Aspects of compliance with regulations, standards, laws, and policies.
Questions tagged [compliance]
264 questions
134
votes
19 answers
Is it common to allow local desktop and/or active directory admin access and rights for developers in organizations?
I work at a company with a staff of about 1000+. We currently have programming development staff that work on web based projects (approx 50 people).
Recently due to security concerns our IT and Security department implemented a restriction no…
TroySteven
- 1,329
- 2
- 7
- 11
72
votes
2 answers
Minimum requirements for storing last 4 digits of credit card number?
We have a merchant website that uses Autorize.net's CIM and AIM. Our users may have multiple credit cards so we'd want to give them opportunity to distinguish between credit cards that they use on site. Currently we think about storing cardholder…
Andrei Botalov
- 5,267
- 10
- 45
- 73
63
votes
5 answers
Is it common practice to log rejected passwords?
While selecting unique passwords for each purpose is a great idea, in practice this rarely happens. Therefore many select passwords from a personal pool of passwords that are easily remembered. When authenticating into systems that are used…
Drew Lex
- 2,013
- 2
- 19
- 24
40
votes
2 answers
Why does Google cripple the 2FA Google Authenticator PAM module?
If you enable 2FA for Google Apps the shared secret is 160 bits. The google_authenticator PAM module on the other hand seems to use 80 bits for the shared secret.
According to RFC 4226:
R6 - The algorithm MUST use a strong shared secret. The…
Akshay Kumar
- 502
- 4
- 7
31
votes
4 answers
Comply with data protection requirements without giving away too much?
I'm a contractor for a few companies. I build and host their systems on servers I rent from a popular international host. I store the system code on a popular, internationally hosted version control system. There are a mix of authentication…
Oli
- 1,121
- 9
- 13
25
votes
4 answers
Difference between hardening guides (CIS, NSA, DISA)
I'm researching OS hardening and it seems there are a variety of recommended configuration guides. I realize the different configuration providers supply different offerings per Operating System, but let's assume (for convenience) we're talking…
blong
- 359
- 1
- 3
- 9
25
votes
5 answers
Does PCI compliance really reduce risk and improve security?
Might as well bring this hot topic to here!
For those not in the know: https://www.pcisecuritystandards.org/
Tate Hansen
- 13,714
- 3
- 40
- 83
25
votes
1 answer
Has anyone achieved PCI compliance on AWS?
All the FAQs, documents and statements published by AWS aside, did any Level 1 merchant or service provider actually achieve PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS…
Boris Slobodin
- 351
- 3
- 3
23
votes
4 answers
Why doesn't the client's web browser need to be PCI compliant?
A hypothetical online store that accepts credit card payment will have to be PCI compliant because it receives (transmit), process and possibly store credit card numbers.
But the client's web browser is also transmitting a credit card number, albeit…
ixe013
- 1,912
- 15
- 20
22
votes
3 answers
Is SSL terminated at a load balancer PCI compliant?
I've read this nice question:
Should SSL be terminated at a load balancer?
And I have the same question, but with PCI-DSS compliance in mind.
Is SSL terminated at the load balancer, with clear communication between the load balancer and the web…
BenMorel
- 909
- 1
- 7
- 13
22
votes
5 answers
PCI Encryption Key Management
(Full disclosure: I'm already an active participant here and at StackOverflow, but for reasons that should hopefully be obvious, I'm choosing to ask this particular question anonymously).
I currently work for a small software shop that produces…
Unicorn Bob
- 323
- 2
- 4
19
votes
4 answers
The non-compliance of the EU cookie law as a finding in a penetration test report?
I recently noticed a penetration test report wherein the non-compliance of the European Union (EU) cookie law was stated as a finding under an "other" category. I consider this more of a legal, privacy-related matter and not so much security.
Why…
Bob Ortiz
- 6,234
- 8
- 43
- 90
19
votes
3 answers
Do HIPAA Security Officers face personal liability for breaches?
The role of HIPAA Security Officer is very important in maintaining compliance. In smaller organizations, there's overlap in employees' roles, so the person that ends up as the HIPAA Security Officer may not have a whole lot of background in…
John Straka
- 771
- 7
- 11
18
votes
3 answers
Is storing CVV compliant with PCI standards?
From personal, job-related experience I know that many "Booking Engines" store the CVV info for customers' credit cards from the time a reservation is made until the time the guest leaves the hotel. For people who reserve their rooms a year in…
Andras Gyomrey
- 821
- 3
- 9
- 17
18
votes
3 answers
Any comments or advice on OWASP-2013 top 10 number A9
In this iteration of the OWASP top 10 application security vulnerabilities list (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), a new category 'A9 Using Components with Known Vulnerabilities' has been introduced. This appears to…
David Scholefield
- 1,824
- 12
- 21