Educause Security Discussion mailing list archives
Re: PCI compliance on a university network
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 24 Dec 2009 22:40:26 -0500
On Tue, 22 Dec 2009 11:58:01 EST, Scott Sweren said:
> PCI had always instructed that the auditor needed to be comfortable that segmentation was really in place. While it may be, if the company could not adequately demonstrate that, then the auditor could state so in the report. Demonstration is through providing the ACL lists, showing reviews and approvals were done as required, etc.
What a wimpy demonstration. :) Maybe I watch too much Mythbusters, but where I come from, if somebody says some glass is bulletproof, it's time to haul a few samples to the range and point various calibers at it. Seems if somebody claims segmentation is there, it's time to break out some high-caliber packet generators and verify the ACLs the dastardly way. ;) (Oh no, the firewall would *never* accept a forged packet on the exterior side with source and dest addresses both inside, right? Right? ;)
On Dec 22, 2009, at 10:37 AM, Joel Rosenblatt wrote:
> Again, this is the difference between real security and checklist security :-)
Hmm.. is that why the checklist people always claim I don't play nice with others? :) Happy Holidays, everybody!
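An added example, not part of the thread: the "verify the ACLs" idea written as an offline unit test of a segmentation rule set. A tiny first-match ACL evaluator is run over constructed test packets, including the case Valdis alludes to, a packet arriving on the outside interface with both source and destination inside. The subnets, interface names and rule sets are constructed for illustration, and the evaluator is a simplified model, not any vendor's ACL semantics.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    iface: str    # arrival interface ("inside", "outside") or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR


def evaluate(acl, iface, src, dst):
    """First-match ACL evaluation with an implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if r.iface in ("any", iface) and s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return "deny"


CDE = "10.10.0.0/24"   # constructed cardholder data environment subnet

# Constructed "as documented" ACL: only the web tier may reach the CDE.
WEAK_ACL = [
    Rule("permit", "any", "10.20.0.0/24", CDE),
    Rule("deny", "any", "0.0.0.0/0", CDE),
]

# Same ACL with an anti-spoofing rule in front: nothing arriving on the
# outside interface may claim an inside (10/8) source address.
HARDENED_ACL = [Rule("deny", "outside", "10.0.0.0/8", "0.0.0.0/0")] + WEAK_ACL

# Constructed test packets: (arrival interface, src, dst, expected verdict)
TEST_PACKETS = [
    ("inside", "10.20.0.5", "10.10.0.10", "permit"),   # legitimate web tier -> CDE
    ("inside", "10.30.0.5", "10.10.0.10", "deny"),     # other campus subnet -> CDE
    ("outside", "10.20.0.5", "10.10.0.10", "deny"),    # forged inside source on exterior
]


def run_tests(acl):
    """Return (iface, src, dst, expected, got) for every packet the ACL mishandles."""
    failures = []
    for iface, src, dst, expected in TEST_PACKETS:
        got = evaluate(acl, iface, src, dst)
        if got != expected:
            failures.append((iface, src, dst, expected, got))
    return failures
```

`run_tests(WEAK_ACL)` reports the spoofed exterior packet as permitted, while `run_tests(HARDENED_ACL)` returns no failures; the same packet list is what you would replay with a real packet generator against the live firewall.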