Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

[William Herrin <bill () herrin us>]

On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon () cox net> wrote:
> On 4/30/2014 11:30 AM, Valdis.Kletnieks () vt edu wrote:
> > And in that discussion, we ascertained that what the PCI standard actually
> > says, and what you need to do in order to get unclued boneheaded auditors
> > to sign the piece of paper, are two very different things.
>
> I am no longer active on the battlefield but as of the last time I was, it
> can't be did.
>
> For years I managed various aspect of a UNIVAC 1100 operation and the audits
> thereof.  EVERY TIME, we were dinged badly because we didn't look like an
> IBM shop (some may be surprised to learn that different hardware and
> different operating systems require very different operating procedures (and
> it appeared to us that some of the things they wanted us to do would weaken
> us badly, others just simply didn't make any sense, and we got dinged for
> things we DID do, because they were strange.

I won the argument with PCI auditors about leaving telnet alive on my
exterior router (which at the time would have had to be replaced to
support ssh). It's not a chore for the timid. You'd better be a heck
of a guru before you challenge the auditors expectations and you'd
better be prepared for your boss' aggravation that the audit isn't
done yet.

And I think we pretty well established that PCI auditors arrive
expecting to see NAT.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004