Compliance poster

Standards Regulations Laws

ISO 17799 (2005) COBIT® 4.0 ITIL FDA 21 CFRPart 11

Payment Card IndustryData Security Standard

Basel IIBank of International Settlements

Operational Risk Check List

EU Data ProtectionDirective

MiFIDFrom 26 June 2006 draft version of:

“Implementing Directive 2004/39/EC”

Sarbanes – OxleyCOSO

SECTION 4: Risk assessment and treatment

4.1Assessing security risksIdentify, quantify, and prioritise risks against criteria for risk acceptance relevant to the organisation

Plan and organise:PO9 Assess and manage IT risks

Monitor and evaluate:ME3 Ensure regulatory complianceME4 Provide IT governance

2.2.3 Responsibilities, powers and duties are clearlyspecified by policy processes, procedures andwork instructions

(c) Protection of records throughout the recordsretention period

N/A • Risk management – Organisational management

• Policy management

Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data

Article 7 – Risk management:Establish, implement and maintain adequate risk management policies and procedures whichidentify the risks relating to the firm’s activities,processes and systems

• Risk assessment• Objective setting• Event identification

4.2Treating security risksDetermine risk treatment options: apply appropriatecontrols, accept risks, avoid risks or transfer risk toother parties


Monitor and evaluate:ME1 Monitor and evaluate IT performanceME2 Monitor and evaluate internal control

4.1.1 Establish a management framework to initiateand manage information security


N/A • Risk management– Organisational management

First principle:Personal data shall be processed fairly and lawfully

Second principle:Personal data shall be obtained only for one or morespecified and lawful purposes


N/A • Risk response• Event identification

SECTION 5: Security policy

5.1Information security policyAn information security policy document should beapproved by management, and published andcommunicated to all employees and relevantexternal parties. The information security policyshould be reviewed at planned intervals

Plan and organise:PO1 Define a strategic IT planPO4 Define the IT processes, organisation

and relationshipsPO6 Communicate management aims and directionPO7 Manage IT human resources

4.1.1 Identify the risks arising from the links withthird parties


Maintain an information security policy:12. Maintain a policy that addresses

information security

N/A Second principle:Personal data shall be obtained only for one or morespecified and lawful purposes


Eighth principle:Personal data shall not be transferred to a countryor territory outside the European economic area,unless adequate level of protection for personaldata is ensured

Article 5 – Organisational requirements:Require investment firms to establish, implement and maintain systems and procedures that areadequate to safeguard the security, integrity andconfidentiality of information, taking into account the nature of the information in question

• Internal environment• Objective setting• Risk assessment

SECTION 6: Organisation of information security

6.1Internal organisation A management framework should be established to initiate and control the implementation ofinformation security within the organisation

Deliver and support:DS5 Ensure systems security

N/A (c) Protection of records throughout the recordsretention period



• Policy management – Outsourcing policy


N/A • Internal environment• Control activities• Information and communication

6.2External partiesTo maintain the security of information andinformation processing facilities that are accessed,processed, communicated to, or managed byexternal parties

Plan and organise:PO8 Manage quality

Deliver and support:DS1 Define and manage service levelsDS2 Manage third-party servicesDS5 Ensure systems security




• Policy management – Outsourcing policy


N/A • Internal environment• Risk assessment• Control activities• Information and communication• Monitoring

SECTION 7: Asset management

7.1Responsibility for assetsAll assets should be accounted for and have anominated owner

Plan and organise:PO4 Define the IT processes, organisation

and relationships

3.3.1 Configuration and asset management process4.2.1 Ensure there is an overview of the most

important information sources and systems;allocate responsibility for all information and systems


N/A • Risk management– Asset management


N/A • Control activities

7.2Information classificationInformation should be classified to indicate theneed, priorities and expected degree of protection

Plan and organise:PO2 Define the information architecturePO4 Assess and manage IT risks


4.2.1 Rules for classification are outside the sphereof ITIL


N/A • Risk management– Asset management



Article 51 – Retention of records:Require investment firms to retain all the recordsrequired under Directive 2004/39/EC and itsimplementing measures for a period of at least five years

• Risk assessment• Event identification

SECTION 8: Human resources security

8.1Prior to employmentTo ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles

Plan and organise:PO7 Manage IT human resources

Deliver and support:DS12 Manage the physical environment

4.2.2 Includes job descriptions; applicant screening;confidentiality agreements


Implement strong access control measures:8. Assign a unique ID to each person with

computer access



• Policy management– Personnel policy



8.2During employmentTo ensure that employees, contractors and thirdparty users are aware of information securitythreats and concerns, and are equipped to supportsecurity policy in the course of their normal work

Plan and organise:PO7 Manage IT human resources

Deliver and support:DS7 Educate and train users

4.2.2 Includes training to make employees awareof security threats and of the importance ofinformation security


(i) Users of electronic record/electronic signaturesystems have appropriate education, trainingand experience




