Re: PCI DSS & Firewalls

[Brian Loe <knobdy () gmail com>]

On Fri, Apr 3, 2009 at 3:36 PM, Paul Melson <pmelson () gmail com> wrote:


> At the end of the day, offensive security (scanning, pen-testing, auditing,
> etc.) is testing.  And some testing is ALWAYS better than no testing.  Show
> me a company that doesn't require testing before moving a system into
> production and I'll show you a company that can afford lots of downtime.

And I'll show you every company I've ever worked for - including the
one that's handling your prescriptions and likely the one handling
your 401k.

Then again, I guess it depends on what you call testing. If it means
"it turns on, given expected input it returns expected output" then
never mind - you're "safe". Otherwise you're living as big of a make
believe world as Marcus. And as everyone knows I'm quite the realist!

Then again I'm also the manager who, while trying to get an updated
security program approved by the "IT Steering Committee", removed the
part about certification and accreditation for new systems because,
frankly, if you're our size it's stupid and overly costly. What I
would VERY MUCH LIKE is a "checklist" like the first set of
instructions I got for (well, it's late and I can't remember the
acronym - and it's since been changed anyway - DoD crap)....

I prefer a standard tell me EXACTLY what it want as a minimum and then
my midldle management idiot self can busy myself doing BETTER than
that standard...
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards