Security Basics mailing list archives

RE: Compliance-related questions and Governance


From: "Palmer, Mark" <mpalmer () hoovers com>
Date: Fri, 8 Feb 2008 11:20:48 -0600

Have you looked at HORSE?
http://www.lazarusalliance.com/horsewiki/index.php/Main_Page

Mark Palmer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Craig Wright
Sent: Thursday, February 07, 2008 8:36 PM
To: 'security-basics () securityfocus com'
Subject: Compliance-related questions and Governance

There is a need for a resource that can be used to list/summarise all of
the MANY separate IT Governance and IT regulatory requirements. Andrew
has pointed out a site that starts to list these (but is expensive and
misses many requirements).

What is needed is a simple web driven site where a selection of systems
and needs may be matched. I would think that selecting a list of
descriptors (such as the server is in an Internet-connected DMZ, the
system is a web server, the system processes payment card information,
...)

I have all of the data in one form or another from research I have
completed in academic study and book writing. I am happy to lead this
effort. What I think is needed is more than I alone can do.

So consider this a call for interested parties. The idea is to make this
an open source effort.

I would like to start a consensus compliance effort. Something like the
Center for Internet Security (CIS) and OWASP do for their areas, but
with the controls that are required. Somewhere that people can go and
find answers to what types of controls they need to implement.

So who is up to starting an interactive controls checklist project?

The idea is that you will be able to enter details system by system or
for a site. Answer a set of questions and get a list of requirements and
controls that are needed. So as an example I could go through something
like:

- DMZ Web Server
- Located in the US
- Processes credit card information - 20,000 transactions per month
- Non-listed private company
- Banking and Finance industry
- GLBA requirements
- BASEL II requirements
- Dealings with the EU

And the result will be a set of necessary controls and links to how to
achieve these (eg CIS and OWASP frameworks etc):
- Security Policy ... (eg SANS Policy project) and details of this and
the processes that are necessary
- Change management needs...
- Protocol Justification (PCI-DSS 1.1.6)
- Firewall (Pci...)
- System Standards (eg see CIS IIS baselines) aim for a min. score of
85% on test xxx
- Etc.

So this is a preliminary call for interest to see what type of support I
can get in the industry for this. As stated, this would be a GPL'd
effort and one designed as a resource that will aid both vendors and end
users and make all of our lives easier.

Please let me know if you are interested and let us see if we can start
to align security and compliance and thus make the effort worthwhile.

Regards,
Dr Craig Wright (GSE-Compliance)


-------------------------------------------------
From: Andrew Hay [mailto:andrew.hay () koteas com]
Sent: Wednesday, 6 February 2008 10:31 PM
To: Craig Wright
Cc: sans-community () lists sans org
Subject: Re: [sans-community] Great resource for compliance-related
questions from students

Thanks for the eye-opener Craig.

Do you know of a similar resource that has accurate information that I
could use as an alternative? Please let me know.
--------------------------------------------------
On 2/6/08, Craig Wright <Craig.Wright () bdo com au> wrote:

Except it is not accurate.

It has missed many things and has listed similar controls as both
necessary and not being needed. Looking at PCI-DSS alone, I will go
through a number of controls that are not listed as necessary for PCI.

Log successful and unsuccessful logons and logoffs [UCF ID: 01915]
- This is covered in PCI-DSS v1.1 at 8.5 and 10.2.1/10.2.4 and 10.3.4
and is listed as not required on the matrix.

Log successful and unsuccessful accesses to security-relevant objects
and directories [UCF ID: 01916]
- This is covered in PCI-DSS v1.1 at 10.2 and 10.3 and is listed as not
required on the matrix. The page
http://www.unifiedcompliance.com/matrices/live/01915.html mentions
nothing re the PCI requirements. This is a little misleading.

Log changes in user authenticators [UCF ID: 01917]
- This is covered in PCI-DSS v1.1 at 10.2.2 and is listed as not
required on the matrix. Again nothing on the page for PCI.

Log denial of access resulting from an excessive number of unsuccessful
logon attempts [UCF ID: 01919]
- This is covered in PCI-DSS v1.1 at section 10 and is listed as not
required on the matrix. PCI requires that all events of the type are
monitored. 10.3.4 will cover this. Nothing on the page again stating
that this is a control for PCI.

Protect the audit logs from failure [UCF ID: 01426]
- This is covered in PCI-DSS v1.1 at section 10 and is listed as not
required on the matrix.

In fact, there are also huge gaps in the SOX requirements of the matrix.
COPA is blank on the monitoring matrix, which is wrong.

For $10k a corporate license I would expect a little more accuracy. The
Monitoring and Measurement sheet alone has over 350 errors or omissions.
When it comes to Australia, the spreadsheets state that there are no
compliance requirements. This may be a common belief, but it is not one
based on the law.

Most of what they have noted is correct, but the omissions are deadly.

Regards,
Dr Craig Wright (GSE-Compliance)
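The two Craig Wright messages above describe, first, a checklist tool that turns system descriptors into a list of required controls and, second, a manual audit of a vendor matrix that marked PCI controls as "not required". The following is an added example written for this archive page, not code from the thread's authors or from any project, showing one way both pieces fit together: a small rule table maps descriptors to controls, and a gap check compares a (constructed) vendor matrix against that table, flagging controls the matrix marks as not required and controls it lists both ways. The control names and PCI-DSS v1.1 section numbers are the ones quoted in the thread; which descriptor triggers which control, the descriptor names, and the sample matrix are illustrative assumptions, not an authoritative compliance mapping.

```python
"""Descriptor-to-controls matcher plus a vendor-matrix gap check.

Added example for this thread; not code from the thread's authors or any
project.  The descriptor -> control mapping is an ASSUMPTION for
illustration.  Control names and PCI-DSS v1.1 references are those quoted
in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Control:
    regulation: str   # e.g. "PCI-DSS v1.1"
    reference: str    # section(s) within that regulation, as quoted
    name: str         # control as worded in the thread
    howto: str = ""   # where to look for implementation guidance


ANY = "*"  # trigger meaning "applies to every system"

# (trigger descriptors, controls).  A rule fires when every descriptor in
# its trigger set is present; ANY fires unconditionally.  Assumed mapping.
RULES = [
    ({ANY}, (
        Control("Policy", "n/a", "Security policy and supporting processes",
                "SANS Policy project"),
        Control("Policy", "n/a", "Change management"),
    )),
    ({"processes_payment_cards"}, (
        Control("PCI-DSS v1.1", "8.5, 10.2.1, 10.2.4, 10.3.4",
                "Log successful and unsuccessful logons and logoffs"),
        Control("PCI-DSS v1.1", "10.2, 10.3",
                "Log successful and unsuccessful accesses to "
                "security-relevant objects and directories"),
        Control("PCI-DSS v1.1", "10.2.2", "Log changes in user authenticators"),
        Control("PCI-DSS v1.1", "section 10 (10.3.4)",
                "Log denial of access resulting from an excessive number "
                "of unsuccessful logon attempts"),
        Control("PCI-DSS v1.1", "section 10", "Protect the audit logs from failure"),
    )),
    ({"processes_payment_cards", "dmz"}, (
        Control("PCI-DSS v1.1", "1.1.6", "Protocol justification"),
    )),
    ({"web_server"}, (
        Control("CIS", "IIS baseline, min. score 85%", "System build standard",
                "CIS benchmarks"),
        Control("OWASP", "n/a", "Web application security controls",
                "OWASP frameworks"),
    )),
]


def required_controls(descriptors):
    """Return the de-duplicated, sorted controls for a set of descriptors."""
    present = set(descriptors)
    found = set()
    for trigger, controls in RULES:
        if ANY in trigger or trigger <= present:
            found.update(controls)
    return sorted(found)


def find_matrix_gaps(matrix, descriptors):
    """Compare a vendor matrix against RULES for one system.

    matrix: iterable of (control name, regulation, required_flag).
    Returns (missing, contradictory):
      missing       - controls RULES require for these descriptors that the
                      matrix marks as not required under the same regulation
      contradictory - (name, regulation) pairs the matrix lists as both
                      required and not required
    """
    flags_by_key = {}
    for name, regulation, flag in matrix:
        flags_by_key.setdefault((name, regulation), set()).add(bool(flag))
    contradictory = sorted(k for k, flags in flags_by_key.items() if len(flags) == 2)
    missing = [c for c in required_controls(descriptors)
               if flags_by_key.get((c.name, c.regulation)) == {False}]
    return missing, contradictory


# Constructed sample matrix mirroring the thread's observations (not real
# vendor data): PCI logging controls marked "not required", one SOX row
# listed both ways.
SAMPLE_MATRIX = [
    ("Log successful and unsuccessful logons and logoffs", "PCI-DSS v1.1", False),
    ("Log changes in user authenticators", "PCI-DSS v1.1", False),
    ("Protect the audit logs from failure", "PCI-DSS v1.1", False),
    ("Protocol justification", "PCI-DSS v1.1", True),
    ("Protect the audit logs from failure", "SOX", True),
    ("Protect the audit logs from failure", "SOX", False),
]

# The worked example from the thread: DMZ web server handling card data.
SAMPLE_SYSTEM = ["dmz", "web_server", "processes_payment_cards", "located_us"]

if __name__ == "__main__":
    for c in required_controls(SAMPLE_SYSTEM):
        print(f"{c.regulation:12} {c.reference:30} {c.name}")
    missing, contradictory = find_matrix_gaps(SAMPLE_MATRIX, SAMPLE_SYSTEM)
    for c in missing:
        print(f"matrix says NOT required, rules say required: {c.name} ({c.reference})")
    for name, regulation in contradictory:
        print(f"matrix lists both ways: {name} [{regulation}]")
```

Descriptors that no rule mentions (here `located_us`) simply contribute nothing, which is the safe failure mode: an unknown answer should never remove a control. The rule table is the part a community effort would maintain; the matcher and gap check stay the same as it grows.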



