Compliance & Certification
The PCI DSS Standard describes the 12 Payment Card Industry (PCI) Data Security Standard (DSS) requirements that apply to organisations that process credit card payments or hold credit card data. These PCI DSS requirements are organized into 6 logically related groups, known as “control objectives.”
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.
The Policies included in the IT Policy System have been referenced to PCI DSS where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. The protection of Controlled Unclassified Information (CUI) while residing in non-federal information systems and organisations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall–
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
The Policies included in the IT Policy System have been referenced to SOX Section 404 where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.
> GDPR – General Data Protection Regulation
> Data privacy requirements in ANZ
> PSN – Public Services Network (see below)
> Cyber Essentials (UK)
> Australian Signals Directorate cyber threat mitigations
> APRA recommendations
> HIPAA – The Health Insurance Portability and Accountability Act (NZ version)
> GLBA – The Gramm-Leach-Bliley Act
The Public Services Network (PSN) creates the effect of a single network across the public sector, delivered through multiple service providers, to create a more efficient marketplace for public sector ICT services, and thus ensure ongoing value and innovation, while reducing costs. The PSN is the enabling network layer for the Government ICT Strategy [E1].
Being PSN Compliant is defined as “A state describing ongoing adherence to the rules, conditions and obligations identified in a signed Code”. A Code is created by an organisation completing and signing the Code Template [ST11], or by signing a Deed of Undertakings in the case of a GCNSP. A Code can be one of:
> Code of Connection (CoCo): applicable to PSN Customers
> Code of Practice (CoP): applicable to PSN Service Providers
> Code of Interconnection (CoICo): applicable to those PSN Service Providers that are Direct Network Service Providers
> Deed of Undertakings (DoU): a contract applicable to GCN Service Providers
PSN Compliance Certification is awarded by the PSN Authority (PSNA), following Compliance Verification, to each individual Customer Environment, PSN Service or GCN Service that makes up the PSN.
The Policies included in the IT Policy System have been referenced to PSN where appropriate. Using these references it is possible to ascertain the extent to which the Organisation meets internal compliance objectives and satisfies the requirements of the Standard.