Include third party access in the access classification scheme.


CONTROL ID
11786
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme., CC ID: 00510

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In controlling access by third-party personnel (e.g. service providers) to secure areas, proper approval of access should be required and their activities should be closely monitored. It is also important that proper screening procedures including verification and background checks, especially for s… (3.6.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Do decision processes and supporting procedures exist to permit third party access (e.g., contract employees, customers, etc.)? (Table Row IV.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Restrict each entity’s access and privileges to its own cardholder data environment only. (A.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Restrict each entity’s access and privileges to its own cardholder data environment only. (A1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Restrict each entity’s access and privileges to its own cardholder data environment only. (A1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does each entity have read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.)? (A.1.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do all entities’ users not have write access to shared system binaries? (A.1.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do all entities’ users not have write access to shared system binaries? (A1.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Does each entity have read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.)? (A1.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are each entity’s access and privileges restricted to its own cardholder data environment as follows: (A1.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify the user ID of any application process is not a privileged user (root/admin). (A1.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that viewing of log entries is restricted to the owning entity. (A1.2.d, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that an entity’s users do not have write access to shared system binaries. (A1.2.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.) Important: An entity’s files may not be shared by gro… (A1.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources: - Disk space - Bandwidth - Memory - CPU (A1.2.e, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Prior to granting customers access to data, assets, and information systems, all identified security, contractual, and regulatory requirements for customer access shall be addressed and remediated. (AIS-02, Cloud Controls Matrix, v3.0)
  • Only allow access to authorized cloud storage or email providers. (CIS Control 13: Sub-Control 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers, CIS Controls, 7.1)
  • Only allow access to authorized cloud storage or email providers. (CIS Control 13: Sub-Control 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers, CIS Controls, V7)
  • Private contractors designated to perform criminal justice functions for a CJA shall be eligible for access to CJI. Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of criminal justice. The ag… (§ 5.1.1.5 ¶ 2 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Private contractors designated to perform criminal justice functions on behalf of a NCJA (government) shall be eligible for access to CJI. Access shall be permitted pursuant to an agreement which specifically identifies the agency's purpose and scope of providing services for the administration of c… (§ 5.1.1.5 ¶ 2 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Contractors designated to perform noncriminal justice ancillary functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice functions shall be eligible for access to CJI. Access shall be permitted when such designation is authorized pursuant to federal law or state statute appro… (§ 5.1.1.8 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Identify unique products and services and any required third-party access requirements. (App A Objective 1.4.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the ODFI allows technology service providers direct access to an ACH operator. Consider whether agreements between the ODFI and the service providers include: (App A Tier 2 Objectives and Procedures H.9, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • During a serious situation, addressing personnel and family matters often takes priority over resuming business. Planning for such matters may involve pre-identification of temporary housing, work space, and staffing. In some situations, the organization may need to use personnel from associated org… (Appendix D Subsection 3 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))