Second principle:Personal data shall be obtained only for one or morespecified and lawful purposes



8.3Termination or change of employmentTo ensure that employees, contractors and third party users exit an organisation or changeemployment in an orderly manner


and relationshipsPO7 Manage IT human resources

4.2.2 Includes job descriptions; applicant screening;confidentiality agreements



computer access



N/A N/A

SECTION 9: Physical and environmental security

9.1Secure areasTo prevent unauthorised physical access, damage,and interference to the organisation’s premises and information

Deliver and support:DS5 Ensure systems securityDS11 Manage dataDS12 Manage the physical environment

ITIL Environmental Strategy SetITIL Environmental Management Set


Implement strong access control measures:9. Restrict physical access to cardholder data

• Policy management– Physical security policy


N/A • Control activities• Information and communication• Monitoring

9.2Equipment securityTo prevent loss, damage, theft or compromise ofassets and interruption to the organisation’sactivities

Deliver and support:DS12 Manage the physical environment

Select locations for installing equipment thatinvolve the least risk from outside


Implement strong access control measures:9. Restrict physical access to cardholder data

• Policy management– Physical security policy


N/A • Control activities• Information and communication

SECTION 10: Communications and operations management

10.1Operational procedures and responsibilitiesTo ensure the correct and secure operation ofinformation processing facilities includingsegregation of duties and change managementfunctions


Acquire and implement:A16 Manage changes

Deliver and support:DS4 Ensure continuous serviceDS13 Manage operations

4.2.3 Ensure there are established responsibilitiesfor the management of all IT resources and all parts of the IT infrastructure including segregration of duties and security incident handling

(a) Validation of systems and the ability to discerninvalid or altered records


(f) Use of operational system checks to enforcesequencing of steps and events as appropriate

(k) Use of appropriate controls over systemsdocumentation

N/A • Intrusion detection• Incident response plan• Systems administration


N/A • Internal environment• Risk response• Control activities• Monitoring

10.2Third party service delivery managementTo implement and maintain the appropriate level of information security and service delivery in linewith third party service delivery agreements


and relationshipsPO8 Manage qualityPO10 Manage projects

Deliver and support:DS1 Define and manage service levelsDS2 Manage third-party services




• Policy management– Outsourcing policy


N/A • Internal environment• Control activities

10.3System planning and acceptanceTo minimise the risk of systems failures

Deliver and support:DS3 Manage performance and capacityDS4 Ensure continuous service

3.3.4 Change management process3.4.3 Improving performance in terms of throughput

capacity and response times; other measuresinclude resource, demand and workloadmanagement, application sizing and modelling



N/A N/A Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data

N/A • Control activities• Monitoring

10.4Protection against malicious and mobile codePrecautions are required to prevent and detect theintroduction of malicious code and unauthorisedmobile code

Deliver and support:DS5 Ensure systems securityDS8 Manage service desk and incidentsDS9 Manage the configurationDS10 Manage problems

3.3.2 Incident control/help desk4.2.4 Access control; anti-virus control policy


Maintain a vulnerability management program:5. Use and regularly update anti-virus software

• Cyber intelligence – Patch management

• Firewalls• Active content filtering• Intrusion detection• Virus scanners• Incident response plan


N/A • Control activities• Event identification• Information and communication

10.5Back-upRoutine procedures for implementing the back-up policy and strategy

Deliver and support:DS4 Ensure continuous serviceDS11 Manage data

3.4.2 Availability management3.4.4 Fallback planning


N/A • Incident response plan Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data

Article 5 – Organisational requirements:Require investment firms to establish, implementand maintain systems and procedures that areadequate to safeguard the security, integrity andconfidentiality of information, taking into accountthe nature of the information in question

• Event identification• Control activities• Monitoring

10.6Network security managementTo ensure the protection of information in networksand the protection of the supporting infrastructure


4.2.3 Communications and operations management;security measures for networks


Build and maintain a secure network:1. Install and maintain a firewall configuration to

protect data2. Do not use vendor-supplied defaults for system

passwords and other security parameters

Maintain a vulnerability management program:5. Use and regularly update anti-virus software6. Develop and maintain secure systems

and applications

• Risk management– Asset management

• Cyber intelligence– Patch management

• Firewalls• Active content filtering

– Web application security• Intrusion detection• Virus scanners


N/A • Risk assessment• Control activities• Monitoring

10.7Media handlingTo prevent unauthorised disclosure, modification,removal or destruction of assets, and interruption tobusiness activities

Deliver and support:DS11 Manage data

3.4.2 Availability management3.4.4 Fallback planning4.2.3 Communications and operations management;

handling and security of data carriersAgreements should be included in the SLA


(e) Use of secure, computer-generated audit trails,which are retained for a certain period of time

