Confirm that the hosting provider ensures that processes with access to confidential data can only be executed by an organization on its own confidential data environment.

UCF ID: 04264
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Ensure third parties acknowledge their responsibilities for data in their possession and control. [UCF Control ID 01364]

There are no supporting controls.

Authority documents complied with:

    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, App A § 1.1, App A § 1.2
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, App A § 1.1, App A § 1.2
    ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 5.7.2
    Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § SC-9

Payment Card Guidance

Shared hosting providers must ensure that only processes that have access to the cardholder data can be executed by that organization and that the organization's access and privileges are restricted to its own cardholder data environment.
Verify that, if shared hosting providers are running their own applications, those applications are executed with the unique ID of the entity. Verify also that any application used by the hosting provider does not run under a privileged user ID; that the service provider has read, write, or execute permissions only for files it owns; that the service provider's users do not have write access to shared binaries; that logs can be read only by the owner of the information; and that restrictions are in place for disk space, bandwidth, memory, and CPU usage.
[App A § 1.1, App A § 1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
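As an added illustration (not part of the UCF page or the PCI standard), the following Python audit evaluates one tenant's inventory against the App A 1.1 and 1.2 verification points above: processes under the tenant's own ID and never privileged, no writable shared binaries, owner-only logs, no reach into other tenants' data, and all four resource limits set. The process and file records are constructed; on a real host they would be gathered from tools such as `ps` and `stat`.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    tenant: str   # tenant the process was started for
    euid: int     # effective UID it actually runs under

@dataclass
class File:
    path: str
    owner: str    # tenant (or "provider") that owns the file
    mode: int     # permission bits, e.g. 0o640
    kind: str     # "shared_binary", "log" or "data"

REQUIRED_LIMITS = ("disk", "bandwidth", "memory", "cpu")

def audit_tenant(tenant, tenant_uid, procs, files, limits):
    """Return a list of findings; an empty list means the tenant passes."""
    findings = []
    # App A 1.1: tenant processes run under the tenant's unique ID, never privileged.
    for p in procs:
        if p.tenant != tenant:
            continue
        if p.euid == 0:
            findings.append(f"pid {p.pid}: runs privileged (euid 0)")
        elif p.euid != tenant_uid:
            findings.append(f"pid {p.pid}: euid {p.euid} is not the tenant uid {tenant_uid}")
    for f in files:
        # Shared binaries must be neither owned by the tenant nor world-writable
        # (group write is ignored here; checking it needs group membership data).
        if f.kind == "shared_binary" and (f.owner == tenant or f.mode & 0o002):
            findings.append(f"{f.path}: shared binary writable by the tenant")
        if f.kind == "log" and f.owner == tenant and f.mode & 0o044:
            findings.append(f"{f.path}: log readable by group/other (mode {f.mode:04o})")
        # App A 1.2: the tenant may only reach files it owns, so other tenants'
        # data must not be reachable through the world permission bits.
        if f.kind == "data" and f.owner != tenant and f.mode & 0o007:
            findings.append(f"{f.path}: {f.owner}'s data reachable by other tenants")
    for name in REQUIRED_LIMITS:
        if not limits.get(name):
            findings.append(f"no {name} limit configured for {tenant}")
    return findings

# Constructed sample inventory: merchant_a has four violations, merchant_b none.
SAMPLE_PROCS = [Proc(4120, "merchant_a", 1001), Proc(4133, "merchant_a", 0),
                Proc(5002, "merchant_b", 1002)]
SAMPLE_FILES = [File("/usr/bin/php", "provider", 0o755, "shared_binary"),
                File("/home/merchant_a/logs/access.log", "merchant_a", 0o644, "log"),
                File("/home/merchant_b/db/cards.db", "merchant_b", 0o644, "data"),
                File("/home/merchant_b/logs/error.log", "merchant_b", 0o600, "log")]
SAMPLE_LIMITS = {"merchant_a": {"disk": "10G", "bandwidth": "100M", "memory": "512M"},
                 "merchant_b": {"disk": "10G", "bandwidth": "100M", "memory": "512M", "cpu": "1"}}
```

Note that the same world-readable `cards.db` is a finding for merchant_a (it can reach another tenant's data) but not for merchant_b, which owns it; the 1.2 check is evaluated from the perspective of each tenant being audited.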

Shared hosting providers must ensure that only processes that have access to the cardholder data can be executed by that organization and that the organization's access and privileges are restricted to its own cardholder data environment. [App A § 1.1, App A § 1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

NIST Guidance

The organization must protect the confidentiality of transmitted information. [App F § SC-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

ISO Guidance

The service provider should ensure that an organization's information in an ICT system is not accessible or made known to the ICT system of another organization unless this has been authorized. The service provider should establish a way to identify, and to logically and physically isolate, the ICT systems that are supported and maintained by different external vendors and subscribed to by different organizations. [§ 5.7.2, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of individuals whose access privileges have been reviewed. [UCF Control ID 01690]
    Report on the percentage of systems and applications where assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges. [UCF Control ID 02096]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.