Educause Security Discussion mailing list archives
Re: PCI DSS Review - 40 Hours?
From: Hugh Burley <Hburley () TRU CA>
Date: Thu, 26 Apr 2012 10:17:06 -0700
Hi Dan,

I think I would take the approach of doing what you can in 40 hours. Some of my initial work involved identifying transaction levels, which SAQ is most likely to apply, and running through the SAQ to identify where the University is or is not compliant. I used the COBIT 4.1 CMM as a tool for assigning a level of maturity to the specific PCI line items rather than a simple yes/no response.

The goal of this exercise is to begin raising awareness among your executives about the risks and the expected cost/effort of reaching compliance. This will also provide an initial tool for measuring and prioritizing ongoing activity in meeting compliance requirements.

The first response from your executive will be that you cannot possibly be correct in your assessment. They will also be overwhelmed by the amount of detail and projected cost involved. In my experience, if you are persistent in presenting the best facts you can within your limited capability, the executive will recommend an external PCI assessment. This assessment will likely validate what you will have been reporting and may provide some options for reducing scope that you did not consider. In the intervening time you will hopefully be able to address some basic compliance requirements and mature the University's information security program.

Regards,

Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security Officer
CISSP, CIPP/C, CISA
Security, Privacy, Audit
BCCOL - 222D
250-852-6351
Dan Sarazen <dsarazen () BRANDEIS EDU> 4/24/12 9:21 am >>>
Hi All,

I've been asked to conduct a PCI DSS review in 40 hours. Anyone think that's responsibly doable? Also, does anyone have a PCI DSS audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706