Protect cardholder data:3. Protect stored data

Implement strong access control measures:7. Restrict access to data by business need-to-know8. Assign a unique ID to each person with

computer access9. Restrict physical access to cardholder data

• Physical security policy Fifth principle:Personal data processed shall not be kept for longerthan is necessary


N/A • Control activities• Information and communication

10.8Exchange of informationTo maintain the security of information andsoftware exchanged within an organisation and withany external entity


4.2.3 Communications and operations management;handling and security of data carriersAgreements should be included in the SLA



protect data

Protect cardholder data:4. Encrypt transmissions of cardholder data and

sensitive information across public networks


computer access

• Active content filtering– Web application security

• Firewalls• Virus scanners



N/A • Risk assessment• Risk response• Control activities• Information and communication• Monitoring

10.9Electronic commerce servicesTo ensure the security of electronic commerceservices, and their secure use


4.2.3 Communications and operations management;handling and security of data carriersAgreements should be included in the SLA

4.2.4 Access control; application access control




protect data2. Do not use vendor-supplied defaults for system




Maintain a vulnerability management program:6. Develop and maintain secure systems

and applications

• Active content filtering Second principle:Personal data shall be obtained only for one or morespecified and lawful purposes

Fifth principle:Personal data processed shall not be kept for longerthan is necessary



N/A • Event identification• Control activities

10.10MonitoringTo detect unauthorised information processingactivities including review of operator logs and fault logging


Monitor and evaluate:ME1 Monitor and evaluate IT performanceME2 Monitor and evaluate internal control

4.2.4 Access control; monitoring and auditinginformation system access



(d) Limiting system access to authorised individuals(g) Use of authority checks to ensure that only

authorised individuals can use the system


computer access

Regularly monitor and test networks:10. Track and monitor all access to network

resources and cardholder data11. Regularly test security systems and processes

• Access controls/authentication• Active content filtering

– Web application security• Virus scanners



SECTION 11: Access control

11.1Business requirement for access controlEstablish, document and review access controlpolicies and rules


Largely outside the scope of ITIL (c) Protection of records throughout the recordsretention period




computer access



• Access controls/authentication• Systems administration



11.2User access managementFormal procedures to control the allocation ofaccess rights to information systems and services


4.2.4 Access control; network, computer andapplication access control




Implement strong access control measures:7. Restrict access to data by business need-to-know8. Assign a unique ID to each person with

computer access


– Web application security• Virus scanners• Systems administration



11.3User responsibilitiesUser awareness, particularly with the use ofpasswords and the security of equipment


Outside the scope of ITIL, this is theresponsibility of the user organisation



authorised individuals can use the system(i) Users of electronic record/electronic signature

systems have appropriate education, trainingand experience

Build and maintain a secure network:2. Do not use vendor-supplied defaults for

system passwords and other security parameters


computer access



• Access controls/authentication• Virus scanners• Systems administration



11.4Network access controlEnsure that appropriate interfaces andauthentication mechanisms to networked servicesare in place


4.2.4 Access control; network, computer access control







computer access


– Web application security• Virus scanners• Systems administration


N/A • Internal environment• Control activities• Monitoring

11.5Operating system access controlTo ensure authorised access to operating systems.Some methods include: ensure quality passwords,user authentication, and the recording of successfuland failed system accesses


4.2.4 Access control; computer access control (c) Protection of records throughout the recordsretention period






computer access

Maintain an information security policy:10. Track and monitor all access to network

resources and cardholder data


– Web application security• Intrusion detection• Virus scanners• Systems administration



11.6 Application and information access controlTo prevent unauthorised access to information heldin application systems


4.2.4 Access control; application access control (c) Protection of records throughout the recordsretention period





Maintain a vulnerability management system:6. Develop and maintain secure systems

and applications


computer access


– Web application security• Virus scanners



11.7Mobile computing and teleworkingTo ensure information security when using mobile computing and teleworking facilities






protect data2. Do not use vendor-supplied defaults for



computer access

• Policy management – Remote system

• Access policy• Access controls/authentication• Active content filtering

– Web application security



SECTION 12: Information systems acquisition, development and maintenance

12.1Security requirements of information systemsTo ensure that security is built into informationsystems, including infrastructure, businessapplications and user-developed applications

Acquire and implement:A12 Acquire and maintain application softwareA13 Acquire and maintain technology infrastructure

ITIL book software lifecycle support and thebusiness perspective setITIL is not specifically concerned with system development





and applications

• Systems administration Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data


12.2Correct processing in applicationsTo prevent errors, loss, unauthorised modificationor misuse of information in applications

