Questions tagged [compliance]

Aspects of compliance with regulations, standards, laws, and policies.

264 questions
1 vote, 1 answer

Do cloud service providers offer insights on their security issues?

Should someone want a highly secured cloud environment, having the whole infrastructure managed by a third party could be quite stressful I guess. There are things you can't manage yourself in a cloud environment, like collecting every needed log…
Kaël
1 vote, 2 answers

How to timestamp a document without electronic signature under eIDAS

I need to timestamp a file to prove data integrity, not authorship. I will use an RFC3161 qualified timestamping service. From the EU Regulation Section 6, Article 41, I understand that I can use a timestamp without an electronic signature*, as they…
Victor
1 vote, 1 answer

Required security for storing bank transactions, but not credentials

If I'm using an external bank data aggregation service to get user credit and banking transactions, but the external service itself is handling the process of collecting and managing banking credentials, I'm just storing lists of recent transactions…
1 vote, 1 answer

Are there any FIPS140-2 requirements that apply when boot code is updated in the field?

The FIPS140-2 standard specifies the following conditional test to be performed by the cryptographic module if software or firmware components can be externally loaded into a cryptographic module: An Approved authentication technique (e.g., an…
Drew Lex
1 vote, 1 answer

What compliance does my mobile application need?

We are going to develop an application for a payment gateway which is already PCI DSS compliant. This application will be handling the payment through the API. My question is: does the application need to be PA-DSS, P2PE, or PCI-DSS?
Petr
1 vote, 2 answers

PCI DSS 3.2 SAQ A and SAQ A-EP - 2 different web shops

I did a pre-assessment of 2 web shops of one company today. One web shop uses Direct Post based forms to insert and forward cardholder data. Doing this means the company is eligible for an SAQ A-EP. It's hosted in Azure, in a small environment,…
0x90
1 vote, 2 answers

PCI DSS for web servers not storing credit card info

I plan on deploying our new company website to a dedicated server through a hosting provider. I will personally maintain the server with the exception of dealing with the physical hardware. The company itself does possess credit card info through…
AirmanAJK
1 vote, 2 answers

Is CryptPad safe for corporate use (logs which include hostnames, IPs and internal configuration)?

We don't have an internal Gist for fast sharing of snippets and log extracts with co-workers. Is it safe to use this web service? Quote from the GitHub site: CryptPad is private, not anonymous. Privacy protects your data, anonymity protects you. As…
Sybil
1 vote, 1 answer

Crosswalks (aka Matrix) for InfoSec Compliance Standards

Looking to find a reference that maps the various control standards (i.e. HIPAA, PCI-DSS, GLBA, ISO) to each other. I envision the answer being a spreadsheet that outlines the controls for one standard (say ISO-27002) as row items and the other…
HashHazard
1 vote, 1 answer

Does PCI DSS require an SAQ for each site?

I am with an organization that is just starting to work on PCI. We have 3 sites that are connected via point to point connections. Only the main site stores the card holder data. The other two sites have workstations that connect to the card holder…
Fox2020
1 vote, 2 answers

Client's Personally Identifiable Information (PII) in the Cloud

Is it safe to put a client's personally identifiable information on Microsoft's Office-365, or another Cloud provider storage?
AlB
1 vote, 1 answer

Would the following practice make email PCI compliant?

If a system applied the following three practices/technologies to each e-mail, would it rate as PCI compliant? The email itself is encrypted; encryption is applied end-to-end in the transport layer; the recipients were authenticated. The encryption…
1 vote, 2 answers

Can I instruct a Telco to prevent 2G connections from our phones?

Given that 2G is proven to be insecure (broken) at DefCon, is it possible for a Corporate IT department to work with the Telco and ban 2G connections for their devices? Some cell phones are unable to disable 2G connections or exclusively use 3G, and…
makerofthings7
1 vote, 1 answer

Are Windows Superseding Patches not fully securing my systems?

I have completed a Nessus vulnerability scan of a Windows system. The scan is indicating that some Windows patches are missing, but the patches are superseded patches and the most recent version of the patch is installed. I researched the two…
1 vote, 1 answer

Help with scope clarification of PCI requirement 8.5.15

Section 8.5.15 reads: If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. Section 8 Accompanying note reads: These requirements are applicable for all accounts,…