Compensating Controls - PCI Compliance

Solutionary Minds - Your Information Security Blog Source

Posted by Scott Simpson on Fri, Jun 04, 2010 @ 08:05 AM

Over the past few weeks, I have been writing about the merits, pangs and nuances of compliance. It's a deep topic, so today I am revisiting it with a look at compensating controls. This post ties the earlier pieces together and gives practitioners a workable order of operations.

The last piece of the compliance puzzle for many organizations is the development, documentation, and maintenance of compensating controls. Once an organization has completed data removal, network segmentation, and/or tokenization, there may still be PCI DSS requirements that cannot be met as written because of a business or technical constraint. In those cases a compensating control is required to address the risk that remains.

For example, consider a system or application that requires a shared login for application functionality, or that does not support password complexity requirements. In either case the risk of credential misuse or compromise is elevated, and, just as importantly, the activity is harder to attribute to an individual. To address this residual risk you must explicitly identify and document controls that meet the criteria for compensating controls defined in Appendix B of the PCI DSS Requirements and Security Assessment Procedures, and record them on the Compensating Controls Worksheet in Appendix C.

In this scenario, controls that would meet the requirements include:
1.) Increased logging of the specific actions taken by the shared account, with enough context (source host, time, object acted on) to reconstruct what was done.
2.) Increased logging on the systems and accounts that do not enforce complexity requirements.
3.) Defined thresholds for activity by the shared account and by any account that does not meet password complexity requirements, with monitoring and alerting whenever system or account usage exceeds those thresholds.
4.) More frequent password changes for those accounts, which shortens the window in which a leaked credential is useful.
5.) Restricting the shared account to non-administrative functions.
6.) Removing the shared account's ability to log on to the system interactively, so that it can be used only by the application that requires it.
Keep in mind that logging the shared account's actions does not by itself tell you which person used it. To keep the activity attributable, pair the logging with a process that records who held the credential at a given time (for example, a credential check-out log).
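To make items 1, 3, 5 and 6 concrete, here is an added example of the monitoring side of such a control; it is not code from the original post or from Solutionary. It runs threshold and policy checks over a handful of constructed audit records. The log format, the account names (svc_pos as the shared application login, legacy_report as an account on a system that cannot enforce complexity), the action names, the five-minute window and the threshold of three actions are all assumptions made for the illustration; a real deployment would take these from the application's own audit trail and from the thresholds you document on the worksheet.

```python
"""Added example: threshold and policy monitoring for accounts that cannot meet
PCI DSS authentication requirements as written. Not part of the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (assumed format, not from any real system):
#   "<ISO-8601 timestamp> user=<account> action=<verb> src=<ip>"
SAMPLE_LOG = """\
2010-06-04T08:00:01 user=svc_pos action=read_txn src=10.1.1.20
2010-06-04T08:00:30 user=svc_pos action=read_txn src=10.1.1.20
2010-06-04T08:01:10 user=svc_pos action=read_txn src=10.1.1.20
2010-06-04T08:01:45 user=svc_pos action=read_txn src=10.1.1.20
2010-06-04T08:02:00 user=svc_pos action=export_pan src=10.1.1.20
2010-06-04T08:03:00 user=legacy_report action=read_txn src=10.1.1.31
2010-06-04T08:30:00 user=svc_pos action=logon_rdp src=10.1.1.99
2010-06-04T08:31:00 user=jsmith action=read_txn src=10.1.1.42
"""

# Accounts covered by the compensating control (hypothetical names).
SHARED_ACCOUNTS = {"svc_pos"}               # shared login the application requires
NO_COMPLEXITY_ACCOUNTS = {"legacy_report"}  # system cannot enforce complexity
MONITORED = SHARED_ACCOUNTS | NO_COMPLEXITY_ACCOUNTS

# Things the shared account must never do (list items 5 and 6).
ADMIN_ACTIONS = {"add_user", "change_role", "export_pan"}
INTERACTIVE_LOGONS = {"logon_console", "logon_rdp"}

# Activity threshold (list item 3): more than THRESHOLD actions in any WINDOW.
WINDOW = timedelta(minutes=5)
THRESHOLD = 3


def parse_line(line):
    """Split one audit record into (timestamp, user, action, src)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["action"], fields["src"]


def evaluate(log_text):
    """Return a list of (alert_type, user, timestamp, detail) tuples."""
    alerts = []
    times_by_user = defaultdict(list)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, src = parse_line(line)
        if user not in MONITORED:
            continue  # individually attributable accounts are out of scope here
        times_by_user[user].append(ts)
        if user in SHARED_ACCOUNTS and action in ADMIN_ACTIONS:
            alerts.append(("admin_action_by_shared_account", user, ts.isoformat(), action))
        if user in SHARED_ACCOUNTS and action in INTERACTIVE_LOGONS:
            alerts.append(("interactive_logon_by_shared_account", user,
                           ts.isoformat(), f"{action} from {src}"))

    # Sliding-window rate check. One alert per burst, raised at the moment the
    # count in the window first crosses the threshold.
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count == THRESHOLD + 1:
                alerts.append(("rate_threshold_exceeded", user, t.isoformat(), count))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed records this raises three alerts: the shared account crossing four actions in five minutes at 08:01:45, its export_pan action (an administrative function it should not have), and its RDP logon (an interactive logon it should not be able to perform). The legacy_report account is logged but stays under the threshold, and jsmith is ignored because that account is attributable to a person and already covered by the normal requirements. Keeping the alert output, the thresholds and the account lists under change control gives the QSA something concrete to test against the worksheet.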

Take responsibility for identifying and documenting the compensating controls that you believe address each requirement you cannot meet as written, and present them to your QSA for review. Ultimately it is up to the QSA to test these controls and determine whether they sufficiently address the risk.

So, whether it's an internal or external mandate, it's important for your IT team and compliance professionals to work together to ensure you are protecting data and maintaining control of your systems. Like getting up for work every day, this is something that must be part of the daily routine. If you have any ideas or would like to share thoughts on the commentary, I would love to hear them.

NOTE:
For a compensating control to be valid, it must:
1. Meet the intent and rigor of the original PCI DSS requirement;
2. Provide a similar level of defense as the original PCI DSS requirement;
3. Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
For an example of a completed compensating control, review the Compensating Controls Worksheet in Appendix C of the PCI DSS Requirements and Security Assessment Procedures.
