Educause Security Discussion mailing list archives

Re: PCI DSS Review - 40 Hours?


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Tue, 24 Apr 2012 16:42:27 -0600

The original poster made no statements that this audit was the *only* effort
they are making to ensure PCI compliance.  It seems like quite an assumption
to make from the information provided.  Internal audits are done across
industries for any number of regulations or compliance issues (HIPAA, SOX,
etc.) independent of the formal process of compliance management.

Brad Judy

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Young
Sent: Tuesday, April 24, 2012 1:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

If there is a breach at a member institution (I presume the audit is for one
of the consortium members), you have to assume that they will be sued and
the email you posted to this list will be found in discovery.  That email
will be a great find for the attorney who will attempt to use it (I don't
mean to suggest you aren't qualified, I have no idea if you are and I'm
certainly not qualified) as an indication that you were not qualified (and
knew it) to perform the PCI DSS review and thus are liable for a portion of
the damages.

My advice is to bring in someone who has done this before (perhaps a list
member has a suggestion of someone local? - we're local but we don't do
this) at least for some advice.

As others have pointed out, the scale is hugely relevant to the time
involved and the scale of your consortium members is widely divergent.

Good luck,
Jon Young
Senior Consultant
Vantage Technology Consulting Group

On Tue, Apr 24, 2012 at 12:21 PM, Dan Sarazen <dsarazen () brandeis edu> wrote:
Hi All,

I've been asked to conduct a PCI DSS review in 40 hours. Anyone think
that's responsibly doable?

Also, does anyone have a PCI DSS Audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell:  781-296-4444
Fax:   781-736-8706