Educause Security Discussion mailing list archives
PCI DSS interpretation questions
From: "CTSO (Michael A. Rodriguez)" <MA-Rodriguez2 () WIU EDU>
Date: Wed, 11 Jun 2008 12:31:41 -0500
I would appreciate interpretations on the following PCI items.

8.3. Is two-factor authentication implemented for remote access to the network by employees, administrators, and third parties? Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

On 8.3, I read it as a requirement for multi-factor authentication and not two instances of the same factor. Some folks around here are taking the word "two-factor" to refer to the latter.

1.3.9. Include installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the internet (for example, laptops used by employees), which are used to access the organization's network?

This one is an interpretation of scope. The part about employee-owned concerns me, as it would appear to imply installing stuff on personally owned computers. The bigger question is: can requirements like this be interpreted to refer only to computers, networks or devices known to hold cardholder data? The same argument can be made for other requirements involving endpoint security, like 6.1 on patching and 5.1 on anti-virus. I know the security answer is that they are all in scope, but what is the compliance answer?

Thanks,

--
Michael A. Rodriguez, CISSP
Chief Technology Security Officer
Western Illinois University
ma-rodriguez2 () wiu edu