Compensating Controls - Lack of IDS
Ron R
03-19-2007, 05:42 AM
Relative to Requirement 11.4; Has anyone had success with compensating controls in the absence of a formal IDS system?
jbhall56
03-22-2007, 04:50 AM
With the exception of 3.2, all other items in the PCI Security Audit Procedures can have compensating controls. The key is that whatever the compensating controls are, they must meet and exceed the PCI Data Security Standards requirement. As a QSA, it is your responsibility to evaluate the compensating controls and determine if they meet and exceed the PCI Data Security Standards requirements.
Appendices B & C of the PCI Security Audit Procedures documents how to document and evaluate compensating controls. I would recommend using that process.
mdahn
03-24-2007, 09:13 PM
It sounds like Jeff has been listening closely in the QSA class and reading the blog (http://pcianswers.com/) diligently. He is correct in that there are compensating controls for everything except 3.2.
If you do not have an IDS, how about these options:
* IPS (ok, I had to mention it)
* host based IDS instead of network based
* something else that meets the criteria (http://pcianswers.com/2007/02/28/compliance-through-compensating-controls/) of compensating controls
If you provide more information about the environment, perhaps we can suggest other compensating controls. For example: how many systems? Who has physical access to them? Is the network enclosed or spread across multiple geographic locations?
Nerdboy
03-25-2007, 07:26 AM
I am not sure that a host based IDS is a full compensating control for not having a NIDS (Network IDS) solution. Several of the host based IDS products that I have seen are really more focussed on file changes, and therefore won't tell you if someone has taken control of your web server and is simply using it as a jump-point into other areas of your network.
We typically have implemented a combination of host-based IDS and network-based IDS. The host-based IDS is primarily for IT policy enforcement (change management practices); the network-based IDS is more aligned with supporting network policy enforcement (only known traffic in known directions is permitted).
Nerdboy
PCI Hosting In The Trenches
http://pcihost.wordpress.com/
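To make the "only known traffic in known directions" idea above concrete, here is an added example (not code from the thread or from PCI Hosting) that replays constructed flow-log lines against an allowlist of expected flows and reports everything else, including the case Nerdboy describes, a DMZ web server opening connections into the internal network. The subnets, ports and log format are assumptions.

```python
"""Added example: a minimal 'known traffic in known directions' check.
Subnets, ports and the log format are assumed, not taken from the thread."""
from ipaddress import ip_address, ip_network

# Assumed flow policy: (source network, destination network, destination port)
# tuples that are expected in this environment. Anything else is reported.
ALLOWED_FLOWS = [
    ("0.0.0.0/0", "203.0.113.0/24", 443),       # internet -> DMZ web tier
    ("203.0.113.0/24", "10.10.20.0/24", 5432),  # web tier -> DB tier
    ("10.10.30.0/24", "10.10.20.0/24", 22),     # admin jump host -> DB tier
]

# Constructed sample log lines: "<src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 443 tcp
203.0.113.10 10.10.20.5 5432 tcp
203.0.113.10 10.10.20.5 22 tcp
203.0.113.10 10.10.40.9 445 tcp
10.10.30.2 10.10.20.5 22 tcp
"""


def parse_flow(line):
    """Split one log line into (src, dst, port, proto)."""
    src, dst, port, proto = line.split()
    return ip_address(src), ip_address(dst), int(port), proto


def is_known_flow(src, dst, port):
    """True if some allowlist entry covers this source, destination and port."""
    for src_net, dst_net, allowed_port in ALLOWED_FLOWS:
        if src in ip_network(src_net) and dst in ip_network(dst_net) and port == allowed_port:
            return True
    return False


def find_unexpected_flows(log_text):
    """Return the log lines that no allowlist entry covers."""
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, _proto = parse_flow(line)
        if not is_known_flow(src, dst, port):
            unexpected.append(line)
    return unexpected


if __name__ == "__main__":
    for flagged in find_unexpected_flows(SAMPLE_LOG):
        print("UNEXPECTED:", flagged)
```

A file-integrity HIDS on the web server would see none of these flows; this is the gap a network-side control is meant to cover.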