SANS InfoSec Reading Room - Compliance

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 15 papers as of May 21, 2013
PDF Project Management Approach to Yearly PCI Compliance Assessment
By: Michael Hoehl (posted on February 19, 2013)
Payment Card Industry Data Security Standard (PCI DSS) has been developed by a collaboration of the credit card companies including VISA, American Express, Mastercard, and JCB.
PDF In-house Penetration Testing for PCI DSS
By: Jeremy Koster (posted on May 11, 2012)
The Payment Card Industry Data Security Standard, introduced in 1999, is a rigorous set of prescriptive requirements aimed at securing systems that handle credit card numbers.
PDF Cloud Computing - Maze in the Haze
By: Godha Iyengar (posted on October 18, 2011)
In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.
PDF Wireless Networks and the Windows Registry - Just where has your computer been?
By: Jonathan Risto (posted on May 6, 2011)
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are both created initially by the operating system, as well as user configuring settings and installed software.
PDF A Compliance Primer for IT Professionals
By: David Swift (posted on November 29, 2010)
Fed up and frustrated with ambiguous standards, multiple frameworks, and scattered "best practices", I set out to at least glean the basics of compliance. What regulations apply to whom? What do the auditors want to see? And how, as an IT security professional, can I help reduce my pain and my company's expenses in successfully completing and passing an audit? I felt it appropriate, and perhaps even beneficial, to share that research and hopefully save others time by putting it down in this paper.
PDF Applying Information Security and Privacy Principles to Governance, Risk Management & Compliance
By: Scott M. Giordano (posted on October 25, 2010)
If there is a demarcation line for the start of the modern discipline of corporate governance, risk management and compliance (GRC) in the U.S., then perhaps the best candidate for that line is the handing down of the court’s opinion in In Re Caremark International Inc. Derivative Litigation in 1996. Caremark stands for the principle that individual directors of a corporation’s board may be held liable for failure to properly supervise the activities of that corporation. While the requirement for the creation of a corporate ethics program was promulgated in 1991 with the passage of the Federal Sentencing Guidelines for Organizations (FSGO), Caremark seems to have made a substantial impact on the resources dedicated to proper corporate governance. Completing this genesis period of corporate governance jurisprudence and guidelines was the legislative response to the Enron scandal and similar scandals at WorldCom and Adelphia, the enactment of Sarbanes-Oxley (“SOX”) in 2002. Finally, extra-territorial governance regulation has become commonplace. The Foreign Corrupt Practices Act of 1977 (FCPA), a statute designed to combat bribery of foreign officials by U.S. companies, has seen unprecedented use in the past 6 years (Searcey, 2009). This combination of jurisprudence, guidelines, new legislation, and revitalization of statutes subsequently precipitated a substantial volume of analysis by commentators. The result: a traditional discipline of law infused with new life and which has evolved ever since.
PDF Contracting for PCI DSS Compliance
By: Christian J. Moldes (posted on July 15, 2010)
Companies should carefully review and amend their agreements with third party service providers that handle or have access to cardholder data. Having the proper legal language in place is one of the key factors in reducing liability when dealing with third parties and limiting your company’s exposure to additional risk.
PDF Effective Use Case Modeling for Security Information & Event Management
By: Daniel Frye (posted on March 10, 2010)
With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
PDF Meeting Compliance Efforts with the Mother of All Control Lists (MOACL)
By: Tim Proffitt (posted on March 4, 2010)
With the multitude of different compliance efforts an organization could be subjected to, it is not uncommon to hear confusion on what may or may not apply. What compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort and not conflict with a separate one? How can the organization know it is meeting required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls of each of these efforts and the ability of technology practitioners to find commonalities that will ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that when a control is met for one objective it can meet additional objectives in other compliance frameworks. The creation of the Mother of All Control Lists (MOACL) will be a one-to-many relationship between a general control and varying compliance controls.
PDF Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data
By: nuBridges, inc (posted on September 29, 2009)
Exploring the use of tokenization as a best practice in improving PCI DSS compliance, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.
PDF PCI DSS and Incident Handling: What is required before, during and after an incident
By: Christian J. Moldes (posted on June 16, 2009)
This paper intends to be a guideline for chief security officers, compliance directors, IT auditors, and anyone responsible for PCI DSS compliance.
PDF Content Monitoring Issues – Legal and Otherwise
By: Darryl T Barnes (posted on April 23, 2009)
With the advent of the Internet, companies have an increased need to monitor their networks for external compromises as well as inappropriate use on the part of their own employees. This paper looks at the risks and issues related to the electronic monitoring of employees by corporations under United States law. The intent is to provide awareness of issues involved with employee monitoring and to suggest some best practices.
PDF There's a hole in my infrastructure? The road to PCI Compliance
By: Jonathan Chaitow (posted on July 3, 2008)
This paper addresses some of the issues faced in working towards a deadline of PCI (Payment Card Industry) Compliance at a major international corporation, including the key challenges we faced and the current progress as a set of specific changes to the architecture.
PDF Requirements For Record Keeping and Document Destruction in a Digital World
By: Craig Wright (posted on January 21, 2008)
PDF Implementing Single Sign-On — Imprivata OneSign™
By: Robert Turner (posted on August 7, 2007)