Educause Security Discussion mailing list archives

Re: PCI 3.0 compliance


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Wed, 25 Feb 2015 10:09:09 -0500

My apologies to the list.  That was intended to be a private email and went
to the group by accident.

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720



From:   Kevin Halgren <kevin.halgren () WASHBURN EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   02/25/2015 09:44 AM
Subject:        Re: [SECURITY] PCI 3.0 compliance
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



I'm not the most knowledgeable on the board on PCI, but I can tell you it's
not uncommon for it to look a mess, unfortunately, when you have someone else
come in and review compliance status.  There is often a lot of individual
interpretation, whether you're having a QSA do it or are performing a
self-assessment.  On a practical level you have to marry technical
compliance with actual risk-management and best practices since PCI
compliance alone isn't really enough to ensure you're operating in a secure
manner.

Business processes are often more troublesome than technical issues, in my
experience.  We can manage technology pretty well, but people are another
issue.

PCI always has the provision of "Compensating Controls" in lieu of a
straight PASS based on the particular criteria.  From what I've seen, some
people use them a lot, some people don't seem to ever accept them.  It
depends on the QSA and the organizational personnel.

Personally I'm looking forward to Point-to-Point encryption (P2PE) to be
more broadly supported, it eliminates a tremendous amount of PCI exposure.


In your situation, if you see some obvious "fix it now!" issues, get those
taken care of.  Beyond that, in my opinion your time and energy are best
spent understanding the processes - both technical and business - and
documenting a list of known issues, then coming up with an overall plan to
address them which prioritizes high risk and quick-fix items.  You may find
issues that are broadly common - i.e. a bit of training that hasn't been
done for a broad swath of users.  It will be more efficient to address
these all together in one training program than to tackle them one at a
time - and developing and implementing a plan instead of trying to act as a
firefighter will go down a lot better with the powers that be.  Also
remember that if you don't build executive support, you will never get
anywhere no matter how much you yell and pound the table.

One thing I've learned in my years in IT is that no matter how good (or
otherwise) someone may have been in their job, there's always a period of
"what the hell were they thinking?" when someone new comes on board and
starts to review their predecessor's work and get oriented themselves.  If
you look deeper, there may have been a logic to it that's not apparent at
first glance, or the reasons may be lost to time, or you've simply found a
weakness in someone else's skillset or priorities that may need to be
addressed.  People do the same when you change positions as well; it's
human nature.  Understand your organization and build a system that works
well with it, identify risks, and establish priorities.  Even the best
system will never eliminate the weaknesses inherent in human nature or in
computer systems, but a good system will help mitigate them and make
progress reducing your organizational risk profile.

Kevin

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Wednesday, February 25, 2015 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

Hi Chris,

I'm new here at Excelsior, and I have inherited a bit of a mess when it
comes to PCI.

Specifically I have found that previously we certified as PASS on several
items that we should not have.  If you have any knowledge of how the items
are scored, and if there is a threshold for compliance when everything is
not simply 'PASS' I'd love to pick your brain about it.

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720




From:            Chris Green <CGreen () UTTYLER EDU>
To:              SECURITY () LISTSERV EDUCAUSE EDU,
Date:            02/06/2015 12:18 PM
Subject:                 Re: [SECURITY] PCI 3.0 compliance
Sent by:                 The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



We are in the midst of it as well. If you would like to discuss offline,
please shoot me an email.

Thanks,

-C.


Chris Green
Director of Information Security
University of Texas at Tyler
cgreen () uttyler edu



From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Friday, February 06, 2015 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

We are in the process of that.  Feel free to reach out to me privately.
qrs () bu edu

Best,

Quinn R Shamblin
Executive Director of Information Security, Boston University

From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Thursday, February 05, 2015 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0 compliance

Hello Everyone,

Has anyone started or completed a project regarding PCI 3.0 compliance?  If
so, would you be willing to answer a few questions and / or have a
conversation about it?  Thanks.

Alex

Alex Jalso, PMP, CISM
Director Information Security Services
West Virginia University
p: 304-293-4457



This message and any attachments contain confidential  Excelsior College
information intended for the specific individual and purpose. If you are
not the intended recipient, you should notify the College and delete this
message. Any disclosure, copying, distribution or inappropriate use of this
message is strictly prohibited.
