Monthly ArchivesJanuary 2011

Sin #2 – Compensating Control Chaos Compensating controls are a challenging and somewhat confusing nuance to PCI DSS. In Chapter 12 of PCI Compliance: Understand and Implement Effective PCI Compliance I delve into this perceived “Get out of jail free” card. Many companies have found this a useful guide for creating compensating controls during their PCI DSS journey1. Compensating controls are designed to allow companies to meet the controls laid out in PCI DSS in alternate ways. For example, a company that cannot put Secure SHell (SSH) on all of their routers and switches due to technical constraints may be able to do something different that would meet requirements for a compensating control as laid out in the PCI DSS ...

How to Avoid a Made Up Requirement The only way to avoid a made up requirement is to ensure that there is material in the PCI DSS that supports a recommendation before a it’s made. There are two main areas where you can find information on how to handle strange situations—PCI DSS itself as well as the FAQ that can be found on the PCI Security Standards Council’s website. The “Navigating PCI DSS” series is also useful, but supplementary and cannot be assessed against. Any guidance taken from documents other than the PCI DSS should be written up as a compensating control where appropriate. Additional documentation such as Special Interest Group (SIG) whitepapers, do not indicate changes in the standard ...

Mis-hearing the Trainer QSAs must be pass evaluation from the Council every year in addition to earning at least forty CPEs in order to maintain their QSA designation. Prior to 2010, this meant finding a QSA Requal class near you and having your primary contact book your attendance in said class1. Trainers come and go as we have seen over the years, and I sat through a session with a good number of my team lead by a new trainer a few years ago. One of the most important steps a QSA must get right is choosing the correct scope for the assessment. Getting that step wrong sets the whole assessment and the PCI experience up for failure. This topic tends ...

Those of you that attended HoustonSecCon or #BSidesDFW, you saw my presentation entitled “The Mistakes QSAs Make.” After presenting, I thought the overall message needed to get to a wider audience and not just the slides I present. I set upon this endeavor and came up with the following series entitled, the Seven Deadly Sins of a QSA. I’m going to be posting this over the next couple of months (and a single PDF in its entirety when I finish) for you guys out in the tubes. Here is a brief intro to get things going! People make mistakes—and in a people business like consulting, you can expect to see more than a few of them. This series explores seven ...