Monthly Archives: April 2009

An alternative to PCI

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn’t have to visit too many after-hours parties or exhibitors at RSA to see that. Most of the criticism of PCI comes from people who really don’t understand it, or don't understand how to use it to their advantage. And those people fall into two categories themselves: those who are green to PCI and are overwhelmed, and those who love their soap box. Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. ...

The Art of the Compensating Control (Part 6, The Finale)

See part 1 here, part 2 here, part 3 here, part 4 here, part 5 here. Go Forth and Compensate! What a pretty mural we have painted over the last several pages! Good compensating controls are the result of a marriage between art and science. We’ve discussed what compensating controls are, what they are not, some funny examples of how to go wrong, and three solid scenarios from which we created good controls. Compensating controls are not the golden parachute of compliance initiatives. They require work to build effective ones that will pass the scrutiny of both a QSA and an Acquiring Bank (or card brand). Rarely do they yield lower cost and effort than simply meeting the original requirement. ...

The Art of the Compensating Control (Part 5)

See part 1 here, part 2 here, part 3 here, part 4 here. How to Create a Good Compensating Control We’ve spent quite a bit of time setting this section up. We talked about what Compensating Controls are, what they are not, and some of the best misguided attempts to create them. Before we discuss the examples, please remember that these examples should be used for illustrative purposes only. I have oversimplified the scenarios for brevity, and things are rarely as simple in the corporate world. Ultimately, compensating controls must be approved first by a QSA, or barring that, your Acquiring Bank. I know I don’t like it when someone slaps some random article about PCI on me during ...

Simplified DLP in a Cost Conscious World

I’ve been writing Herding Cats for over a year now, and with all this talk about DLP, I wanted to dust off my FIRST EVER Herding Cats. Have you ever wanted to see if sensitive data your company protects exists outside of designated areas? Maybe you are looking for Personally Identifiable Information (PII), intellectual property, or cardholder data that might be sitting around in flat files. I suggest turning to Grep[1], a GNU searching tool that is included on most Unix-based operating systems (and there are MS ports)! Grep can use the power of regular expressions to quickly search for patterns in files. The results obtained will help you triage data leakage that may occur through the normal course of ...

The Art of the Compensating Control (Part 4) Tax day special!

See part 1 here, part 2 here, part 3 here. The Funniest Controls that You Didn’t Design Some of my most cherished stories and experiences come from customers and vendors that had the right intentions, but never seemed to follow the basic doctrines listed above on how good compensating controls are made[1]. During my career I did some IT auditing for a bank that was owned by my employer. I know the drill of responding to auditor findings. They usually start with a meeting bringing all the key stakeholders together, a spreadsheet listing all the findings, and lots of grumbling about how picky “those damn auditors” are. Once the findings are separated out into the legitimate and ridiculous piles[2], the ...

The Art of the Compensating Control (Part 3)

See part 1 here, part 2 here. What a Compensating Control Is Not Compensating controls are not a shortcut to compliance. In reality, most compensating controls are actually harder to do and cost more money in the long run than actually fixing or addressing the original issue or vulnerability. Imagine walking into a meeting with a customer that has an open, flat network, with no encryption anywhere to be found (including on their wireless network, which is not segmented either)[1]. Now imagine someone in internal audit telling you not to worry because they would just get some compensating controls. Finally, imagine they tell you this in the same voice and tone as if they were going down to the ...
