Establish, implement, and maintain an anti-tamper protection program.


CONTROL ID
10638
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a physical security program., CC ID: 11757

This Control has the following implementation support Control(s):
  • Disallow disabling tamper detection and response mechanisms, absent authorization., CC ID: 12211
  • Prevent security mechanisms from being compromised by adverse physical conditions., CC ID: 12215
  • Monitor for evidence of when tampering indicators are being identified., CC ID: 11905
  • Protect assets from tampering or unapproved substitution., CC ID: 11902


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When warnings are posted on the website, it is necessary to implement anti-tampering measures. In cases where notifications are made to customers by email, it is necessary to pay attention to the contents of the mail so as to avoid leakage of information, and to take anti-spoofing and anti-tampering… (P115.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Install anti-skimming solutions on these machines and kiosks to detect the presence of foreign devices placed over or near a card entry slot; (§ 13.2.2.a, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To protect sensitive cryptographic keys, the FI should manage, process and store such keys in hardened and tamper resistant systems, e.g. by using a hardware security module. (§ 10.2.4, Technology Risk Management Guidelines, January 2021)
  • Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? (9.9 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Subsequent to production but prior to shipment from the manufacturer's or reseller's facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components an… (I5, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • A change- and tamper-detection mechanism is deployed as follows: (11.6.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (9.5.1.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented results of periodic device inspections and interview personnel to verify that the frequency and type of POI device inspections performed match what is defined in the entity's targeted risk analysis conducted for this requirement. (9.5.1.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • A change- and tamper-detection mechanism is deployed as follows: (11.6.1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A change- and tamper-detection mechanism is deployed as follows: (11.6.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (9.5.1.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A change- and tamper-detection mechanism is deployed as follows: (11.6.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (9.5.1.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A change- and tamper-detection mechanism is deployed as follows: (11.6.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implement a tamper protection program for the system, system component, or system service. (SR-9 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Implement a tamper protection program for the system, system component, or system service. (SR-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement a tamper protection program for the system, system component, or system service. (SR-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement a tamper protection program for the system, system component, or system service. (SR-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The encryption hardware should be protected from physical tampering and uncontrolled electronic connections. Assuming cryptography is the appropriate solution, organizations should select cryptographic protection with remote key management if the units being protected are so numerous or geographical… (§ 6.2.16.1 ICS-specific Recommendations and Guidance ¶ 8, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization implements a tamper protection program for the information system, system component, or information system service. (SA-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization implements a tamper protection program for the information system, system component, or information system service. (SA-18 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement a tamper protection program for the system, system component, or system service. (SR-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement a tamper protection program for the system, system component, or system service. (SR-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization implements a tamper protection program for the information system, system component, or information system service. (SA-18 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)