Security Basics mailing list archives

Compliance-related questions and Governance


From: Craig Wright <Craig.Wright () bdo com au>
Date: Fri, 8 Feb 2008 13:35:33 +1100

There is a need for a resource that can be used to list/summarise all of the MANY separate IT Governance and IT 
regulatory requirements. Andrew has pointed out a site that starts to list these (but is expensive and misses many 
requirements).

What is needed is a simple web driven site where a selection of systems and needs may be matched. I would think that 
selecting a list of descriptors (such as the server is in an Internet connected DMZ, The system is a web server, the 
system processes payment card information, ...)

I have all of the data in one form or another from research I have completed in academic study and book writing. I am 
happy to lead this effort. What I think is needed is more than I alone can do.

So consider this a call for interested parties. The idea is to make this an open source effort.

I would like to start a consensus compliance effort. Something like the centre for Internet security (CIS) and OWASP 
does for their areas, but with the controls that are required. Somewhere that people can go and find answers to what 
types of controls they need to implement.

So who is up to starting an interactive controls checklist project?

The idea is that you will be able to enter details system by system or for a site. Answer a set of questions and get a 
list of requirements and controls that are needed. So as an example I could go through something like:

- DMZ Web Server
- Located in the US
- Processes credit card information - 20,000 transactions per month
- Non-listed private company
- Banking and Finance industry
- GLBA requirements
- BASEL II requirements
- Dealings with the EU

And the result will be a set of necessary controls and links to how to achieve these (eg CIS and OWASP frameworks etc):
- Security Policy ... (eg SANS Policy project) and details of this and the processes that are necessary
- Change management needs...
- Protocol Justification (PCI-DSS 1.1.6)
- Firewall (Pci...)
- System Standards (eg see CIS IIS baselines) aim for a min. score of 85% on test xxx
- Etc.

So this is a preliminary call for interest to see what type of support I can get in the industry for this. As stated, 
this would be a GPL'd effort and one designed as a resource that will aid both vendors and end users and make all of 
our lives easier.

Please let me know if you are interested and let us see if we can start to align security and compliance and thus make 
the effort worthwhile.

Regards,
Dr Craig Wright (GSE-Compliance)


-------------------------------------------------
From: Andrew Hay [mailto:andrew.hay () koteas com]
Sent: Wednesday, 6 February 2008 10:31 PM
To: Craig Wright
Cc: sans-community () lists sans org
Subject: Re: [sans-community] Great resource for compliance-related questions from students

Thanks for the eye-opener Craig.

Do you know of a similar resource that has accurate information that I could use as an alternative? Please let me know.
--------------------------------------------------
On 2/6/08, Craig Wright <Craig.Wright () bdo com au> wrote:

Except it is not accurate.

It has missed many things and has listed similar controls as both necessary and not being needed. Looking at PCI-DSS 
alone, I will go through a number of controls that are not listed as necessary for PCI.

Log successful and unsuccessful logons and logoffs [UCF ID: 01915]
-  This is covered in PCI-DSS v1.1 at 8.5 and 10.2.1/10.2.4 and 10.3.4 and is listed as not required on the matrix

Log successful and unsuccessful accesses to security-relevant objects and directories [UCF ID: 01916]
-  This is covered in PCI-DSS v1.1 at 10.2 and 10.3 and is listed as not required on the matrix. The page - 
http://www.unifiedcompliance.com/matrices/live/01915.html mentions nothing re the PCI requirements. This is a little 
misleading.

Log changes in user authenticators [UCF ID: 01917]
-  This is covered in PCI-DSS v1.1 at 10.2.2 and is listed as not required on the matrix. Again nothing on the page for 
PCI.

Log denial of access resulting from an excessive number of unsuccessful logon attempts [UCF ID: 01919]
-  This is covered in PCI-DSS v1.1 at section 10 and is listed as not required on the matrix. PCI requires that all 
events of the type are monitored. 10.3.4 will cover this. Nothing on the page again stating that this is a control for 
PCI.

Protect the audit logs from failure [UCF ID: 01426]
-  This is covered in PCI-DSS v1.1 at section 10 and is listed as not required on the matrix

In fact, there are also huge gaps in the SOX requirements of the matrix. COPA is blank on the monitoring matrix, which 
is wrong.

For $10k for a corporate license I would expect a little more accuracy. The Monitoring and Measurement sheet alone has over 
350 errors or omissions. When it comes to Australia, the spreadsheets state that there are no compliance requirements. 
This may be a common belief, but it is not one based on the law.

Most of what they have noted is correct, but the omissions are deadly.

Regards,
Dr Craig Wright (GSE-Compliance)
