The Art of the Compensating Control (Part 6, The Finale)
See part 1 here, part 2 here, part 3 here, part 4 here, part 5 here.
Go Forth and Compensate!
What a pretty mural we have painted over the last several pages! Good compensating controls are the result of a marriage between art and science. We've discussed what compensating controls are, what they are not, some funny examples of how to go wrong, and three solid scenarios from which we created good controls.
Compensating controls are not the golden parachute of compliance initiatives. Building effective ones that will pass the scrutiny of both a QSA and an Acquiring Bank (or card brand) takes work. Rarely do they yield lower cost and effort than simply meeting the original requirement. PCI DSS is based on many good (not best) standards of practice for security, and should be viewed as a baseline by which to operate, not a high-water mark to which you aspire one day. Compensating controls may help you lower the bar of compliance in the short term, but remember, only you can prevent a security breach.
I hope you enjoyed this article on Compensating Controls! Look for links to download the entire article in the next few days!
Comments
In the end, using PCI DSS as a starting point to a risk management and security program is key. Compensating controls can surely be effective for security and meeting PCI DSS intent as you've shown.
That said, companies using compensating controls with the narrow vision of having their ROC signed are in the danger zone. Passing the audit just gets your name on a pretty list if you don't take security and compliance seriously. Companies land in a world of hurt if they're compromised, regardless of their audit results. The contractually required "PCI compliance" will only become an issue when a company is compromised. As others with bigger titles have stated, nobody has been found to be compliant at time of compromise.
Posted by: Lucas | April 27, 2009 12:33 PM