Posts Tagged ‘compliance’
For technical writers it is always difficult to get external feedback and comments on the manuals and other documentation. Therefore, it was a real pleasure to read how useful our system logging and regulatory compliance whitepaper was to Nico de Wet when he encountered a problem regarding trusted log collection and management. Also, it was great to see that concepts and best practices focusing on the needs of a specific industry (like the PCI-DSS for the IT needs of financial institutions) can be applied across different fields and locations.
As a side note, I think that the syslog-ng compliance whitepaper (and its twin that describes how the syslog-ng Store Box can help you to comply with the logging requirements of PCI-DSS, COBIT, or HIPAA) should be revisited and reviewed in the future, as new versions of both syslog-ng and the syslog-ng Store Box have been released since the whitepapers were published. Version 2.0 of the PCI-DSS standard will be released at the end of the month, detailing requirements about virtualization among others, not to mention some other laws and compliance requirements that would be worth looking at from a logging point of view.
On the other hand, the trend seems to be that traditional system logging is not adequate for many business-critical or high-security environments, and often other, independent technologies (like the Shell Control Box) are used to augment system logging, create a retraceable audit trail of what exactly happens on the production servers, and oversee the work of system administrators.
After long weeks of work, the new version of the PCI-DSS compliance whitepaper for SCB (PCI compliance and forensics in auditing remote server access with SCB 2.0) is finished. SCB 2.0 has many new and interesting features that can be used for PCI compliance, for example gateway authentication that can connect generic usernames to real users, 4-eyes authorization together with real-time monitoring, or the possibility to authenticate users separately on both SCB and the accessed server, implementing a simple two-factor authentication process.
But SCB is not the only thing that has changed since the previous release of this document: the PCI data security standard has been updated as well, so the entire document was checked for compliance with the requirements of PCI-DSS v1.2.1.
Originally I planned to add further sections to cover other types of compliance (e.g., COBIT), as in our other compliance whitepapers (Regulatory compliance and system logging with SSB and Regulatory compliance and system logging with syslog-ng), but after the updates this document is already 15+ pages long, so I decided to skip it. COBIT compliance will have to wait, and will most probably get a separate whitepaper anyway.