Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: Brian Loe <knobdy () gmail com>
Date: Mon, 6 Apr 2009 09:34:10 -0500

On Mon, Apr 6, 2009 at 7:37 AM, Mark <firewalladmin () bellsouth net> wrote:
Brian Loe wrote:
" What I would VERY MUCH LIKE is a "checklist" like the first set of
instructions I got for (well, it's late and I can't remember the
acronym - and it's since been changed anyway - DoD crap)...."

Oh let me guess! Is it the STIG? Security Technical Implementation Guide? Oh
and now we have the infamous "DISA Gold" which will hit you with a bunch of
CAT 1&2 findings if the system is actually supposed to work. I've also
noticed that between the STIGs, checklists (there are checklists in
addition to the STIG and they are simply called Windows XP Security
Checklist or Desktop Applications Security Checklist, etc.) and FDCC there
are conflicting security measures, making it impossible to ever be "fully"
compliant. I will cite a simple example that I recall from the top of my
not-yet-balding head (paraphrased, not quoted):


I never made it through an audit with those criteria so I don't know
how it would go. But I like that the "standard" I'm supposed to adhere
to is specific and comes with its own checklist. I can either do it or
know that I need to write an exception.

The example finding you quoted would have made for entertaining
exceptions, no doubt.

I'm currently going through my second internal/external SOX audit. I
find them equally useless so far as real security goes but you do have
the benefit of the good cop/bad cop thing where they can at least
advise you on where you need to bring your game up.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards