Compensating Controls Worksheet

Uploaded by

mrehan2k2

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

57 views3 pages

Compensating Controls Worksheet

Uploaded by

mrehan2k2

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 3

Appendix C: Compensating Controls Worksheet

Use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement. Note
that compensating controls should also be documented in the Report on Compliance in the corresponding PCI DSS requirement section.
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use
of compensating controls to achieve compliance.

Requirement Number and Definition:

Information Required Explanation

1. Constraints List constraints precluding compliance with
the original requirement.
2. Objective Define the objective of the original control;
identify the objective met by the
compensating control.
3. Identified Risk Identify any additional risk posed by the lack
of the original control.
4. Definition of Define the compensating controls and
Compensating explain how they address the objectives of
Controls the original control and the increased risk, if
any.
5. Validation of Define how the compensating controls were
Compensating validated and tested.
Controls
6. Maintenance Define process and controls in place to
maintain compensating controls.

PCI DSS v3.2.1 Template for Report on Compliance, Rev. 1.0, Appendix C: Compensating Controls Worksheet June 2018
Copyright 2018 PCI Security Standards Council LLC Page 1
Compensating Controls Worksheet – Completed Example
Use this worksheet to define compensating controls for any requirement noted as being “in place” via compensating controls.
Requirement Number: 8.1.1 – Are all users identified with a unique user ID before allowing them to access system components or cardholder data?

Information Required Explanation

1. Constraints List constraints precluding Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a
compliance with the original “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to
requirement. log all “root” activity by each user.
2. Objective Define the objective of the The objective of requiring unique logins is twofold. First, it is not considered acceptable from a
original control; identify the security perspective to share login credentials. Secondly, having shared logins makes it
objective met by the impossible to state definitively that a person is responsible for a particular action.
compensating control.
3. Identified Risk Identify any additional risk Additional risk is introduced to the access control system by not ensuring all users have a
posed by the lack of the original unique ID and are able to be tracked.
control.
4. Definition of Define the compensating Company XYZ is going to require all users to log into the servers using their regular user
Compensating controls and explain how they accounts, and then use the “sudo” command to run any administrative commands. This allows
Controls address the objectives of the use of the “root” account privileges to run pre-defined commands that are recorded by sudo in
original control and the the security log. In this way, each user’s actions can be traced to an individual user account,
increased risk, if any. without the “root” password being shared with the users.
1. Validation of Define how the compensating Company XYZ demonstrates to assessor that the sudo command is configured properly using
Compensating controls were validated and a “sudoers” file, that only pre-defined commands can be run by specified users, and that all
Controls tested. activities performed by those individuals using sudo are logged to identify the individual
performing actions using “root” privileges.
2. Maintenance Define process and controls in Company XYZ documents processes and procedures to ensure sudo configurations are not
place to maintain compensating changed, altered, or removed to allow individual users to execute root commands without being
controls. individually identified, tracked and logged.

PCI DSS v3.2.1 Template for Report on Compliance, Rev. 1.0, Appendix C: Compensating Controls Worksheet June 2018
Copyright 2018 PCI Security Standards Council LLC Page 2
PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 3

Safety Performance Indicators: Development and Use of
No ratings yet
Safety Performance Indicators: Development and Use of
54 pages
Pressman Books Question Solution Chapter
No ratings yet
Pressman Books Question Solution Chapter
45 pages
Medical Store Management
No ratings yet
Medical Store Management
17 pages
Cloud Computing
0% (1)
Cloud Computing
97 pages
SEI ATAM Example
No ratings yet
SEI ATAM Example
31 pages
Car PArk System Report
0% (1)
Car PArk System Report
152 pages
Airline Ticket Management System PROJECT
36% (11)
Airline Ticket Management System PROJECT
56 pages
SQAT - Ch.01 - Basics of Software Quality Assurance
No ratings yet
SQAT - Ch.01 - Basics of Software Quality Assurance
18 pages
Security Requirements Engineering Framework-Compressed
No ratings yet
Security Requirements Engineering Framework-Compressed
24 pages
W17 Clad Steel Plate
No ratings yet
W17 Clad Steel Plate
13 pages
Aop-52 Edb V1 e
No ratings yet
Aop-52 Edb V1 e
208 pages
Hipaa Nist Standard
No ratings yet
Hipaa Nist Standard
152 pages
Siaa Prelim
No ratings yet
Siaa Prelim
10 pages
Executive Summary: de Guzman'S Sari-Sari Store - System Proposal
100% (2)
Executive Summary: de Guzman'S Sari-Sari Store - System Proposal
20 pages
Nimish
No ratings yet
Nimish
4 pages
CETM46 Asst2 Sample1
No ratings yet
CETM46 Asst2 Sample1
9 pages
The Business Analysis Standard
No ratings yet
The Business Analysis Standard
58 pages
The Different Stages in Software Test Life Cycle
No ratings yet
The Different Stages in Software Test Life Cycle
4 pages
Final Project Report: Locate A Tutor
No ratings yet
Final Project Report: Locate A Tutor
65 pages
Adversary Engagement, A Practical Guide by MITRE
No ratings yet
Adversary Engagement, A Practical Guide by MITRE
48 pages
Fs - Form - Fi 04 05-Gap 05-For01v1 0
No ratings yet
Fs - Form - Fi 04 05-Gap 05-For01v1 0
9 pages
Unit-4: Software Requirement Engineering
No ratings yet
Unit-4: Software Requirement Engineering
80 pages
Payroll Management System
84% (64)
Payroll Management System
56 pages
2 Labview Fpga Basics PDF
No ratings yet
2 Labview Fpga Basics PDF
46 pages
A Review of Supply Chain Complexity Drivers PDF
No ratings yet
A Review of Supply Chain Complexity Drivers PDF
6 pages
PCI DSS v3 - 2 - 1 ROC S6 R3 Protect Stored Cardholder Data
No ratings yet
PCI DSS v3 - 2 - 1 ROC S6 R3 Protect Stored Cardholder Data
18 pages
PMP Prep Exam 6th Edition Full Slides PDF
100% (4)
PMP Prep Exam 6th Edition Full Slides PDF
573 pages
PCI DSS v3 2 1 ROC S1 Contact Information
No ratings yet
PCI DSS v3 2 1 ROC S1 Contact Information
14 pages
PCI DSS v3 - 2 - 1 ROC S6 R2 Do Not Use Vendor Supplied Defaults
No ratings yet
PCI DSS v3 - 2 - 1 ROC S6 R2 Do Not Use Vendor Supplied Defaults
11 pages
Pci DSSS
No ratings yet
Pci DSSS
8 pages
Cit 309 Project
No ratings yet
Cit 309 Project
26 pages
CBAP - Exam.183q: Number: CBAP Passing Score: 800 Time Limit: 120 Min File Version: 1
No ratings yet
CBAP - Exam.183q: Number: CBAP Passing Score: 800 Time Limit: 120 Min File Version: 1
78 pages
Internal Audit Checklist Q1 - IsO 2015 - Final Format
No ratings yet
Internal Audit Checklist Q1 - IsO 2015 - Final Format
30 pages
RSM Toc
No ratings yet
RSM Toc
10 pages
03 - SRS-Template-Annuxure-B-03Dec18
No ratings yet
03 - SRS-Template-Annuxure-B-03Dec18
6 pages
Fundamental Testing Istqb
No ratings yet
Fundamental Testing Istqb
24 pages
Future I 20 Questions Exercises
No ratings yet
Future I 20 Questions Exercises
1 page
CS8494 Software Engineering
No ratings yet
CS8494 Software Engineering
21 pages
Pci DSS V4
100% (3)
Pci DSS V4
30 pages
Pci Dss v4 0 at A Glance
No ratings yet
Pci Dss v4 0 at A Glance
2 pages
RAD and Agile Approach - Updated
No ratings yet
RAD and Agile Approach - Updated
29 pages
The Sympathizer: A Novel (Pulitzer Prize for Fiction)
From Everand
The Sympathizer: A Novel (Pulitzer Prize for Fiction)
Viet Thanh Nguyen
4.5/5 (141)
The Little Book of Hygge: Danish Secrets to Happy Living
From Everand
The Little Book of Hygge: Danish Secrets to Happy Living
Meik Wiking
3.5/5 (464)
The Unwinding: An Inner History of the New America
From Everand
The Unwinding: An Inner History of the New America
George Packer
4/5 (45)
On Fire: The (Burning) Case for a Green New Deal
From Everand
On Fire: The (Burning) Case for a Green New Deal
Naomi Klein
4/5 (78)
The Yellow House: A Memoir (2019 National Book Award Winner)
From Everand
