Security Basics mailing list archives

Re: ISO 27001 mapping to PCI


From: "W. Lee Schexnaider" <l.schex () gmail com>
Date: Tue, 26 Feb 2008 16:38:14 -0600

Unsurprisingly, I agree with Sheldon.

The problem companies are having is that the number of regulations and
best practices that they have to conform to is exploding.  Just think
if you are a public company in California that processes health care
information that has customers and partially-owned public subsidiaries
in Europe, Japan and Canada.  So that organization and its
subsidiaries have to comply with SOX, CSOX, JSOX, EuroSOX (in the
future), HIPAA, California AB 1298 (health information data breach),
California SB 1386 (data breach), and European privacy laws.  Then you
choose ITIL for service management and Cobit (or ISO) for your info
security framework.  And that is not counting the new Federal Rules of
Civil Procedure changes for e-discovery, if you happened to be part
of several lawsuits at the same time. If a company had dedicated
internal audit teams and used different standards and processes for
each of these, the cost would be (and frequently is) enormous and
growing.

That is why having common controls mapped to these various items makes
sense for your internal audits to give proof of compliance to your
external auditors.  You can also know if you have a control called
"password length" that one technical check can apply for many
different regulations and best practices so you don't have to tie up
your systems and networks by checking this multiple times for multiple
internal compliance groups.

W. Lee Schexnaider, CISSP
Sr. Engineer – Compliance Content Developer
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Office:  713.561.4111
5151 San Felipe
Houston, Texas 77056
Email: lee_schexnaider () symantec com
-----------------------------------------------------
On Tue, Feb 26, 2008 at 12:35 PM, Sheldon Malm <smalm () ncircle com> wrote:
 I'm not going to get into a debate with you on this - simply stating
 that the preparation for audits is very different than the execution of
 audits.  For the record, my working for a vendor in this space has
 nothing to do with my opinion.  I spent nearly a decade with a Fortune
 500, and used the same approach very effectively on the customer side.

 There is sufficient overlap in the preparation stages for different
 standards that it makes sense to tag atomic items (controls) if they are
 included in multiple standards for reuse.  This is really no different
 than a platform like .NET making reusable services available to multiple
 programs.  Where the controls are identical, it makes no sense to do
 them separately and at multiple times by multiple people simply because
 they fall into different, higher-order standards.

 Cheers.
 Sheldon Malm
 Director
 Security Research & Development
 nCircle Network Security

 Check out the VERT daily post
 http://blog.ncircle.com/vert
 -----Original Message-----
 From: Craig Wright [mailto:Craig.Wright () bdo com au]
 Sent: Tuesday, February 26, 2008 1:14 PM
 To: Sheldon Malm; Craig Wright; PCSC Information Services; p1g; Jason P. Rusch
 Cc: security-basics () securityfocus com
 Subject: RE: ISO 27001 mapping to PCI

 Well, you are marketing a product, so I would expect such a response.

 The reality is that this approach is BS. Any organisation that I have
 seen doing this fails at least one if not both.

 Different systems have separate requirements. You can make an ISO
 27001/2 ISMS for a PCI system - but it will not apply elsewhere and is
 more work than completing each one at a time.

 Craig (GSE-Compliance,G7799,GPCI...)