Common System Security Deficiencies



  • Just throwing this out there, but I was hoping that someone could help point me in the direction of a resource that states common deficiencies that may compromise SOX and PCI compliancy.
    We have implemented a set of standards that we believe will aid us in obtaining our compliancy, but just to double check I am trying to compile a list of possible deficiencies to see whether or not we have touched on all topics that fall within the scope of PCI and SOX compliancy.
    Thanks for any help you can lend in this regard,
    JL



  • I’ve updated this link with a more comprehensive list of PCI/DSS requirements. I’d read earlier that this standard may change a little more this month, but haven’t been following it closely.
    PCI/DSS Resources
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=2176
    As some general comments:
    – Yes, various security compliancy standards (SAS-70, HIPAA, PCI/DSS) will have logical intersections with SOX, but they also have many unique protective principles as well that don’t intersect.
    – I’ve found that it’s helpful to get the 30,000-foot view and look at requirements in a high-level fashion. Where possible it’s good to meet both requirements with a single efficient approach. It’s better to look for logical fits at a high level first in designing compliancy procedures.
    – However in mapping unions and differences between standards, one should not try to make everything fit where it isn’t logical. For example, as SOX requires all financial related information to be retained for 7 years, it may not be a good fit to require non-financial information to likewise be retained for 7 years.
    There are common points of failure in accommodating multiple standards as well:
    – Management not taking requirements seriously enough in terms of staffing, software, and requirements.
    – Lack of training and expertise by the compliancy team members.
    – Trying to make multiple standards fit into one neat efficient package (looking for too many areas of intersection), rather than focusing on the unique requirements to meet each standard.



  • Hi,
    The IT Compliance Institute published a relevant resource in June 2008, entitled “Payment Card Industry (PCI): Practical guidance on how to prepare for successful audits.”
    This document is part of their IT Audit Checklist Series and is a 109-page resource that provides a good perspective in connection with the PCI compliance effort and meeting the auditor requirements.
    On pages 14-22, the document contains a PCI Audit Checklist that is organized by ‘theme’ and describes specific risk areas for PCI compliance. This section provides a good resource for understanding some of the common deficiencies found during the PCI compliance effort.
    The resource document can be obtained from www DOT ITCinstitute.com. Since it is sponsored by a company, Configuresoft, it is probably free by simply completing a short questionnaire with contact information on the ITCinstitute.com website.
    I have found other good free resources for auditors that are posted on their website and they seem to be a well regarded entity.
    Hope this helps,
    Milan



  • Hi JL - I just discovered this free 2-hour computer based training resource which covers PCI/DSS v1.1 in depth from a developer’s standpoint. So far, it looks very good and I plan to more fully evaluate it later. After downloading you should move it to a folder, unzip, and ensure Flash is enabled on your default browser, e.g., I usually have it turned off myself in IE8 but can easily toggle it back on 🙂

    This free PCI/DSS training course was downloaded and installed. So far in a brief review, it offers great advice for developers in creating more compliant e-commerce applications.
    Free Computer Based Training class - PCI DSS for Developers (38MB download) https://www.foundstone.com/us/resources/downloads/pci_compliance_developers.zip
    Foundstone Professional Services, a Division of McAfee, has recently released a free 2-hour computer based training entitled ‘PCI DSS v1.1 Compliance for Developers.’ This hype-free CBT focuses on the PCI DSS requirements and sub-requirements that are most relevant to software developers and offers developer-to-developer technical advice to help achieve compliance. Software security best practices are also stressed throughout the presentation. This is not an advertisement for McAfee products or Foundstone services, just solid information that will help your development teams create more secure software.

