Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to documented legitimate technical or business constraints, but has sufficiently mitigated the risk associated with the requirement through the implementation of controls. Compensating controls must:
(1) Meet the purpose and rigor of the original PCI DSS requirement;
(2) Provide a similar level of defense as the original PCI DSS requirement;
(3) Go well beyond other PCI DSS requirements (not simply be in compliance with other PCI DSS requirements); and
(4) Be mindful of the additional risk imposed by not adhering to the PCI DSS requirement.
For information on the use of compensating controls, see Appendices B and C on Compensating Controls in PCI DSS Requirements and Security Assessment Procedures.
http://es.pcisecuritystandards.org/
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
(1) Meet the intent and rigor of the original PCI DSS requirement;
(2) Provide a similar level of defense as the original PCI DSS requirement;
(3) Be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
(4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
See Compensating Controls Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.
https://www.pcisecuritystandards.org/security_standards/glossary.php
The term compensating controls is typically used within regulatory standards or guidelines to indicate when an alternative method to those specifically addressed by the standard or guideline is used. [knapp:2014]
A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
NIST SP 800-53: A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines described in NIST Special Publication 800-53 or in CNSS Instruction 1253, that provides equivalent or comparable protection for an information system. [CNSSI_4009:2010]
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST SP 800-53, that provide equivalent or comparable protection for an information system. [NIST-SP800-18:2006]
Compensating controls may be considered when an entity cannot meet a requirement exactly as stated, due to legitimate technical constraints or documented business constraints, but has sufficiently mitigated the associated risks through the implementation of other controls. Compensating controls must:
(1) Respect the intent and rigor of the original PCI DSS requirement;
(2) Provide protection similar to that of the original PCI DSS requirement;
(3) Exceed the other requirements of the PCI DSS standard (and not merely be in compliance with the other requirements of the standard);
(4) Be commensurate with the additional risks implied by non-compliance with the PCI DSS requirement.
See Appendices B and C on "compensating controls" in the PCI DSS Requirements and Security Assessment Procedures for more information on their use.
http://fr.pcisecuritystandards.org/
Related topics