nanog mailing list archives

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report)

From: Ulf Zimmermann <ulf () alameda net>
Date: Wed, 30 Apr 2014 17:35:38 -0700

The auditors VMware sent to us were just as bad. To ensure we weren't
running "rogue" ESX(i) servers or WorkStation, they made us provide full
arp/cam tables. Then a list of the virtual machines. "Oh look, this MAC
isn't listed as one of your virtual machines". It isn't because it was
running on virtual box or something like that. Auditor didn't know you
could export a virtual machine from VMware and load it into another
visualization software and it would keep the VMware MAC ....



On Wed, Apr 30, 2014 at 2:31 PM, William Herrin <bill () herrin us> wrote:

On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon () cox net>
wrote:

On 4/30/2014 11:30 AM, Valdis.Kletnieks () vt edu wrote:

And in that discussion, we ascertained that what the PCI standard

actually

says, and what you need to do in order to get unclued boneheaded

auditors

to sign the piece of paper, are two very different things.


I am no longer active on the battlefield but as of the last time I was,

it

can't be did.

For years I managed various aspect of a UNIVAC 1100 operation and the

audits

thereof.  EVERY TIME, we were dinged badly because we didn't look like an
IBM shop (some may be surprised to learn that different hardware and
different operating systems require very different operating procedures

(and

it appeared to us that some of the things they wanted us to do would

weaken

us badly, others just simply didn't make any sense, and we got dinged for
things we DID do, because they were strange.


I won the argument with PCI auditors about leaving telnet alive on my
exterior router (which at the time would have had to be replaced to
support ssh). It's not a chore for the timid. You'd better be a heck
of a guru before you challenge the auditors expectations and you'd
better be prepared for your boss' aggravation that the audit isn't
done yet.

And I think we pretty well established that PCI auditors arrive
expecting to see NAT.

Regards,
Bill Herrin


--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004




-- 

Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-396-1764
You can find my resume at: http://www.Alameda.net/~ulf/resume.html

Current thread:

Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report) Ulf Zimmermann (Apr 30)
- RE: Dealing with auditors (was Re: We hit half-million: The Cidr Report) David Hubbard (Apr 30)
  - Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report) Alain Hebert (May 01)
    - Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report) William Herrin (May 01)
    - Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report) TGLASSEY (May 01)