Acquire and implement:A12 Acquire and maintain application software

ITIL book software lifecycle support and thebusiness perspective setITIL is not specifically concerned with system development






and applications

• Cyber intelligence– Patch management

• Systems administration


N/A • Control activities

12.3Cryptographic controlsTo protect the confidentiality, authenticity orintegrity of information by cryptographic means


ITIL is not specifically concerned with system development



(h) Use of device checks to determine validity ofsource data input or operational instruction





• Virus scanners• Systems administration



12.4Security of system filesTo ensure security of system files



ITIL is not primarily concerned with individualcomponents, such as files, queues, data or messages





Build and maintain a secure network:2. Do not use vendor-supplied defaults for system


• Systems administration Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data

N/A • Control activities• Information and communication• Monitoring

12.5Security in development and support processesProject and support environments should be strictly controlled



ITIL is not specifically concerned with system development




and applications

N/A Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data


12.6Technical vulnerability managementTo reduce risks resulting from exploitation ofpublished technical vulnerabilities


Deliver and support:DS2 Manage third-party servicesDS4 Ensure continuous serviceDS5 Ensure systems securityDS9 Manage the configuration

Monitor and evaluate:ME1 Monitor and evaluate IT performance

ITIL is not specifically concerned with vulnerability management





Maintain a vulnerability management system:5. Use and regularly update anti-virus software6. Develop and maintain secure systems

and applications


• Virus scanners• Systems administration


N/A N/A

SECTION 13: Information security incident management

13.1Reporting information security events and weaknessesTo ensure information security events andweaknesses associated with information systemsare communicated in a manner allowing timelycorrective action to be taken

Deliver and support:DS5 Ensure systems securityDS8 Manage service desk and incidentsDS10 Manage problems

Monitor and evaluate:ME1 Monitor and evaluate IT performance:ME2 Monitor and evaluate internal control

4.2.2 Includes responding to security incidents asquickly as possible through the right channels



Regularly monitor and test networks:11. Regularly test security systems and processes




• Virus scanners• Incident response plan


N/A N/A

13.2Management of information security incidentsand improvementsTo ensure a consistent and effective approach is applied to the management of informationsecurity incidents

Deliver and support:DS5 Ensure systems securityDS8 Manage service desk and incidentsDS10 Manage problems

Monitor and evaluate:ME1 Monitor and evaluate IT performance:ME2 Monitor and evaluate internal control

4.2.2 Includes responding to security incidents asquickly as possible through the right channels

4.2.3 Ensure there are established responsibilitiesfor the management of security incidenthandling






• Incident response plan


N/A N/A

SECTION 14: Business continuity management

14.1Information security aspects of businesscontinuity managementTo counteract interruptions to business activitiesand to protect critical business processes from theeffects of major failures or disasters and to ensuretheir timely resumption

Deliver and support:DS4 Ensure continuous serviceDS10 Manage problemsDS11 Manage data

3.4.4 Business continuity planning; an entire ITILbook is dedicated to this topic


N/A • Incident response plan Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data

Article 14 – Conditions of outsourcing:The investment firm and the service provider mustestablish, implement and maintain a contingencyplan for disaster recovery and periodic testing ofback-up facilities

• Event identification• Risk response• Control activities• Information and communication• Monitoring

SECTION 15: Compliance

15.1Compliance with legal requirementsTo avoid breaches of any law, statutory, regulatoryor contractual obligations, and of any securityrequirements

Monitor and evaluate:ME3 Ensure regulatory complianceME4 Provide IT governance

4.3 Audit and evaluate: security reviews of IT systems


N/A N/A Seventh principle:Technical and organisational measures againstunauthorised or unlawful processing of personal data

N/A • Internal environment• Event identification• Risk response• Control activities• Information and communication• Monitoring

15.2Compliance with security policies and standards,and technical complianceTo ensure compliance of systems withorganisational security policies and standards

Acquire and implement:AI7 Install and accredit solutions and changes

Monitor and evaluate:ME1 Monitor and evaluate IT performanceME2 Monitor and evaluate internal controlME4 Provide IT governance






resources and cardholder data11. Regularly test security systems and processes

• Risk management– Asset management

• Intrusion detection• Vulnerability and penetration testing



15.3Information systems audit considerationsTo maximise the effectiveness of and to minimiseinterference to/from the information systems audit processes

Monitor and evaluate:ME1 Monitor and evaluate IT performanceME2 Monitor and evaluate internal controlME4 Provide IT governance




resources and cardholder data

• Intrusion detection• Vulnerability and penetration testing


Article 8 – Internal audit:Establish, implement and maintain an audit plan to examine and evaluate the adequacy andeffectiveness of the investment firm’s systems

• Monitoring

IT Controls Reference

www.symantec.comThis information is provided as guidance only and does not constitute legal advice. The information is subject to

change and update at any time without prior written notice. See www.symantec.com for current details.

Copyright © 2006 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners.

Documents

Compliance poster