Documenting compensating controls
August 21st, 2007 by admin Posted in Compensating Controls
As many of you know by now, when meeting a PCI control requirement with a compensating control, two things should happen:
- The control should be marked “In Place” with a comment added that it is being met with a compensating control, and
- The Compensating Control Worksheet should be completed. This can be found in the Appendix of the Security Audit Procedures (SAP)
In order to determine the “Objective” one must first understand the intent of the original control. What many people forget is that the assessor needs to know not only what the requirement intended, but also what it did NOT intend. Sound confusing? This is an advanced area of PCI compliance.
The intent only tells you the direction you want to go, but does not tell you the directions you want to avoid. For example, if a requirement says you should not use FTP because credentials (and the data behind them) cross the network in cleartext and can be sniffed, you can either leverage:
- VLANs plus ACLs or IP address restrictions to limit who can reach the FTP server, or tunnel it through an encrypted channel such as SSH or a VPN, or
- Truncate the card number or encrypt the payload with public/private key pairs before it is sent
Both methods mitigate the risk, but from different control vectors: the first limits who is in a position to capture the traffic, the second ensures that whoever does capture it gets nothing usable.
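As an added illustration (not part of the original post), the Python below models the two control vectors against the same FTP-style transfer: a source-address ACL on the network side, and PCI truncation of the PAN on the data side (encrypting the payload with a public key would achieve the same "nothing usable on the wire" result; truncation is used here because it needs no crypto library). The settlement file, the PANs in it (standard industry test numbers), and the 10.1.1.0/24 subnet are all constructed for the example.

```python
import re
import ipaddress

# Constructed sample: a cleartext settlement file as it would cross the wire via FTP.
# The PANs are well-known test numbers, not real cards; the third row is a 16-digit
# value that fails the Luhn check, so a sniffer should ignore it as noise.
SAMPLE_FILE = (
    "txn_id,pan,amount\n"
    "1001,4111111111111111,19.99\n"
    "1002,5555555555554444,250.00\n"
    "1003,1234567890123456,5.00\n"
)

# Any run of 13 to 19 digits is a PAN candidate; Luhn decides whether it is a real one.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Standard Luhn mod-10 check, used by sniffers and DLP tools to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """What a passive sniffer on the FTP path would pull out of the stream."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]


def truncate_pan(pan):
    """PCI DSS truncation: keep at most the first six and last four digits."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def truncate_file(text):
    """Data-side control: strip every valid PAN down to its truncated form before sending."""
    return PAN_CANDIDATE.sub(
        lambda m: truncate_pan(m.group()) if luhn_ok(m.group()) else m.group(), text
    )


def source_allowed(src_ip, acl):
    """Network-side control: only hosts in the listed subnets may reach the FTP server."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def transfer(src_ip, text, acl, truncate):
    """Model one transfer. Returns (delivered, PANs a sniffer on the path would see)."""
    if not source_allowed(src_ip, acl):
        return False, []
    on_the_wire = truncate_file(text) if truncate else text
    return True, find_pans(on_the_wire)


if __name__ == "__main__":
    acl = ["10.1.1.0/24"]  # assumed: the only subnet allowed to reach the FTP server
    print("no controls:      ", transfer("10.1.1.5", SAMPLE_FILE, acl, truncate=False))
    print("ACL blocks outsider:", transfer("203.0.113.9", SAMPLE_FILE, acl, truncate=False))
    print("truncated payload:", transfer("10.1.1.5", SAMPLE_FILE, acl, truncate=True))
```

The two runs that succeed show the difference in control vector: with only the ACL, an attacker who is already inside the permitted subnet still sees both PANs on the wire; with truncation, even a permitted sender exposes nothing that passes a PAN detector, which is why the worksheet must state which risk each compensating control actually addresses.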