Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PCI Compliance Scope

From: David Glosser <david.glosser () gmail com>
Date: Thu, 12 Nov 2009 16:32:16 -0500
just finished a "gap analysis" and our auditor stated that the log
server was in scope as the logs needed to be protected. There's a
dedicated logserver for our in-scope systems.

The auditor was very interested in examining the logs to ensure that
they NOT contain PII/cardholder data. If they did, then we would have
been a BadThing as many other PCI 8and general security) requirements
would have been violated, such as not sending the cardholder data over
the clear, storing of the cardholder data in plain text, etc...




On Thu, Nov 12, 2009 at 2:13 PM, Erin Carroll <amoeba () amoebazone com> wrote:

It's been a bit since I was forced to do PCI on a daily basis so someone
will come along and correct me if I'm wrong....

If the logs contain no PII/cardholder data and the logs are pushed to the
central log storage device (not pulled from device) then the log server is
not in scope. If the logs do contain PII/cardholder data then the log device
is in scope but does not make the 300+ other devices which log to the device
in scope.



--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"Do Not Taunt Happy-Fun Ball"


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Danux
Sent: Thursday, November 12, 2009 7:27 AM
To: pen-test () securityfocus com
Subject: PCI Compliance Scope

Question for PCI experts:

During a PCI Audit the Auditor told us that all the Security Devices
protecting Cardholder Data are also part of PCI Scope, which makes
sense for IDS/IPS, FW, AD, so on but what about a Log Management tool?

This means that my Log Management Centralized Server solution which is
getting logs not just for PCI assets but for the whole network ... is
gonna be in scope?
if so? This means all 300 security devices sending the logs (Servers,
WStations, Data Bases, AV) to the Centralized server are in scope Too?

if so?

Then, obviously I need to find a way to isolate & split the Log
Management Server from the whole network to only monitor PCI assets
but that entails to buy a new costly license to have another
Centralized log server, which is not doable for us.

Have you ever had the same problem? so that you can share the way to
resolve it WITHOUT adding new software/hardware?

I think I need to create a kind of PCI Security Devices Zone isolated
from the network but not sure if that works for PCI Auditor.

Please share your ideas.
--
Danux

-----------------------------------------------------------------------
-
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
-----------------------------------------------------------------------
-



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: