are clearly specified by policy processes, procedures and work instructions
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: N/A
  Basel II: Risk management – Organisational management; Policy management
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: Article 7 – Risk management: Establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm's activities, processes and systems
  SOX/COSO: Risk assessment; Objective setting; Event identification

4.2 Treating security risks: Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties
  COBIT 4.0: Plan and organise: PO9 Assess and manage IT risks. Monitor and evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control
  ITIL: 4.1.1 Establish a management framework to initiate and manage information security
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: N/A
  Basel II: Risk management – Organisational management
  EU Data Protection Directive: First principle: Personal data shall be processed fairly and lawfully. Second principle: Personal data shall be obtained only for one or more specified and lawful purposes. Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Risk response; Event identification
SECTION 5: Security policy

5.1 Information security policy: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals
  COBIT 4.0: Plan and organise: PO1 Define a strategic IT plan; PO4 Define the IT processes, organisation and relationships; PO6 Communicate management aims and direction; PO7 Manage IT human resources
  ITIL: 4.1.1 Identify the risks arising from the links with third parties
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: N/A
  EU Data Protection Directive: Second principle: Personal data shall be obtained only for one or more specified and lawful purposes. Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data. Eighth principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
  MiFID: Article 5 – Organisational requirements: Require investment firms to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question
  SOX/COSO: Internal environment; Objective setting; Risk assessment
SECTION 6: Organisation of information security

6.1 Internal organisation: A management framework should be established to initiate and control the implementation of information security within the organisation
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: N/A
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Policy management – Outsourcing policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities; Information and communication

6.2 External parties: To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties
  COBIT 4.0: Plan and organise: PO8 Manage quality. Deliver and support: DS1 Define and manage service levels; DS2 Manage third-party services; DS5 Ensure systems security
  ITIL: N/A
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Policy management – Outsourcing policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Risk assessment; Control activities; Information and communication; Monitoring
SECTION 7: Asset management

7.1 Responsibility for assets: All assets should be accounted for and have a nominated owner
  COBIT 4.0: Plan and organise: PO4 Define the IT processes, organisation and relationships
  ITIL: 3.3.1 Configuration and asset management process; 4.2.1 Ensure there is an overview of the most important information sources and systems; allocate responsibility for all information and systems
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: N/A
  Basel II: Risk management – Asset management
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities

7.2 Information classification: Information should be classified to indicate the need, priorities and expected degree of protection
  COBIT 4.0: Plan and organise: PO2 Define the information architecture; PO4 Assess and manage IT risks. Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.1 Rules for classification are outside the sphere of ITIL
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: N/A
  Basel II: Risk management – Asset management
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data. Eighth principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
  MiFID: Article 51 – Retention of records: Require investment firms to retain all the records required under Directive 2004/39/EC and its implementing measures for a period of at least five years
  SOX/COSO: Risk assessment; Event identification
SECTION 8: Human resources security

8.1 Prior to employment: To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles
  COBIT 4.0: Plan and organise: PO7 Manage IT human resources. Deliver and support: DS12 Manage the physical environment
  ITIL: 4.2.2 Includes job descriptions; applicant screening; confidentiality agreements
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Implement strong access control measures: 8. Assign a unique ID to each person with computer access. Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Policy management – Personnel policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities; Information and communication

8.2 During employment: To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work
  COBIT 4.0: Plan and organise: PO7 Manage IT human resources. Deliver and support: DS7 Educate and train users
  ITIL: 4.2.2 Includes training to make employees aware of security threats and of the importance of information security
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (i) Users of electronic record/electronic signature systems have appropriate education, training and experience
  PCI DSS: Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Policy management – Personnel policy
  EU Data Protection Directive: Second principle: Personal data shall be obtained only for one or more specified and lawful purposes. Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities; Information and communication

8.3 Termination or change of employment: To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner
  COBIT 4.0: Plan and organise: PO4 Define the IT processes, organisation and relationships; PO7 Manage IT human resources
  ITIL: 4.2.2 Includes job descriptions; applicant screening; confidentiality agreements
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Implement strong access control measures: 8. Assign a unique ID to each person with computer access
  Basel II: Policy management – Personnel policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: N/A
SECTION 9: Physical and environmental security

9.1 Secure areas: To prevent unauthorised physical access, damage, and interference to the organisation's premises and information
  COBIT 4.0: Deliver and support: DS5 Ensure systems security; DS11 Manage data; DS12 Manage the physical environment
  ITIL: ITIL Environmental Strategy Set; ITIL Environmental Management Set
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Implement strong access control measures: 9. Restrict physical access to cardholder data
  Basel II: Policy management – Physical security policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Information and communication; Monitoring

9.2 Equipment security: To prevent loss, damage, theft or compromise of assets and interruption to the organisation's activities
  COBIT 4.0: Deliver and support: DS12 Manage the physical environment
  ITIL: Select locations for installing equipment that involve the least risk from outside
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Implement strong access control measures: 9. Restrict physical access to cardholder data
  Basel II: Policy management – Physical security policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Information and communication
SECTION 10: Communications and operations management

10.1 Operational procedures and responsibilities: To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions
  COBIT 4.0: Plan and organise: PO4 Assess and manage IT risks. Acquire and implement: AI6 Manage changes. Deliver and support: DS4 Ensure continuous service; DS13 Manage operations
  ITIL: 4.2.3 Ensure there are established responsibilities for the management of all IT resources and all parts of the IT infrastructure including segregation of duties and security incident handling
  FDA 21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period; (f) Use of operational system checks to enforce sequencing of steps and events as appropriate; (k) Use of appropriate controls over systems documentation
  PCI DSS: N/A
  Basel II: Intrusion detection; Incident response plan; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Risk response; Control activities; Monitoring

10.2 Third party service delivery management: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements
  COBIT 4.0: Plan and organise: PO4 Define the IT processes, organisation and relationships; PO8 Manage quality; PO10 Manage projects. Deliver and support: DS1 Define and manage service levels; DS2 Manage third-party services
  ITIL: N/A
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Policy management – Outsourcing policy
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities

10.3 System planning and acceptance: To minimise the risk of systems failures
  COBIT 4.0: Deliver and support: DS3 Manage performance and capacity; DS4 Ensure continuous service
  ITIL: 3.3.4 Change management process; 3.4.3 Improving performance in terms of throughput, capacity and response times; other measures include resource, demand and workload management, application sizing and modelling
  FDA 21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period
  PCI DSS: N/A
  Basel II: N/A
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring

10.4 Protection against malicious and mobile code: Precautions are required to prevent and detect the introduction of malicious code and unauthorised mobile code
  COBIT 4.0: Deliver and support: DS5 Ensure systems security; DS8 Manage service desk and incidents; DS9 Manage the configuration; DS10 Manage problems
  ITIL: 3.3.2 Incident control/help desk; 4.2.4 Access control; anti-virus control policy
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Maintain a vulnerability management program: 5. Use and regularly update anti-virus software
  Basel II: Cyber intelligence – Patch management; Firewalls; Active content filtering; Intrusion detection; Virus scanners; Incident response plan
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Event identification; Information and communication

10.5 Back-up: Routine procedures for implementing the back-up policy and strategy
  COBIT 4.0: Deliver and support: DS4 Ensure continuous service; DS11 Manage data
  ITIL: 3.4.2 Availability management; 3.4.4 Fallback planning
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: N/A
  Basel II: Incident response plan
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: Article 5 – Organisational requirements: Require investment firms to establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question
  SOX/COSO: Event identification; Control activities; Monitoring
10.6 Network security management: To ensure the protection of information in networks and the protection of the supporting infrastructure
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.3 Communications and operations management; security measures for networks
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Maintain a vulnerability management program: 5. Use and regularly update anti-virus software; 6. Develop and maintain secure systems and applications
  Basel II: Risk management – Asset management; Cyber intelligence – Patch management; Firewalls; Active content filtering – Web application security; Intrusion detection; Virus scanners
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Risk assessment; Control activities; Monitoring

10.7 Media handling: To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities
  COBIT 4.0: Deliver and support: DS11 Manage data
  ITIL: 3.4.2 Availability management; 3.4.4 Fallback planning; 4.2.3 Communications and operations management; handling and security of data carriers. Agreements should be included in the SLA
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time
  PCI DSS: Protect cardholder data: 3. Protect stored data. Implement strong access control measures: 7. Restrict access to data by business need-to-know; 8. Assign a unique ID to each person with computer access; 9. Restrict physical access to cardholder data
  Basel II: Physical security policy
  EU Data Protection Directive: Fifth principle: Personal data processed shall not be kept for longer than is necessary. Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Information and communication

10.8 Exchange of information: To maintain the security of information and software exchanged within an organisation and with any external entity
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.3 Communications and operations management; handling and security of data carriers. Agreements should be included in the SLA
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period
  PCI DSS: Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data. Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks. Implement strong access control measures: 8. Assign a unique ID to each person with computer access
  Basel II: Active content filtering – Web application security; Firewalls; Virus scanners
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data. Eighth principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
  MiFID: N/A
  SOX/COSO: Risk assessment; Risk response; Control activities; Information and communication; Monitoring

10.9 Electronic commerce services: To ensure the security of electronic commerce services, and their secure use
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.3 Communications and operations management; handling and security of data carriers. Agreements should be included in the SLA; 4.2.4 Access control; application access control
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time
  PCI DSS: Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks. Maintain a vulnerability management program: 6. Develop and maintain secure systems and applications
  Basel II: Active content filtering
  EU Data Protection Directive: Second principle: Personal data shall be obtained only for one or more specified and lawful purposes. Fifth principle: Personal data processed shall not be kept for longer than is necessary. Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data. Eighth principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
  MiFID: N/A
  SOX/COSO: Event identification; Control activities

10.10 Monitoring: To detect unauthorised information processing activities including review of operator logs and fault logging
  COBIT 4.0: Deliver and support: DS5 Ensure systems security. Monitor and evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control
  ITIL: 4.2.4 Access control; monitoring and auditing information system access
  FDA 21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Implement strong access control measures: 8. Assign a unique ID to each person with computer access. Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
  Basel II: Access controls/authentication; Active content filtering – Web application security; Virus scanners
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring
SECTION 11: Access control

11.1 Business requirement for access control: Establish, document and review access control policies and rules
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: Largely outside the scope of ITIL
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Implement strong access control measures: 8. Assign a unique ID to each person with computer access. Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Access controls/authentication; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities

11.2 User access management: Formal procedures to control the allocation of access rights to information systems and services
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.4 Access control; network, computer and application access control
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Implement strong access control measures: 7. Restrict access to data by business need-to-know; 8. Assign a unique ID to each person with computer access
  Basel II: Access controls/authentication; Active content filtering – Web application security; Virus scanners; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring

11.3 User responsibilities: User awareness, particularly with the use of passwords and the security of equipment
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: Outside the scope of ITIL; this is the responsibility of the user organisation
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system; (i) Users of electronic record/electronic signature systems have appropriate education, training and experience
  PCI DSS: Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Implement strong access control measures: 8. Assign a unique ID to each person with computer access. Maintain an information security policy: 12. Maintain a policy that addresses information security
  Basel II: Access controls/authentication; Virus scanners; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities

11.4 Network access control: Ensure that appropriate interfaces and authentication mechanisms to networked services are in place
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.4 Access control; network, computer access control
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Implement strong access control measures: 8. Assign a unique ID to each person with computer access
  Basel II: Access controls/authentication; Active content filtering – Web application security; Virus scanners; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities; Monitoring
11.5 Operating system access control: To ensure authorised access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.4 Access control; computer access control
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Implement strong access control measures: 8. Assign a unique ID to each person with computer access. Maintain an information security policy: 10. Track and monitor all access to network resources and cardholder data
  Basel II: Access controls/authentication; Active content filtering – Web application security; Intrusion detection; Virus scanners; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities; Monitoring

11.6 Application and information access control: To prevent unauthorised access to information held in application systems
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: 4.2.4 Access control; application access control
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications. Implement strong access control measures: 8. Assign a unique ID to each person with computer access
  Basel II: Access controls/authentication; Active content filtering – Web application security; Virus scanners
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring

11.7 Mobile computing and teleworking: To ensure information security when using mobile computing and teleworking facilities
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: N/A
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorised individuals; (g) Use of authority checks to ensure that only authorised individuals can use the system
  PCI DSS: Build and maintain a secure network: 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Implement strong access control measures: 8. Assign a unique ID to each person with computer access
  Basel II: Policy management – Remote system access policy; Access controls/authentication; Active content filtering – Web application security
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Internal environment; Control activities; Monitoring
SECTION 12: Information systems acquisition, development and maintenance

12.1 Security requirements of information systems: To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications
  COBIT 4.0: Acquire and implement: AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure
  ITIL: ITIL book software lifecycle support and the business perspective set; ITIL is not specifically concerned with system development
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time; (k) Use of appropriate controls over systems documentation
  PCI DSS: Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications
  Basel II: Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring

12.2 Correct processing in applications: To prevent errors, loss, unauthorised modification or misuse of information in applications
  COBIT 4.0: Acquire and implement: AI2 Acquire and maintain application software
  ITIL: ITIL book software lifecycle support and the business perspective set; ITIL is not specifically concerned with system development
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time; (f) Use of operational system checks to enforce sequencing of steps and events as appropriate; (k) Use of appropriate controls over systems documentation
  PCI DSS: Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications
  Basel II: Cyber intelligence – Patch management; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities

12.3 Cryptographic controls: To protect the confidentiality, authenticity or integrity of information by cryptographic means
  COBIT 4.0: Deliver and support: DS5 Ensure systems security
  ITIL: ITIL is not specifically concerned with system development
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time; (h) Use of device checks to determine validity of source data input or operational instruction; (k) Use of appropriate controls over systems documentation
  PCI DSS: Protect cardholder data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks
  Basel II: Active content filtering – Web application security; Virus scanners; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring

12.4 Security of system files: To ensure security of system files
  COBIT 4.0: Acquire and implement: AI6 Manage changes. Deliver and support: DS5 Ensure systems security
  ITIL: ITIL is not primarily concerned with individual components, such as files, queues, data or messages
  FDA 21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time; (k) Use of appropriate controls over systems documentation
  PCI DSS: Build and maintain a secure network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Basel II: Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Information and communication; Monitoring

12.5 Security in development and support processes: Project and support environments should be strictly controlled
  COBIT 4.0: Acquire and implement: AI6 Manage changes. Deliver and support: DS5 Ensure systems security
  ITIL: ITIL is not specifically concerned with system development
  FDA 21 CFR Part 11: (c) Protection of records throughout the records retention period; (k) Use of appropriate controls over systems documentation
  PCI DSS: Maintain a vulnerability management system: 6. Develop and maintain secure systems and applications
  Basel II: N/A
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: Control activities; Monitoring

12.6 Technical vulnerability management: To reduce risks resulting from exploitation of published technical vulnerabilities
  COBIT 4.0: Plan and organise: PO9 Assess and manage IT risks. Deliver and support: DS2 Manage third-party services; DS4 Ensure continuous service; DS5 Ensure systems security; DS9 Manage the configuration. Monitor and evaluate: ME1 Monitor and evaluate IT performance
  ITIL: ITIL is not specifically concerned with vulnerability management
  FDA 21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time; (k) Use of appropriate controls over systems documentation
  PCI DSS: Maintain a vulnerability management system: 5. Use and regularly update anti-virus software; 6. Develop and maintain secure systems and applications
  Basel II: Active content filtering – Web application security; Virus scanners; Systems administration
  EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
  MiFID: N/A
  SOX/COSO: N/A
SECTION 13: Information security incident management
13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken
COBIT 4.0:
Deliver and support: DS5 Ensure systems security; DS8 Manage service desk and incidents; DS10 Manage problems
Monitor and evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control
ITIL: 4.2.2 Includes responding to security incidents as quickly as possible through the right channels
FDA 21 CFR Part 11:
(a) Validation of systems and the ability to discern invalid or altered records
(c) Protection of records throughout the records retention period
PCI DSS:
Regularly monitor and test networks: 11. Regularly test security systems and processes
Maintain an information security policy: 12. Maintain a policy that addresses information security
Basel II Operational Risk Check List:
• Policy management
  – Personnel policy
• Virus scanners
• Incident response plan
EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
MiFID: N/A
Sarbanes-Oxley (COSO): N/A
13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents
COBIT 4.0:
Deliver and support: DS5 Ensure systems security; DS8 Manage service desk and incidents; DS10 Manage problems
Monitor and evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control
ITIL:
4.2.2 Includes responding to security incidents as quickly as possible through the right channels
4.2.3 Ensure there are established responsibilities for the management of security incident handling
FDA 21 CFR Part 11:
(a) Validation of systems and the ability to discern invalid or altered records
(c) Protection of records throughout the records retention period
PCI DSS:
Maintain an information security policy: 12. Maintain a policy that addresses information security
Basel II Operational Risk Check List:
• Policy management
  – Personnel policy
• Incident response plan
EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
MiFID: N/A
Sarbanes-Oxley (COSO): N/A
SECTION 14: Business continuity management
14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption
COBIT 4.0:
Deliver and support: DS4 Ensure continuous service; DS10 Manage problems; DS11 Manage data
ITIL: 3.4.4 Business continuity planning; an entire ITIL book is dedicated to this topic
FDA 21 CFR Part 11:
(c) Protection of records throughout the records retention period
PCI DSS: N/A
Basel II Operational Risk Check List:
• Incident response plan
EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
MiFID: Article 14 – Conditions of outsourcing: The investment firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of back-up facilities
Sarbanes-Oxley (COSO):
• Event identification
• Risk response
• Control activities
• Information and communication
• Monitoring
SECTION 15: Compliance
15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements
COBIT 4.0:
Monitor and evaluate: ME3 Ensure regulatory compliance; ME4 Provide IT governance
ITIL: 4.3 Audit and evaluate: security reviews of IT systems
FDA 21 CFR Part 11:
(c) Protection of records throughout the records retention period
PCI DSS: N/A
Basel II Operational Risk Check List: N/A
EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
MiFID: N/A
Sarbanes-Oxley (COSO):
• Internal environment
• Event identification
• Risk response
• Control activities
• Information and communication
• Monitoring
15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organisational security policies and standards
COBIT 4.0:
Acquire and implement: AI7 Install and accredit solutions and changes
Monitor and evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control; ME4 Provide IT governance
ITIL: 4.3 Audit and evaluate: security reviews of IT systems
FDA 21 CFR Part 11:
(a) Validation of systems and the ability to discern invalid or altered records
(c) Protection of records throughout the records retention period
(f) Use of operational system checks to enforce sequencing of steps and events as appropriate
PCI DSS:
Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
Basel II Operational Risk Check List:
• Risk management
  – Asset management
• Intrusion detection
• Vulnerability and penetration testing
EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
MiFID: N/A
Sarbanes-Oxley (COSO):
• Internal environment
• Control activities
• Monitoring
15.3 Information systems audit considerations
Objective: To maximise the effectiveness of and to minimise interference to/from the information systems audit processes
COBIT 4.0:
Monitor and evaluate: ME1 Monitor and evaluate IT performance; ME2 Monitor and evaluate internal control; ME4 Provide IT governance
ITIL: 4.3 Audit and evaluate: security reviews of IT systems
FDA 21 CFR Part 11:
(c) Protection of records throughout the records retention period
PCI DSS:
Regularly monitor and test networks: 10. Track and monitor all access to network resources and cardholder data
Basel II Operational Risk Check List:
• Intrusion detection
• Vulnerability and penetration testing
EU Data Protection Directive: Seventh principle: Technical and organisational measures against unauthorised or unlawful processing of personal data
MiFID: Article 8 – Internal audit: Establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the investment firm's systems
Sarbanes-Oxley (COSO):
• Monitoring
IT Controls Reference
www.symantec.com
This information is provided as guidance only and does not constitute legal advice. The information is subject to change and update at any time without prior written notice. See www.symantec.com for current details.
Copyright © 2006 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners.