Compliance through compensating controls
February 28th, 2007 by datasecurity Posted in Compensating Controls, Compliance
I agree with Michael that security is not seasonal but feel a little education is needed for the other Mike when it comes to his views on compensating controls. I used to be in the criticize-and-critique camp, but that was before I spent so much time with PCI that I taught it to others. (Am I sounding like a religious convert?)
Mike argues the following:
For a little while, the way PCI was structured was actually pretty good and made it relatively clear where the line would be drawn relative to network and data protection. But then they introduced this concept of “compensating controls” back in November. That really screwed things up. Why? Because basically it gives every vendor a way to spin how their stuff offers an alternative to the right answer of actually protecting the data.
It sure sounds like it, doesn’t it? I mean, if any merchant can get out of a requirement just by invoking the ghost of “compensating controls,” then where are we left in terms of security?
This logic has several problems.
- First, let’s define compensating controls. These are controls that are “above and beyond the current control” and “meet the intent and rigor of the original requirement.” Two criteria that are not so easy to meet.
- Second, the company’s auditor (the QSA) must sign off on all compensating controls. This means that the auditor is putting their company on the line for the work they do. Do you remember the CSSI data compromise? Did you notice that one assessor was no longer on the approved list after that event? Coincidence?
- Third, compliance is just a point in time (as many people have agreed). The state of being in compliance for one audit means very little compared with the loss that can occur if you are out of compliance while the attackers are siphoning credit card data from your network. The trade-off is not worth it.
- Finally, the requirements could not be written in such a way that they are both specific (a very good thing) and apply to companies of all sizes. The concept of compensating controls is necessary to enable companies to map their compliance program back to their security program!
PCI was not meant to create more paperwork and documentation (that is called SOX… the real test of this is how many “SOX Auditor” rooms have you seen in a company? Ok, now how many “PCI Auditor” rooms have you seen?)
The reason for having concepts such as “compensating controls” is so that companies who are securing their networks properly can leverage those controls instead of implementing others just in the name of security. Could this concept be abused? Certainly, any concept can. Even compliance requirements can be abused. But try to look at the good instead of the bad.
An example of compensating controls would be a mid-range AS/400 system that stores credit card data. If that system wanted to be in compliance it would have to encrypt the data on the disk. The AS/400 administrator would argue that they have RACF installed, secured, and are properly implementing their security program. In addition, they monitor and log every action of every user. They may also have an IPS blocking rogue attacks against the system. Do they really need to encrypt the data? Or do these controls compensate for the lack thereof? I would say that compensating controls are not only a good thing but a necessary aspect of any compliance program.
Remember COBIT? That takes a risk-based approach to compliance, and so should PCI. Thus the compensating controls.