Organizations today must comply with a wide variety of rules and standards.
SMARTFENSE directly covers the mandatory requirements of the following rules and standards.
ISO/IEC 27001:2013 - Annex A / 27002
- 7.2.2 - Information security awareness, education, and training.
PCI DSS
- 9.9.3 - Train personnel to recognize signs of tampering with or replacement of devices. The training should cover the following:
  - 9.9.3.a - Review the training material (coverage).
  - 9.9.3.b - Verify that personnel have received the training and know the procedures.
- 12.6.1 - Train personnel upon hire and at least once a year.
  - 12.6.1.a - Verify that the security awareness program provides diverse methods.
  - 12.6.1.b - Verify that personnel attend the security awareness program upon hire and at least once a year.
  - 12.6.1.c - Verify that personnel have completed the awareness training and understand the importance of cardholder data security.
Communication "A" 5374 of 2012 from Banco Central de la República Argentina (BCRA)
- 6.2 - Entities must have the functions and purposes described in the reference processes and inform the Central Bank of the organizational and functional structure and interrelations that correspond to their organizations:
  - 6.2.1 - Awareness and Training: the process related to acquiring and delivering knowledge of security practices, and to their dissemination, training, and education, aimed at developing preventive, detective, and corrective tasks for security incidents in electronic channels (set out in 6.1).
- 6.3.2.2 - Within security management tasks, and regardless of the area, persons, or third parties responsible for performing and running them, entities must have functions and tasks related to the following security processes for their electronic channels:
  - 6.3.2.2.1 - Awareness and Training. In addition to what is indicated in point 6.2.1, entities must have an annual, measurable, and verifiable information security awareness and training program whose contents address all current internal and external needs for knowledge, prevention, and reporting of incidents, escalation, and responsibility regarding the electronic channels they operate.
- 6.7.1 - Table of minimum requirements for Awareness and Training (RCC).
Communication "A" 7266 of 2021 from Banco Central de la República Argentina (BCRA)
- 2.1. - Governance.
  - 2.1.1. - Culture. The entity's management is expected to support the creation of an organizational environment in which cyber-incidents are reported or escalated through a channel established for that purpose, considering:
    - 2.1.1.1. - The establishment of training programs for all levels of the entity that promote proactive behaviors, where the possibility of cyber-incidents and learning from errors are accepted.
    - 2.1.1.2. - Promoting a positive culture towards cyber-incident management, ensuring that this information is used as a source for improving the preparation stage.
    - 2.1.1.3. - Promoting continuous and sustained actions with providers and third parties in preparing response and recovery tasks against cyber-incidents, so that these can be timely and adapted to different situations.
Public Notice 007 of 2018 from Superintendencia Financiera de Colombia
- 3 - General obligations regarding cybersecurity
  - 3.1. - Establishing a policy that contains the principles, procedures, and guidelines for managing information security and cybersecurity risk in the entity. This policy must have the following characteristics:
    - 3.1.4. - Establishing the principles and guidelines to promote a cybersecurity culture that includes dissemination, training, and awareness activities, both within the entity and with the users and third parties the entity considers relevant under its cybersecurity policy. These activities must be conducted periodically and may additionally be included in the operational risk courses conducted by the entity.
  - 3.2. - Establishing a unit to manage information security and cybersecurity risks. This unit must have at least the following characteristics and responsibilities:
    - 3.2.5. - It should propose the training that the entity's officials should receive regularly on cybersecurity matters and keep them updated on new cyber threats.