9. Audit
The product’s environment should be audited regularly to ensure that the appropriate set
of procedures, satisfying the requirements laid down in this document and any customer
Security Procedures, is in place and is being used. A mechanism should be in place to
enable corrective action to be taken if any procedure is not being observed or is failing.
The Auditor should be independent of the Administrator of the product.
9.1. HSM and card reader location
Customer Security Procedures should state that a record is kept of the location of each
HSM and card reader referenced by unique identifiers. This may include its model, serial
and any local asset id numbers. This record should be updated if the HSM or card reader
is moved.
•
Customer Security Procedures should state the frequency for verifying the recorded
location of each HSM and card reader.
9.1.1. Physical inspection
Whilst checking the HSM and card reader location, inspections should also be carried to
ensure the integrity of the HSM and card reader including any tamper mechanisms as
described in Tamper inspection.
•
Customer Security Procedures should state the frequency for verifying the integrity
of the HSM and card reader including any tamper mechanisms.
9.2. ACS and OCS
Customer Security Procedures should state that a record is kept of either the location
(e.g. in a safe) of each card in an ACS and OCS or the owner depending on the policy
stated in the customer’s security policy. This record should be updated if a card is moved
or transferred.
•
Customer Security Procedures should state the frequency for verifying the recorded
location or owner each card in an ACS and OCS.
Guidance on how to respond to a missing ACS and OCS cards can be found in Security
Incident and Response.
9.3. Logs
Logging and debugging identifies the types of log available across the different nShield
nShield® Security Manual 64 of 90
To Next Page
Loading...
