Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 02 Apr 2009 12:06:17 -0500
On Thu, 2009-04-02 at 09:31 -0500, Paul D. Robertson wrote:
> But they fail at that level in so far as they don't help small and mid-sized companies know what they really need to do- does a small company with 5 servers *really* need to separate every single function onto its own system?
*They* is not the PCI council. *They* is the Qualified Security Assessors. It's up to them to help companies become PCI compliant. They use the checklist, and they report back about compliance status. If your QSA doesn't help small and mid-sized companies know what they really need to do, then the QSA is at fault. In that case, provide feedback to the PCI council. They love to hear about the performance of QSAs. Crappy ones can lose their certification quickly :)
> But the buy in is to check the boxes so they don't get fined- and the boxes are checkable by interpretation. Outside of a few basic requirements, things are vague, ambiguous and not helpful at all- frankly, it's the worst "standard" I've seen in ~25 years of computer security- and I've rarely seen good ones.
I disagree. I'm happy that it's "vague or ambiguous" as you call it. That allows me as a QSA to properly secure the client. I wouldn't want to be forced to implement a crappy checklist to the letter. Every company is unique (you might call it ambiguous), so implementing security controls requires flexibility.
> I also agree with Marcus that it's the Pen Tester's Employment Security Act..
Wouldn't you want to test your security controls periodically?

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards