Learning regulatory compliance

docrice · April 2011

Shifting the topic away from the more common technical side of security, does anyone here have a little / lot of experience dealing with areas like PCI-DSS, HIPPA, SOX, etc.? How difficult is it to pick this stuff up? SANS has a two-day PCI-DSS course, but in practice how involved is the effort to pick up PCI and SOX? I've noticed many job postings list these as a requirement.

Where would one get training on these areas?

JDMurray · April 2011

With HIPAA, SOX, GLB, etc. you are entering the world of policies, procedures, compliance, and government regulations. You will find the regulations put forth by these Federal acts are purposely very non-technical. This allow organizations to implement the requirements of the regulations in ways that best fits their technology and financial plans. This flexibility is necessary, but it leads to a lot of ambiguity and head-scratching from us technical types.

For example, California law SB 1386 requires that all databases containing PII be encrypted, but it doesn't specify what encryption to use, or even define what encryption is. As a result, simple rot13 encoding will satisfy the encryption requirements of SB 1386. (Thank goodness security product vendors know better than to try this.)

There are lots of non-technical people in the compliance game. Sort of like the difference between people that build houses and people who insure the houses. Although insurance people tend to be savvy at risk management, while compliance people are all too often content with just making sure a specific security control is present to fill a check box on an auditor's form. So a major complaint of all these regulations is that an organization that only minimally complies with the requirements of PCI, HIPAA, SB 1386, etc. is only providing the illusion of actual security and accountability, but likely has other security issues that go beyond what these regulations cover.

There are "people certifications" for HIPAA, SOX, etc. from organizations that train auditors. The CISA cert from ISACA is a big, non-specific auditing cert. Risk management companies also have their own training and certification programs.

the_Grinch · April 2011

I can speak on the PCI compliance side of the house. It isn't overly difficult, but like JD has stated don't just look to get the check in the box. That is the nice part of having a technical background when doing audits. PCI isn't too difficult and for the most part it is fairly automated. The hardest part about a PCI audit is determining which questionnaire the client will need to look at. There are 4 questionnaire and based on how they process the credit cards decides which questionnaire they must complete. From there, you answer the questionnaire and all the answers have to be Yes. If you answer no, you have to fix the deficiency. https://www.pcisecuritystandards.org/security_standards/documents.php This link has all the documentation so you can take a look at those. The questionnaires are at the bottom (Self Assessment Questionnaire). There are a couple of things to remember for PCI compliance:

1. The audit scans must be done quarterly, if there are any changes to the infrastructure or config changes, the audits must be run at that time

2. Once a year a penetration test must be run, again if there are any changes to the infrastructure or config changes, the penetration test must be done at the time.

3. Finally, they made the change that WEP can no longer be used.

4. Backups must be encrypted

I really like PCI compliance because generally their requirements should be something every company does regardless of whether or not they accept credit cards. It was very easy for me to say to the customer that such and such changes needed to be made. When they asked why, I'd state the security reasons and then follow that with that it was required for PCI compliance and that they would face fines if the changes weren't complete. You will find a lot of information online for PCI compliance.

ipchain · May 2011

I can also speak from the PCI-DSS side of things, so I would echo the_Grinch's advise.

JDMurray · May 2011

Anybody have a look at this book?

Amazon.com: PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance (9781597494991): Dr. Anton Chuvakin, Branden R. Williams: Books

Chuvakin is very well-respected in the SIEM and log management industries.

ipchain · May 2011

JDMurray wrote: »

Anybody have a look at this book?

Amazon.com: PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance (9781597494991): Dr. Anton Chuvakin, Branden R. Williams: Books

Chuvakin is very well-respected in the SIEM and log management industries.

Looks like a great read - thanks for pointing it out, JD. I might have to check it out at some point. Don't mean to hijack this thread, but are there any other books by Chuvakin that you'd recommend? I am currently working on the deployment of our SIEM infrastructure.

colemic · May 2011

I had a good post here but the interwebz ate it.

so here's the cliff notes.

I do security audits for banks, and deal with GLBA on a daily basis, along with FDIC regs, FFIEC exams, state regs, and so on.

One thing to remember with PCI, is that they are guidelines, not law... so the fines the Grinch was talking about come from the card processors, not the government. They claim that every breach occurred on a merchant system that did not fully meet PCI-DSS requirements... but those can be quite onerous to a small business, which is one of the leading causes of mom and pop shops getting hit. Tied into those (especially those businesses that are growing) are the requirements that banks impose for remote deposit capture which right now is all the rage amongst scammers and thieves (not to short wire scams, which, when successful, are probably the biggest grossing revenue streams for thieves right now.)

Sorry that its a lot shorter and more disorganized than what I had written out originally.

ChooseLife · May 2011

JDMurray wrote: »

Anybody have a look at this book?

Amazon.com: PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance (9781597494991): Dr. Anton Chuvakin, Branden R. Williams: Books

Chuvakin is very well-respected in the SIEM and log management industries.

Sweet, thanks for the link!

Btw, this book is also available for free at Books24x7: PCI Compliance by Chuvakin and Williams

Learning regulatory compliance

Comments