PCI DSS and Regulatory Compliance Blog

Understanding Compensating Controls

June 21st, 2007 Posted in Compensating Controls, Encryption

Mike Rothman of Security Insight regularly links to our blog, so we figure it’s time we return the favor with an article on compensating controls. I should first point out that we have written on PCI compensating controls in several key articles: compliance through compensating controls and the category ‘compensating controls‘.

I disagree with this article’s view of compensating controls as a “loophole”. The argument is that because compensating controls are sometimes based on subjective information, the process is flawed. To say this would be the equivalent of saying there is a loophole in every compliance program. Let’s just nip this one in the bud and say that “security” is subjective.

I like that Mike went into some potential security measures that a company may try to leverage as compensating controls, but the fact of the matter is that compensating controls are (still) situational. There were several ways to take this article. It could have been written from “here are several areas that could use compensating controls” or (as this article did) “here is one requirement and several items that companies leverage as compensating controls.”

From this second perspective the subject of evaluation was encryption and alternatives to implementing it as required. With this requirement I have almost always seen multiple controls used together to compensate for the lack of encryption. The article lists several controls and singles out database security as the only one that is really good enough. I would say that any compensating control for encryption should include several of the security measures listed in the article, not just one.

Another thing the article does not discuss (probably due to space limitations) is that “encryption” is a nebulous area and applies to many different data stores: database, flat file, email, etc. So, when the article says that email encryption is a bad alternative to data encryption, one has to ask: where is the data we are trying to protect? If it is being sent via email then, yes, email encryption will actually meet the requirement without a compensating control.

I like that people are writing about examples and case studies, but the subject is a little more situation-specific than that.

Update: Any time we reference compensating controls it is important to reference the PCI Security Audit Procedures (SAP), which contains Appendix B - Compensating Controls for requirement 3.4 (encryption) and Appendix C - Compensating Controls Worksheet.

5 Responses to “Understanding Compensating Controls”

By DAG on Jun 21, 2007

    As always, care must be taken when citing compensating controls. The thing I liked about PCIv1.1 is that it made explicit the need to justify them.

BTW, the official position of ISACA (CISA) is that risk assessment is subjective. Since security is based on risk assessment, your statement follows naturally.

By DAG on Jun 21, 2007

Mike Rothman wrote, “But it’s important to know how and when vendors will use compensating controls as a way to justify the purchase of their products,…”

Anyone suggesting you buy a new solution based on compensating controls, i.e. it fails to meet a current requirement, should raise alarm bells.

By rybolov on Jun 21, 2007

    Hiyas

    That’s the best post I’ve seen you guys do. Smart, intuitive, showing that you “get it” =)

If you’re smart, when you decide to use a compensating control, you would write a justification that is something like the following:
- Description of PCI control
- Objective of the PCI control
- Description of why the control can’t be built/established/used
- Risk assessment without the control in place
- Description of compensating control
- Risk assessment of the previously identified risk with the compensating controls in place (residual risk)

    It’s partly BIA, partly RA, but along the lines of what we all would call “risk management”

By apm on Jun 21, 2007

I think the “Compensating Controls” aspect of PCI DSS is one of its main strengths. It allows the organisation approaching PCI DSS compliance to live in the real world and not the world of the Standard’s author.

Let’s face it, many standards (or even aspects of standards) are written from the “ideal world” viewpoint and not the real world. The availability of compensating controls means that if, for a GENUINE reason, you cannot meet the stated requirement in the way it requires, you can substitute a different BUT EQUALLY EFFECTIVE control to deal with the potential issue.

    However, there are many things that need to be accepted with this approach.

    A Risk Assessment of the situation MUST be completed and documented before you do anything.

    Then, as rybolov says, an assessment of the requirement from PCI DSS needs to be carried out.

    You then have your gap analysis process which gives you the target of your compensating control.

    Only then can you determine how you deal with the issue.

    Unfortunately, I suspect that Compensating Controls will be used as “get outs” to prevent the implementation of “proper” security controls. However, this is not a failing of PCI DSS, it’s a failing of the organisations trying to achieve compliance with a quick and cheap approach.

By Michael Dahn on Jun 21, 2007

    @DAG - so true, in fact we should make reference to the Appendix in the Security Audit Procedures that addresses compensating controls for encryption and the compensating controls worksheet.

    @rybolov - thanks for the positive comments. I like to think we “get it” and help others do the same.

    @apm - I totally agree with you that compensating controls is one of the strengths of PCI. In fact, I think it’s just as integral as any other part of the standard because it (along with 12.1) enables the assessed to integrate ‘risk’ into the equation of compliance validation.
