Best IT Documents.com Blog


PCI, SOX, GLBA and Security Resources

Posted in Application (380),Compliances (1300),Data Center - SOC - NOC,Security (1500) by Guest on the December 3rd, 2018

IT Security / Technology Risk / Control Frameworks

SCF: Simplified Control Framework

http://www.controlframework.com/

COBIT 5

http://www.isaca.org/COBIT/Pages/default.aspx

COSO:

http://www.coso.org/

Risk and Control Frameworks:

http://www.solutionary.com/index/compliance/security-frameworks.php

Assessment Areas – PCI, SOX, NIST

  • Expert background in technical controls assessment, compliance, risk, and security control requirements.
  • SOX: SSAE 16 SOC 1 / ISAE 3402 (controls relevant to financial reporting), plus SOC 2 and SOC 3 (Type 2) reports against the Trust Services principles (Security, Availability, Processing Integrity, Confidentiality, Privacy), each organized into Policies, Communications, Procedures and Monitoring criteria; detailed (SOC 2) vs. high-level (SOC 3) reporting.
  • PCI DSS / PA-DSS: CDE scoping, access control, third-party vendors, network segmentation, ROC/AOC preparation and submission, management recommendations and roadmap to compliance. QSA / PA-QSA and ASV background.

Preparatory Research

  • Mapping Application Security to Controls: SDLC Assessments (very good)

https://www.isaca.org/Education/Online-Learning/Documents/Security-Innovation-11Jan12.pdf

  • A Compliance Primer for IT Professionals (great overview; a little dated, but a very good survey across control sets)

http://www.sans.org/reading_room/whitepapers/compliance/compliance-primer-professionals_33538

  • Aligning Application Security and Compliance (PDF)

http://www.corporatecomplianceinsights.com/wp-content/uploads/gravity_forms/14-f3c6012ed7b64af70e209c6db8553b08/2012/02/Aligning+Application+Security+and+Compliance1.pdf

  • SANS – MOACL – Mother of All Control Lists (dated information, but good)

http://www.sans.org/reading_room/whitepapers/compliance/meeting-compliance-efforts-mother-control-lists-moacl_33299

Technology Risk / IT Controls Integration Terminology

Technology Risk

Risk program terms: likelihood, impact, SDLC project mapping, system characterization, controls benchmark, gap analysis, risk remediation and prioritization, Corrective Action Plan (CAP), IT risk / IT controls remediation roadmap, risk register, risk framework, risk scorecard, KRIs (key risk indicators), loss events.

Risk assessment steps (the NIST SP 800-30 sequence): system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, results documentation.

IT Controls

Security, documentation, changes to documentation, implementation, life expectancy of a version and of a version upgrade, hierarchy of access (who can inquire versus who can make changes), approvals, sign-offs, maintenance, back-ups, disaster planning and back-up, change management, incident management, etc.

PCI Terminology

PCI DSS 3.0; validation either by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC), or by a Self-Assessment Questionnaire (SAQ), optionally supported by an Internal Security Assessor (ISA); merchant Levels 1-4 are set by annual card transaction volume; Attestation of Compliance (AOC); Approved Scanning Vendor (ASV) quarterly external vulnerability scans; 12 Requirements grouped under 6 Control Objectives.

IT Governance / Regulations – HIPAA, PCI, SOX, NIST

HIPAA Omnibus Final Rule summary (AMA):

http://www.ama-assn.org/resources/doc/washington/HIPAA-omnibus-final-rule-summary.pdf

PCI / DSS

PCI DSS v3.0: changes from 2.0 to 3.0, glossary of terms, ROC reporting instructions, Prioritized Approach tool, FAQs, SAQs

PCI DSS 3.1 document library: https://www.pcisecuritystandards.org/security_standards/documents.php

PCI/DSS 2.0:  https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

(compensating controls: Appendix B, p. 64 onward)

PCI DSS Risk Assessment Guidelines: https://www.pcisecuritystandards.org/documents/PCI_DSS_v2_Risk_Assmt_Guidelines.pdf

PCI DSS – QSA – ROC: PCI Data Security Standard validation requirements

PCI DSS (SAQ / Attestation guide, merchant compliance levels): http://www.elementps.com/merchants/pci-dss/compliance-level/

PCI DSS: https://www.pcisecuritystandards.org/security_standards

(Risk assessment methodologies referenced by the guidelines: ISO 27005, the NIST SP 800 series, notably SP 800-30, and OCTAVE)

HIPAA and PCI compliance ARE NOT INTERCHANGEABLE (Data Center Knowledge)

SOX:

http://www.sox-online.com/act_section_404.html

SOX: SANS overview: An Overview of Sarbanes-Oxley for the Information Security Professional

SSAE 16 / ISAE 3402 / SOC 1-3: Service Organization Controls reports: https://www.ssae-16.com/

AICPA – SOC – Service Organization Controls:

SOC 1 / SOC 2 / SOC 3 (Type 2): http://www.ssae16.org/white-papers/ssae-16-soc-1-2-3.html

Understanding SaaS compliance – SSAE 16 / SOC 1 / SOC 2: https://en.wikipedia.org/wiki/Service_Organization_Controls

Terminology: Trust Services principles (Security, Availability, Processing Integrity, Confidentiality, Privacy), each with criteria grouped as Policies, Communications, Procedures and Monitoring; detailed (SOC 2) vs. high-level (SOC 3) reporting.

GLBA (Gramm-Leach-Bliley Act):

http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act

ISO:

ISO/IEC 27001 / 27002:

http://www.27000.org/iso-27001.htm

http://www.27000.org/iso-27002.htm

ISO/IEC 27005 (information security risk management):

http://www.27000.org/iso-27005.htm

NIST:

NIST SP 800 Series

NIST SP 800-53 (the linked PDF is Rev. 3 with errata; Rev. 4, April 2013, supersedes it):

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

NIST Risk Management Framework (RMF), SP 800-37:

NIST SP 800-64 Rev. 2, Security Considerations in the System Development Life Cycle: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

NIST SP 800-30 (the linked PDF is the original 2002 Risk Management Guide; Rev. 1, September 2012, supersedes it as the Guide for Conducting Risk Assessments): http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

IT controls checklists: http://www.checklist20.com/

Technology Risk

5 Biggest IT Risks Explained (very good): http://www.youtube.com/watch?v=5UXhJyTunhM

(hacking / social engineering, fraud, disasters, change / disruption, ROI)

Risk Register in 4 Steps (very good): http://www.youtube.com/watch?v=mNQzRdWy9Ow

(risk frameworks, categories, strategic objectives / strategy map, balanced scorecards, weightings, likelihood, impacts, risk score)
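The register-building steps listed above (categories, weightings, likelihood, impact, risk score, then a prioritized remediation roadmap) are easier to see in code. The following is an added example written for this page, not code from the original post or from any of the linked videos or tools. The five-level scale, the risk matrix (modeled on the likelihood-by-impact table in NIST SP 800-30 Rev. 1, Appendix I), the category weights, the CAP windows and the sample risks are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a minimal IT risk register
with NIST SP 800-30-style qualitative risk determination, weighted scoring
and a prioritized remediation roadmap.

Everything below the imports is an assumption made for illustration: the
scale, the matrix, the category weights, the CAP windows and the sample risks.
"""
from dataclasses import dataclass

# Five-level qualitative scale used for both likelihood and impact.
LEVELS = ("very low", "low", "moderate", "high", "very high")

# Assumed risk matrix, modeled on the likelihood x impact table in
# NIST SP 800-30 Rev. 1 (Appendix I). Rows: likelihood; columns: impact
# in the same order as LEVELS.
RISK_MATRIX = {
    "very high": ("very low", "low", "moderate", "high", "very high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "very low":  ("very low", "very low", "very low", "low", "low"),
}

# Assumed scorecard weights per risk category (the five categories named in
# the "5 Biggest IT Risks" item above); used only to rank the register.
CATEGORY_WEIGHTS = {"security": 1.0, "fraud": 0.9, "disaster": 0.8,
                    "change": 0.7, "roi": 0.5}

# Assumed remediation window per risk level for the Corrective Action Plan.
CAP_WINDOW_DAYS = {"very high": 30, "high": 30, "moderate": 90,
                   "low": 180, "very low": 365}


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    category: str
    likelihood: str
    impact: str
    owner: str = "unassigned"


def level_value(level: str) -> int:
    """Map a qualitative level to 1..5; reject anything off the scale."""
    key = level.strip().lower()
    if key not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(key) + 1


def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative risk determination: look the (likelihood, impact) pair up."""
    row = RISK_MATRIX[LEVELS[level_value(likelihood) - 1]]
    return row[level_value(impact) - 1]


def risk_score(risk: Risk) -> float:
    """Numeric score used for ranking: likelihood x impact x category weight."""
    if risk.category not in CATEGORY_WEIGHTS:
        raise ValueError(f"unknown category {risk.category!r}")
    return (level_value(risk.likelihood) * level_value(risk.impact)
            * CATEGORY_WEIGHTS[risk.category])


def build_register(risks):
    """Return register rows sorted by score (highest first), with the
    qualitative level and the CAP window filled in for each risk."""
    rows = []
    for r in risks:
        level = risk_level(r.likelihood, r.impact)
        rows.append({
            "id": r.rid, "category": r.category, "owner": r.owner,
            "likelihood": r.likelihood, "impact": r.impact,
            "level": level, "score": round(risk_score(r), 2),
            "cap_days": CAP_WINDOW_DAYS[level],
            "description": r.description,
        })
    # sorted() is stable: ties keep input order, so the roadmap is reproducible.
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def prioritize(risks):
    """Remediation roadmap: risk IDs in the order they should be worked."""
    return [row["id"] for row in build_register(risks)]


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_RISKS = [
    Risk("R1", "Phishing leads to privileged credential theft",
         "security", "high", "very high", "CISO"),
    Risk("R2", "Card-not-present fraud through the payment gateway",
         "fraud", "moderate", "high", "Finance"),
    Risk("R3", "Primary data center outage with a stale DR replica",
         "disaster", "low", "very high", "Infrastructure"),
    Risk("R4", "Untested change pushed to production breaks a core service",
         "change", "high", "moderate", "Change Manager"),
    Risk("R5", "Platform migration overruns its budget",
         "roi", "moderate", "low", "PMO"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['id']} {row['level']:<9} score={row['score']:>5} "
              f"CAP={row['cap_days']}d  {row['description']}")
```

Two design points worth noting: the qualitative level comes only from the matrix (so it can be defended against the standard in an audit), while the category weight affects only the ranking, and the sort is stable so two risks with equal scores always come out in the same order in the roadmap.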

Why Most Risk Assessments Are Wrong (TR): http://www.youtube.com/watch?v=PA9rqNBZWIw&feature=endscreen&NR=1

Risk Assessment (TR): http://www.youtube.com/watch?v=eD2mQ6ooYO4

Archer: Risk Management: http://www.youtube.com/watch?v=6KaapSEkOlQ

IT Risk Management 2.0: http://www.youtube.com/watch?v=VkmIOJYA3hM

Strategic Risk Management Dashboards: http://www.otusanalytics.com/wp/?p=422

Risk, Event Management and the Importance of Excellence (great): http://www.youtube.com/watch?v=t8Mr23rLps0

Technology Risk Radar: http://www.kpmg.co.uk/email/11Nov13/OM006033A/index.html#46

Archer: eGRC:  http://www.youtube.com/watch?v=SMkj8twTM6c

Archer Smart Suite Framework: http://www.infosecurityproductsguide.com/technology/2007/Archer_Compliance.html

Technology Risk Assessments

Risk Assessments (ISACA CPE meeting, May 2011): https://www.smart-ra.com/News/Uploads/100511122641_ISACA_CPE%20Meet_May%202011_1.pdf

Risk Assessment Report Template – example: Risk Assessment Report Template (CDC – OCIO)

Information Risk Assessments: Understanding the process:

OCTAVE method – introduction: http://www.cert.org/octave/methodintro.html

IT Information Security Risk Assessments Tools / Templates / Audit Guides:

Risk Assessment Toolkit: California Office of Information Security (cio.ca.gov) (good info): http://www.cio.ca.gov/OIS/government/risk/toolkit.asp

Agile Risk Management in 5 Simple Steps: http://michaellant.com/2010/06/04/five-simple-steps-to-agile-risk-management

Risk Burndown Chart (managing risk on agile projects): http://www.mountaingoatsoftware.com/blog/managing-risk-on-agile-projects-with-the-risk-burndown-chart

Some of the independent hardening and configuration resources available include:

  • Center for Internet Security (CIS) Benchmarks: http://benchmarks.cisecurity.org/
  • National Institute of Standards and Technology (NIST), SP 800-123 Guide to General Server Security: http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  • National Security Agency (NSA) security configuration guides: https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