The Yellow House: A Memoir (2019 National Book Award Winner)
Sarah M. Broom
4/5 (100)
Grit: The Power of Passion and Perseverance
From Everand
Grit: The Power of Passion and Perseverance
Angela Duckworth
4/5 (650)
Principles: Life and Work
From Everand
Principles: Life and Work
Ray Dalio
4/5 (643)
The Emperor of All Maladies: A Biography of Cancer
From Everand
The Emperor of All Maladies: A Biography of Cancer
Siddhartha Mukherjee
4.5/5 (298)
A Man Called Ove: A Novel
From Everand
A Man Called Ove: A Novel
Fredrik Backman
4.5/5 (5181)
The World Is Flat 3.0: A Brief History of the Twenty-first Century
From Everand
The World Is Flat 3.0: A Brief History of the Twenty-first Century
Thomas L. Friedman
3.5/5 (2289)
Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America
From Everand
Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America
Gilbert King
4.5/5 (280)
Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future
From Everand
Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future
Ashlee Vance
4.5/5 (582)
Rise of ISIS: A Threat We Can't Ignore
From Everand
Rise of ISIS: A Threat We Can't Ignore
Jay Sekulow
3.5/5 (144)
The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life
From Everand
The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life
Mark Manson
4/5 (6458)
The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers
From Everand
The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers
Ben Horowitz
4.5/5 (361)
Team of Rivals: The Political Genius of Abraham Lincoln
From Everand
Team of Rivals: The Political Genius of Abraham Lincoln
Doris Kearns Goodwin
4.5/5 (244)
Never Split the Difference: Negotiating As If Your Life Depended On It
From Everand
Never Split the Difference: Negotiating As If Your Life Depended On It
Chris Voss
4.5/5 (1005)
Fear: Trump in the White House
From Everand
Fear: Trump in the White House
Bob Woodward
3.5/5 (836)
A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story
From Everand
A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story
Dave Eggers
3.5/5 (233)
The Constant Gardener: A Novel
From Everand
The Constant Gardener: A Novel
John le Carré
4/5 (278)
Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space Race
From Everand
Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space Race
Margot Lee Shetterly
4/5 (1022)
Manhattan Beach: A Novel
From Everand
Manhattan Beach: A Novel
Jennifer Egan
3.5/5 (919)
Shoe Dog: A Memoir by the Creator of Nike
From Everand
Shoe Dog: A Memoir by the Creator of Nike
Phil Knight
4.5/5 (629)
John Adams
From Everand
John Adams
David McCullough
4.5/5 (2546)
The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are
From Everand
The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are
Brene Brown
4/5 (1175)
Yes Please
From Everand
Yes Please
Amy Poehler
4/5 (2016)
The Glass Castle: A Memoir
From Everand
The Glass Castle: A Memoir
Jeannette Walls
4.5/5 (1856)
Her Body and Other Parties: Stories
From Everand
Her Body and Other Parties: Stories
Carmen Maria Machado
4/5 (903)
Sing, Unburied, Sing: A Novel
From Everand
Sing, Unburied, Sing: A Novel
Jesmyn Ward
4/5 (1267)
Bad Feminist: Essays
From Everand
Bad Feminist: Essays
Roxane Gay
4/5 (1090)
Steve Jobs
From Everand
Steve Jobs
Walter Isaacson
4.5/5 (1139)
Wolf Hall: A Novel
From Everand
Wolf Hall: A Novel
Hilary Mantel
4/5 (4135)
The Light Between Oceans: A Novel
From Everand
The Light Between Oceans: A Novel
M.L. Stedman
4.5/5 (815)
Angela's Ashes: A Memoir
From Everand
Angela's Ashes: A Memoir
Frank McCourt
4.5/5 (943)
Brooklyn: A Novel
From Everand
Brooklyn: A Novel
Colm Toibin
3.5/5 (2133)
The Woman in Cabin 10
From Everand
The Woman in Cabin 10
Ruth Ware
3.5/5 (2814)
The Art of Racing in the Rain: A Novel
From Everand
The Art of Racing in the Rain: A Novel
Garth Stein
4/5 (4372)
The Outsider: A Novel
From Everand
The Outsider: A Novel
Stephen King
4/5 (2885)
The Perks of Being a Wallflower
From Everand
The Perks of Being a Wallflower
Stephen Chbosky
4.5/5 (4103)
A Tree Grows in Brooklyn
From Everand
A Tree Grows in Brooklyn
Betty Smith
4.5/5 (2033)
Little Women
From Everand
Little Women
Louisa May Alcott
4.5/5 (2369)

Compensating Controls Worksheet

Uploaded by

Compensating Controls Worksheet

Uploaded by

Appendix C: Compensating Controls Worksheet

Requirement Number and Definition:

Information Required Explanation

Information Required Explanation

You might also like