Security Basics mailing list archives
Compliance-related questions and Governance
From: Craig Wright <Craig.Wright () bdo com au>
Date: Fri, 8 Feb 2008 13:35:33 +1100
There is a need for a resource that can be used to list/summarise all of the MANY separate IT Governance and IT regulatory requirements. Andrew has pointed out a site that starts to list these (but is expensive and misses many requirements). What is needed is a simple web driven site where a selection of systems and needs may be matched. I would think that selecting a list of descriptors (such as the server is in an Internet connected DMZ, the system is a web server, the system processes payment card information, ...)

I have all of the data in one form or another from research I have completed in academic study and book writing. I am happy to lead this effort. What I think is needed is more than I alone can do. So consider this a call for interested parties. The idea is to make this an open source effort.

I would like to start a consensus compliance effort. Something like the Centre for Internet Security (CIS) and OWASP do for their areas, but with the controls that are required. Somewhere that people can go and find answers to what types of controls they need to implement.

So who is up to starting an interactive controls checklist project? The idea is that you will be able to enter details system by system or for a site. Answer a set of questions and get a list of requirements and controls that are needed.

So as an example I could go through something like:

- DMZ Web Server
- Located in the US
- Processes credit card information
- 20,000 transactions per month
- Non-listed private company
- Banking and Finance industry
- GLBA requirements
- BASEL II requirements
- Dealings with the EU

And the result will be a set of necessary controls and links to how to achieve these (eg CIS and OWASP frameworks etc):

- Security Policy ... (eg SANS Policy project) and details of this and the processes that are necessary
- Change management needs...
- Protocol Justification (PCI-DSS 1.1.6)
- Firewall (Pci...)
- System Standards (eg see CIS IIS baselines) aim for a min. score of 85% on test xxx
- Etc.

So this is a preliminary call for interest to see what type of support I can get in the industry for this. As stated, this would be a GPL'd effort and one designed as a resource that will aid both vendors and end users and make all of our lives easier.

Please let me know if you are interested and let us see if we can start to align security and compliance and thus make the effort worthwhile.

Regards,
Dr Craig Wright (GSE-Compliance)

-------------------------------------------------
From: Andrew Hay [mailto:andrew.hay () koteas com]
Sent: Wednesday, 6 February 2008 10:31 PM
To: Craig Wright
Cc: sans-community () lists sans org
Subject: Re: [sans-community] Great resource for compliance-related questions from students

Thanks for the eye-opener Craig. Do you know of a similar resource that has accurate information that I could use as an alternative? Please let me know.

--------------------------------------------------
On 2/6/08, Craig Wright <Craig.Wright () bdo com au> wrote:

Except it is not accurate. It has missed many things and has listed similar controls as both necessary and not being needed.

Looking at PCI-DSS alone, I will go through a number of controls that are not listed as necessary for PCI.

Log successful and unsuccessful logons and logoffs [UCF ID: 01915] - This is covered in PCI-DSS v1.1 at 8.5 and 10.2.1/10.2.4 and 10.3.4 and is listed as not required on the matrix.

Log successful and unsuccessful accesses to security-relevant objects and directories [UCF ID: 01916] - This is covered in PCI-DSS v1.1 at 10.2 and 10.3 and is listed as not required on the matrix. The page - http://www.unifiedcompliance.com/matrices/live/01915.html - mentions nothing re the PCI requirements. This is a little misleading.

Log changes in user authenticators [UCF ID: 01917] - This is covered in PCI-DSS v1.1 at 10.2.2 and is listed as not required on the matrix. Again nothing on the page for PCI.

Log denial of access resulting from an excessive number of unsuccessful logon attempts [UCF ID: 01919] - This is covered in PCI-DSS v1.1 at section 10 and is listed as not required on the matrix. PCI requires that all events of the type are monitored. 10.3.4 will cover this. Nothing on the page again stating that this is a control for PCI.

Protect the audit logs from failure [UCF ID: 01426] - This is covered in PCI-DSS v1.1 at section 10 and is listed as not required on the matrix.

In fact, there are also huge gaps in the SOX requirements of the matrix. COPA is blank on the monitoring matrix, which is wrong.

For $10k a corporate license I would expect a little more accuracy. The Monitoring and Measurement sheet alone has over 350 errors or omissions.

When it comes to Australia, the spreadsheets state that there are no compliance requirements. This may be a common belief, but it is not one based on the law.

Most of what they have noted is correct, but the omissions are deadly.

Regards,
Dr Craig Wright (GSE-Compliance)