Define the scope of the security policy.


CONTROL ID
07145
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls., CC ID: 01241

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Objectives, scope, ownership and responsibility for the policy (Critical components of information security 1) 2) b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • When creating the security policy implementers should specify the scope of the policy. (3.3 bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • When defining the scope of the security concept the implementer should require the specification of critical business processes, specialized tasks, or parts of an organization that are included in the scope. (4.1 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • When defining the scope of the security concept the implementer should clearly define the limits of the scope. (4.1 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Specify scope and content (§ 3.4.5 Subsection 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The information security policy must state which areas it applies to. The scope may include the whole organisation or just parts of the organisation. It is, however, important that the business tasks and processes under review are completely included in the scope. Stipulating the scope is not a triv… (§ 3.4.3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Specification of the scope: The information domain for which the security concept should be drawn up and implemented must be defined. (§ 6 ¶ 3 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • When drawing up of a security concept, the area of the organisation to be covered (scope) must be specified first. (§ 6.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The tasks in the field of information security must be delimited and the interfaces must be specified in detail already before involving external service providers. Tasks can be outsourced to external service providers; responsibility for information security always rests with the outsourcing organi… (§ 8.3.7 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Scopes of application (Section 5.2 SA-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The scope of the ISMS (the organization managed by the ISMS) is defined. (1.2.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Identify organizational goals, risks, and security policy. (§ 4 ¶ 2 Bullet 3, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • Updating PCI DSS scope as appropriate (A3.2.2 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identifying all out-of-scope networks and justification for networks being out of scope, including descriptions of all segmentation controls implemented (A3.2.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2. (12.5.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Updating PCI DSS scope as appropriate. (A3.2.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • If segmentation is used, PCI DSS scope is confirmed as follows: (A3.2.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (A3.2.1 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (12.5.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (12.5.2 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Confirming that all identified data flows, account data, system components, segmentation controls, and connections from third parties with access to the CDE are included in scope. (12.5.2 Bullet 7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • At least once every three months. (A3.2.1.a Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • After significant changes to the in-scope environment. (A3.2.1.a Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented results of scope reviews occurring at least once every three months to verify that scoping validation includes all elements specified in this requirement. (A3.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented results of scope reviews performed by the entity to verify that PCI DSS scoping confirmation activity includes all elements specified in this requirement. (12.5.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine documented results of scope reviews to verify that scoping validation includes all elements specified in Requirement 12.5.2. (12.5.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • After significant changes to the in-scope environment. (12.5.2.a Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • At least once every 12 months. (12.5.2.a Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • At least once every six months, and (12.5.2.1.a Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • After significant changes (12.5.2.1.a Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (12.5.2 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (12.5.2 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming that all identified data flows, account data, system components, segmentation controls, and connections from third parties with access to the CDE are included in scope. (12.5.2 Bullet 7, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. (12.5.2 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. (12.5.2 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming that all identified data flows, account data, system components, segmentation controls, and connections from third parties with access to the CDE are included in scope. (12.5.2 Bullet 7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2. (12.5.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization determines the boundaries and applicability of the ISMS to establish its scope. (§ 4.3 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization should also consider activities with impact on the ISMS or activities that are outsourced, either to other parts within the organization or to independent suppliers. For such activities, interfaces (physical, technical and organizational) and their influence on the scope should be i… (§ 4.3 Guidance ¶ 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the organizational scope, boundaries and interfaces; (§ 4.3 Guidance ¶ 3(j), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The application shall provide the capability to enforce a security policy that allows the device to control execution of mobile code based on the results of an authenticity check prior to the code being executed. (12.2.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)