Back

Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.


CONTROL ID
12520
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain Responding to Failures in Security Controls procedures., CC ID: 12514

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The TRM function should formulate a formal technology risk acknowledgement and acceptance process for reviewing, evaluating and approving any major incidents of non-compliance with IT control policies. Typical reasons for such non-compliance are technology limitations (e.g. certain proprietary opera… (2.3.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) … (10.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implementing controls to prevent cause of failure from reoccurring (A3.3.1.1 Bullet 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause (A3.3.1.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - Identifying and documen… (10.8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are processes for responding to critical security control failures defined and implemented, and include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - Identifying and documenting cause(s) of failure, including root ca… (10.8.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are failures in critical security controls documented, including: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause? (10.8.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine records to verify that security control failures are documented to include: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause (10.8.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure, and include: - Restoring security functions - Identifying and documenting the duration (date and time start to end) of the security failure - I… (10.8.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Identifying and documenting the cause(s) of failure, including root cause, and documenting remediation required to address the root cause. (A3.3.1.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Implementing controls to prevent the cause of failure from reoccurring. (A3.3.1.2 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • IDS/IPS. (10.7.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Network security controls. (10.7.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • FIM. (10.7.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Anti-malware solutions. (10.7.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Physical access controls. (10.7.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logical access controls. (10.7.1 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Audit logging mechanisms. (10.7.1 Bullet 7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Segmentation controls (if used). (10.7.1 Bullet 8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Network security controls. (10.7.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • IDS/IPS. (10.7.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Change-detection mechanisms. (10.7.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Anti-malware solutions. (10.7.2 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Physical access controls. (10.7.2 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logical access controls. (10.7.2 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Audit logging mechanisms. (10.7.2 Bullet 7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Segmentation controls (if used). (10.7.2 Bullet 8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Audit log review mechanisms. (10.7.2 Bullet 9, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Automated security testing tools (if used). (10.7.2 Bullet 10, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying and documenting the cause(s) of failure and documenting required remediation. (10.7.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Implementing controls to prevent the cause of failure from reoccurring. (10.7.3 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Audit logging mechanisms (A3.3.1 Bullet 7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logical access controls (A3.3.1 Bullet 6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Automated audit log review mechanisms. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (A3.3.1 Bullet 9, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Network security controls (A3.3.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • IDS/IPS (A3.3.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • FIM (A3.3.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Segmentation controls (if used) (A3.3.1 Bullet 8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Automated code review tools (if used). This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (A3.3.1 Bullet 10, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Physical access controls (A3.3.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Anti-malware solutions (A3.3.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Details of the remediation required to address the root cause. (A3.3.1.2.b Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Details of the remediation required to address the root cause. (10.7.3.b Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Network security controls. (10.7.2 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • IDS/IPS. (10.7.2 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit log review mechanisms. (10.7.2 Bullet 9, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware solutions. (10.7.2 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Physical access controls. (10.7.2 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logical access controls. (10.7.2 Bullet 6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logging mechanisms. (10.7.2 Bullet 7, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Change-detection mechanisms. (10.7.2 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Segmentation controls (if used). (10.7.2 Bullet 8, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Automated security testing tools (if used). (10.7.2 Bullet 10, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying and documenting the cause(s) of failure and documenting required remediation. (10.7.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implementing controls to prevent the cause of failure from reoccurring. (10.7.3 Bullet 6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • IDS/IPS. (10.7.2 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network security controls. (10.7.2 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Physical access controls. (10.7.2 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logical access controls. (10.7.2 Bullet 6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logging mechanisms. (10.7 2 Bullet 7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Segmentation controls (if used). (10.7.2 Bullet 8, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware solutions. (10.7 2 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Change-detection mechanisms. (10.7.2 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Automated security testing tools (if used). (10.7 2 Bullet 10, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying and documenting the cause(s) of failure and documenting required remediation. (10.7.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implementing controls to prevent the cause of failure from reoccurring. (10.7.3 Bullet 6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • IDS/IPS. (10.7.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware solutions. (10.7.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Network security controls. (10.7.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • FIM. (10.7.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Physical access controls. (10.7.1 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit log review mechanisms. (10.7 2 Bullet 9, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logging mechanisms. (10.7.1 Bullet 7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Segmentation controls (if used). (10.7.1 Bullet 8, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logical access controls. (10.7.1 Bullet 6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The ability to identify and implement controls over the root causes of an incident. (App A Objective 3.2.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)