Establish, implement, and maintain procedures for provisioning shared resources.


CONTROL ID: 12181
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a virtual environment and shared resources security program., CC ID: 06551

This Control has the following implementation support Control(s):
  • Employ an open virtualization format for provisioning software for virtual machines, as necessary., CC ID: 12356


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • When using a cloud service for a specified system, it is necessary to understand the control target cloud bases (Notes) and countries or regions in which data will be stored when selecting cloud service providers and while using their services as well as to pay attention to applicable domestic and f… (C24.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A malicious or compromised user of the service should not be able to affect the service or data of another. (3. ¶ 1, Cloud Security Guidance, 1.0)
  • Separation should exist between service users to prevent one malicious or compromised user from affecting the service or data of another. (3: ¶ 1, Cloud Security Guidance, 1.0)
  • What is the process for provisioning new components? (Appendix D, Build and Maintain a Secure Network Bullet 7 Sub-bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Controls are implemented such that each customer only has permission to access its own cardholder data and CDE. (A1.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Controls are implemented such that each customer can only access resources allocated to them. (A1.1.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation to verify controls are defined such that each customer only has permission to access its own cardholder data and CDE. (A1.1.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configurations to verify that customers have privileges established to only access their own account data and CDE. (A1.1.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine customer privileges to verify each customer can only access resources allocated to them. (A1.1.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Controls are implemented such that each customer only has permission to access its own cardholder data and CDE. (A1.1.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Controls are implemented such that each customer can only access resources allocated to them. (A1.1.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Mission Partner Environments that require access to NIPRNet services are required to connect to NIPRNet via the Internet, IAPs, and DoD DMZ or via a NIPRNet Federated Gateway (NFG) IAW JFHQ-DODIN TASKORD 16-0103 Establishment of the NIPRNET Federated Gateway (NFG). NIPRNet services are applications … (Section 5.10.1.5 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The mission owner must expose the application to the MPE network and MPE users through the NFG. (Section 5.10.1.5 ¶ 1 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)