Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact email@example.com.
In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.
The Windows Registry stores all of the information that is needed by the host operating system. This database contains all of the configurations, settings and options that are created initially by the operating system, as well as user-configured settings and installed software.
Fed up and frustrated with ambiguous standards, multiple frameworks, and scattered "best practices", I set out to at least glean the basics of compliance. What regulations apply to whom? What do the auditors want to see? And how, as an IT security professional, can I help reduce my pain, and my company's expenses, in successfully completing and passing an audit? I felt it appropriate, and perhaps even beneficial, to share that research and hopefully save others time by putting it down in this paper.
If there is a demarcation line for the start of the modern discipline of corporate governance, risk management and compliance (GRC) in the U.S., then perhaps the best candidate for that line is the handing down of the court's opinion in In Re Caremark International Inc. Derivative Litigation in 1996. Caremark stands for the principle that individual directors of a corporation's board may be held liable for failure to properly supervise the activities of that corporation. While the requirement for the creation of a corporate ethics program was promulgated in 1991 with the passage of the Federal Sentencing Guidelines for Organizations (FSGO), Caremark seems to have made a substantial impact on the resources dedicated to proper corporate governance. Completing this genesis period of corporate governance jurisprudence and guidelines was the legislative response to the Enron scandal and the similar scandals at WorldCom and Adelphia: the enactment of Sarbanes-Oxley ("SOX") in 2002. Finally, extra-territorial governance regulation has become commonplace. The Foreign Corrupt Practices Act of 1977 (FCPA), a statute designed to combat bribery of foreign officials by U.S. companies, has seen unprecedented use in the past 6 years (Searcey, 2009). This combination of jurisprudence, guidelines, new legislation, and revitalization of statutes subsequently precipitated a substantial volume of analysis by commentators. The result: a traditional discipline of law infused with new life, one which has evolved ever since.
Companies should carefully review and amend their agreements with third-party service providers that handle or have access to cardholder data. Having the proper legal language in place is one of the key factors in reducing liability when dealing with third parties and in limiting your company's exposure to additional risk.
With today's technology there exist many methods to subvert an information system that could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted to a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view of the system's behaviour. In most instances, the computer user has no indication that malicious software is present and therefore cannot be relied upon to determine whether their system is indeed compromised.
With the multitude of different compliance efforts an organization could be subjected to, it is not uncommon to hear confusion about what may or may not apply. Which compliance regulations does the organization fall under? What must the organization do to meet a specific compliance effort without conflicting with a separate one? How can the organization know it is meeting the required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls of each of these efforts and in the ability of technology practitioners to find commonalities that will ease redundant testing. By reviewing each of the compliance frameworks, technologists can define a set of generic controls such that, when a control is met for one objective, it also meets additional objectives in other compliance frameworks. The resulting Mother of All Control Lists (MOACL) will be a one-to-many relationship between a general control and the varying compliance controls it satisfies.
With the advent of the Internet, companies have an increased need to monitor their networks for external compromises as well as for inappropriate use on the part of their own employees. This paper looks at the risks and issues related to the electronic monitoring of employees by corporations under United States law. The intent is to provide awareness of the issues involved with employee monitoring and to suggest some best practices.
This paper addresses some of the issues faced in working towards a deadline for PCI (Payment Card Industry) compliance at a major international corporation, including the key challenges we faced and the current progress, presented as a set of specific changes to the architecture.