Back

Segregate electronically stored information from operating system access.


CONTROL ID
00552
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Secure access to each system component operating system., CC ID: 00551

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Personnel should not store unprotected authentication data on or near the system the information grants access to. (§ 3.6.8, Australian Government ICT Security Manual (ACSI 33))
  • Inspect the configuration and observe the authentication process when disk encryption is being used to verify logical access to encrypted file systems is separate from the native Operating System's authentication mechanism. (Testing Procedures § 3.4.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the logical access is independent of system access when disk encryption is used. (§ 3.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Logical access must be managed separately and independently of the Operating System authentication and access control mechanisms when disk encryption, rather than file-level or column-level database encryption, is used. (PCI DSS Requirements § 3.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)? (3.4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • If the system uses disk encryption, ensure the logical access to the encrypted file system is separate from the logical access to the operating system. (§ 2.4, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • If disk encryption (rather than file- or column-level database encryption) is used, is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or gene… (PCI DSS Question 3.4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • If disk encryption (rather than file- or column-level database encryption) is used, is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or gene… (PCI DSS Question 3.4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization should have effective internal controls to safeguard all stored cardholder information. If the organization's web site collects personal information, the organization should verify the information before saving it and should store it securely. (Pg 19, Pg 73, Pg 75, Pg 78, Pg 81, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • A key technical control that should be included in a well-managed IT environment is the enforcement of a division of duties with systems software and other configuration controls. (§ 5.3.5 ¶ 4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Website content (e.g., web pages, articles, images) should be protected against corruption or unauthorized disclosure by storing it separately from the Operating System (e.g., on a separate partition / disk). (CF.04.02.03a, The Standard of Good Practice for Information Security)
  • Website content (e.g., web pages, articles, images) should be protected against corruption or unauthorized disclosure by storing it separately from the Operating System (e.g., on a separate partition / disk). (CF.04.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Calls for authorization access to be appropriately limited and segregated. It further requires that inactive terminals are logged off and the number of unsuccessful login attempts is limited. (SS-1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)