Standards and regulations - Authorities - contain requirements which when documented become policies and procedures. That's simple enough. Controls are implemented to ensure policies are followed. Again - straight forward. Controls are then audited on a periodic basis to ensure controls align with policies and required compliance mandates. Make sense?
This is a simple compliance model. There is a different model and view of security of which this becomes a component.
- Authority: PCI-DSS is the authority document created by the PCI-SSC.
- Requirement: (10.6) Review logs for all system components at least daily.
- Policy: Monitoring Policy – States logs will be reviewed at least daily.
- Control: RSA enVision provides real-time monitoring for all system components.
- Audit: Auditor verifies RSA enVision is appropriately monitoring and alerting to actionable events. Audit results and evidence are stored as part of the audit.
|Authorities to Audits|