
Reading Room

Compliance

Featuring 19 Papers as of June 17, 2014


  • Securing Static Vulnerable Devices Masters
    by Chris Farrell - September 17, 2013 

    Static vulnerable devices (SVD) can be the bane of any security team regardless of the business size, budget or expertise.

  • Electronic Medical Records: Success Requires an Information Security Culture by Thomas Roberts - June 5, 2013 

    The increased use of electronic medical records (EMRs) is certainly impacting the world of healthcare.

  • Project Management Approach to Yearly PCI Compliance Assessment by Michael Hoehl - February 19, 2013 

    Payment Card Industry Data Security Standard (PCI DSS) has been developed by a collaboration of the credit card companies including VISA, American Express, Mastercard, and JCB.

  • In-house Penetration Testing for PCI DSS by Jeremy Koster - May 11, 2012 

    The Payment Card Industry Data Security Standard, introduced in 1999, is a rigorous set of prescriptive requirements aimed at securing systems that handle credit card numbers.

  • Cloud Computing - Maze in the Haze by Godha Iyengar - October 18, 2011 

    In recent days, Cloud Computing has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.

  • Wireless Networks and the Windows Registry - Just where has your computer been? Masters
    by Jonathan Risto - May 6, 2011 

    The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are created initially by the operating system, as well as user-configured settings and installed software.

  • Compliance and Security Challenges with Remote Administration Analyst Paper
    by Dave Shackleford - January 3, 2011 

    This paper focuses on remote administration of systems with regulated data falling under the Payment Card Industry Data Security Standard (PCI DSS).

  • A Compliance Primer for IT Professionals by David Swift - November 29, 2010 

    Fed up and frustrated with ambiguous standards, multiple frameworks, and scattered "best practices", I set out to at least glean the basics of compliance. What regulations apply to whom? What do the auditors want to see? And how, as an IT security professional, can I help reduce my pain and my company's expenses in successfully completing and passing an audit? I felt it appropriate, and perhaps even beneficial, to share that research and hopefully save others time by putting it down in this paper.

  • PCI 2.0: What's New? What Matters? What's Left? Analyst Paper
    by Dave Hoelzer - November 12, 2010 

    This paper discusses what's new and what still needs more attention in the PCI DSS 2.0 standard, including gaps in storage encryption, wireless networking, and physical security that carry over from version 1.2.

  • Applying Information Security and Privacy Principles to Governance, Risk Management & Compliance by Scott Giordano - October 25, 2010 

    If there is a demarcation line for the start of the modern discipline of corporate governance, risk management and compliance (GRC) in the U.S., then perhaps the best candidate for that line is the handing down of the court's opinion in In Re Caremark International Inc. Derivative Litigation in 1996. Caremark stands for the principle that individual directors of a corporation's board may be held liable for failure to properly supervise the activities of that corporation. While the requirement for the creation of a corporate ethics program was promulgated in 1991 with the passage of the Federal Sentencing Guidelines for Organizations (FSGO), Caremark seems to have made a substantial impact on the resources dedicated to proper corporate governance. Completing this genesis period of corporate governance jurisprudence and guidelines was the legislative response to the Enron scandal and similar scandals at WorldCom and Adelphia, the enactment of Sarbanes-Oxley (SOX) in 2002. Finally, extra-territorial governance regulation has become commonplace. The Foreign Corrupt Practices Act of 1977 (FCPA), a statute designed to combat bribery of foreign officials by U.S. companies, has seen unprecedented use in the past 6 years (Searcey, 2009). This combination of jurisprudence, guidelines, new legislation, and revitalization of statutes subsequently precipitated a substantial volume of analysis by commentators. The result: a traditional discipline of law infused with new life and which has evolved ever since.

  • Contracting for PCI DSS Compliance Masters
    by Christian Moldes - July 15, 2010 

    Companies should carefully review and amend their agreements with third-party service providers that handle or have access to cardholder data. Having the proper legal language in place is one of the key factors to reduce liability when dealing with third parties and limiting your company's exposure to additional risk.

  • Effective Use Case Modeling for Security Information & Event Management by Daniel Frye - March 10, 2010 

    With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system's actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

  • Meeting Compliance Efforts with the Mother of All Control Lists (MOACL) Masters
    by Tim Proffitt - March 4, 2010 

    With the multitude of different compliance efforts an organization could be subjected to, it is not uncommon to hear confusion on what may or may not apply. What compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort and not conflict with a separate one? How can the organization know it is meeting required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls of each of these efforts and the ability for technology practitioners to find commonalities that will ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that when a control is met for one objective it can meet additional objectives in other compliance frameworks. The creation of the Mother of all Control Lists (MOACL) will be a one-to-many relationship between a general control and varying compliance controls.

  • Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data by nuBridges, inc - September 29, 2009 

    Exploring the use of tokenization as a best practice in improving PCI DSS compliance, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.

  • PCI DSS and Incident Handling: What is required before, during and after an incident Masters
    by Christian J. Moldes - June 16, 2009 

    This paper intends to be a guideline for chief security officers, compliance directors, IT auditors, and anyone responsible for PCI DSS compliance.

  • Content Monitoring Issues Legal and Otherwise by Darryl T Barnes - April 23, 2009 

    With the advent of the Internet, companies have an increased need to monitor their networks for external compromises as well as inappropriate use on the part of their own employees. This paper looks at the risks and issues related to the electronic monitoring of employees by corporations under United States law. The intent is to provide awareness of issues involved with employee monitoring and to suggest some best practices.

  • There's a hole in my infrastructure? The road to PCI Compliance by Jonathan Chaitow - July 3, 2008 

    This paper addresses some of the issues faced in working towards a deadline of PCI (Payment Card Industry) Compliance at a major international corporation, including the key challenges we faced and the current progress as a set of specific changes to the architecture.

  • Requirements For Record Keeping and Document Destruction in a Digital World Masters
    by Craig Wright - January 21, 2008 

    In the day-to-day management of their organisation, company directors, accountants and management often overlook the importance of the documents used by the business. It is crucial to remember that the final accounts are not the only documents with a retention requirement. Further, as businesses move towards a "paperless office", they have to consider the evidentiary requirements.

  • Implementing Single Sign-On — Imprivata OneSign™ by Robert Turner - August 7, 2007 

    In this paper, I will focus on implementing SSO with the Imprivata OneSign Appliance. The Imprivata website boasts, "OneSign Single Sign-On quickly and effectively solves password management and user access issues. OneSign single sign-on enables ALL applications - legacy, client/server, and web - without requiring any custom scripting, changes to existing directories, or inconvenient end-user workflow changes. OneSign Single Sign-On dramatically lowers Help Desk costs associated with forgotten password resets, increases user productivity and satisfaction, strengthens password security, and supports regulatory compliance initiatives."

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.