Standards Description Clause Samples

Standards Description. American Express MSB requirements are derived in part from the United States Government’s Trusted Computer System Evaluation Criteria (TCSEC) Controlled Access Protection (“C2”) requirements. These requirements have been modified to reflect current computer industry “Best Practices” and security considerations. This was done to ensure that American Express computing security requirements are compliant with globally accepted standards for “trusted” systems. The MSB is structured according to an eight-part model. The figure below identifies the components of the model and depicts their relationship.

*

*

CONFIDENTIAL TREATMENT REQUESTED

3.1 Applying the Minimum Security Baseline

The MSB control requirements must be applied consistently to all American Express information and technology. However, in some cases the impact of replicated controls across multiple environments may be inefficient and costly. To help reduce the redundancy, a series of technical standards have been produced. The objectives of these technical standards are to:

*

This process views information and technology as a composite. This single-view approach can be applied to stand-alone and networked environments alike and identifies security interdependencies across technologies. The result is a cost-effective and efficient implementation of one requirement across multiple technologies rather than implementation of redundant control solutions for each technology.

3.2 Minimum Security Baseline Requirements

The definition of each component of the MSB is as follows:

5. NOTE #1: Backup must not be confused with the broader subject of Business Continuity Planning (BCP). See the Standard on Business Continuity Planning. NOTE #2: Backup is separate and distinct from record retention. See the Standard on Vital Records.
6. Physical Security - See Standard on Physical Security
7. Risk Assessment - See Standard on Risk Assessment and Management
8. Data Classification - See Standard on Data Classification Management
9. Illicit Code - See Standard on Illicit Code
10. Dial-Up/Remote Control - See Standard on Dial-Up/Remote Control
11. IS User Conduct - See Standard on IS User Conduct
Standards Description. 14.1 3.1. Building Physical Access Control Standards

The building access control standards implemented must be commensurate with the type of information processing that is occurring at the physical location. Buildings containing a designated data center will necessarily employ stricter access controls than those which do not. *