MAY, 2009
XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California 93063-2528 U.S.A.
Email: info@xypro.com
Telephone: + 1 805-583-2874
FAX: + 1 805-583-0124
XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH
The PCI Data Security Standard has been compiled by the PCI Security Standards Council. For more information,
please consult www.pcisecuritystandards.org.
Four such sets of standards are presented in this document: PCI, SOX, HIPAA and SB1386.
The Payment Card Industry Data Security Standard (PCI) Version 1.2 is a standard of security for all payment card transactions agreed upon by the members of the Payment Card Industry Council, which includes VISA, Mastercard, American Express, Discover Card and JCB. This standard is being phased in within the United States and internationally to secure retail transactions between a cardholder and the merchant accepting the transaction, between the merchant accepting the transaction and the merchant's bank, and between the bank and the payment card organization.
The Sarbanes-Oxley Act of 2002 (SOX) targets internal controls over accounting procedures and financial reporting. It also brings
pressure on the information security organization within a corporation to provide the underlying assurance needed to produce accurate
accounting and reporting. While the SOX legislation has no specific security standards, the Control Objectives For Information And
Related Technology (COBIT) have been created to provide a structure to meet SOX requirements. Even though the Sarbanes-Oxley
Act of 2002 is a law of the United States of America, it is applied to any company that has a presence in the USA, and so it must be
part of the security considerations of any corporation doing international business in the USA.
The government of the United States of America created the Health Insurance Portability and Accountability Act (HIPAA) to reduce
health care fraud and abuse, introduce and implement administrative simplification to increase the effectiveness and efficiency of the
health care system, and protect the health care information of individuals against unauthorized access.
The State of California passed the legislation SB1386 in response to several breaches of privacy in databases containing personal information. This legislation requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The spreadsheet also includes references to discussions of these topics in the two definitive HP NonStop information security
handbooks.
“Volume 1” refers to: HP NonStop Server Security: A Practical Handbook (ISBN-13: 978-1555583149) and “Volume 2” refers to:
Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL (ISBN: 978-1555583446).
XYPRO has designed this document primarily for educational purposes. Readers should note that no regulatory, legislative, or advisory body has endorsed this document. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and auditors. The IT professional should always apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.
Internal controls, automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving control objectives and can never achieve certainty. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.
| Control | Requirement | Handbook reference | PCI | SOX (COBIT) | HIPAA | SB1386 |
|---|---|---|---|---|---|---|
| 2.07 | Authenticate each user based on his unique userid | Vol 1; p94, p110 | 8.2 | Identification, Authentication, and Access | 164.312(d) | Implied |
| 2.08 | Two-factor authentication for network access | | 8.3 | | | |
| 3.00 | Authorization | | | | | |
| 3.01 | Establish a procedure for linking all access to system resources to an individual user | | 10.1 | | | |
| 3.02 | Management should implement procedures to provide authorized access to resources based on the individual's demonstrated need to view, add, change, or delete data. | Vol 1; ch 5 | 12.5.5 | Security of Online Access to Data | | |
| 3.03 | The userid structure used by the computing resource must support segregation of duties to ensure that personnel are performing only those duties stipulated for their respective jobs and positions. | Vol 1; p143 | 12.5.4 | Segregation of Duties | | |
| 4.00 | Auditing | | | | | |
| 4.01 | Implement automated audit trails to reconstruct all individual user accesses to personal data | Vol 1; pp72-79, ch 5 | 10.2.1 | Use and monitoring of system utilities | 164.312(b) | Implied |