Educause Security Discussion mailing list archives

Re: PCI DSS Review - 40 Hours?


From: Michael Johnson <MJohnson () COMPLYGUARDNETWORKS COM>
Date: Tue, 24 Apr 2012 21:28:56 +0000

Only a certified entity (QSA) can render expert opinion on satisfying the ROC.

There is also a recommendation from the Council in various sections about separation of duties.
It requires a careful read.

Michael Johnson, CISSP, QSA, ASV
ComplyGuard Networks.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Tuesday, April 24, 2012 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

Are you saying that nobody other than a formally certified PCI compliance expert (consultant) should review, in any way,
PCI controls?
On Apr 24, 2012 3:25 PM, "Jon Young" <jon () network-plumbers com> wrote:
If there is a breach at a member institution (I presume the audit is
for one of the consortium members), you have to assume that they will
be sued and the email you posted to this list will be found in
discovery.  That email will be a great find for the attorney who will
attempt to use it (I don't mean to suggest you aren't qualified, I
have no idea if you are and I'm certainly not qualified) as an
indication that you were not qualified (and knew it) to perform the
PCI DSS review and thus are liable for a portion of the damages.
My advice is to bring in someone who has done this before (perhaps a
list member has a suggestion of someone local? - we're local but we
don't do this) at least for some advice.
As others have pointed out, the scale is hugely relevant to the time
involved and the scale of your consortium members is widely divergent.

Good luck,
Jon Young
Senior Consultant
Vantage Technology Consulting Group

On Tue, Apr 24, 2012 at 12:21 PM, Dan Sarazen <dsarazen () brandeis edu> wrote:
Hi All,

I've been asked to conduct a PCI DSS review in 40 hours. Anyone think that's
responsibly doable?

Also, does anyone have a PCI DSS audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell:  781-296-4444
Fax:   781-736-8706
