Educause Security Discussion mailing list archives
Re: PCI DSS Review - 40 Hours?
From: Jon Young <jon () NETWORK-PLUMBERS COM>
Date: Wed, 25 Apr 2012 17:10:04 -0400
Dan,

Of course not. And I'm not saying you should only (or that you need at all) use external paid consultants. What I am saying is that if this is your first time doing this (as many of us inferred from your original post) it would be wise to get help from someone who has done this before. That can be a consultant, someone else from your organization or a peer organization or elsewhere. This is true for many things but has particular value in something with a high likelihood of being litigated should something 'bad' happen.

Jon

On Tue, Apr 24, 2012 at 5:16 PM, Dan Sarazen <dsarazen () brandeis edu> wrote:

> Are you saying that nobody other than a formally certified PCI compliance expert (consultant) should review, in any way, PCI controls?
>
> On Apr 24, 2012 3:25 PM, "Jon Young" <jon () network-plumbers com> wrote:
>
>> If there is a breach at a member institution (I presume the audit is for one of the consortium members), you have to assume that they will be sued and the email you posted to this list will be found in discovery. That email will be a great find for the attorney who will attempt to use it (I don't mean to suggest you aren't qualified, I have no idea if you are and I'm certainly not qualified) as an indication that you were not qualified (and knew it) to perform the PCI DSS review and thus are liable for a portion of the damages.
>>
>> My advice is to bring in someone who has done this before (perhaps a list member has a suggestion of someone local? - we're local but we don't do this) at least for some advice. As others have pointed out, the scale is hugely relevant to the time involved and the scale of your consortium members is widely divergent.
>>
>> Good luck,
>>
>> Jon Young
>> Senior Consultant
>> Vantage Technology Consulting Group
>>
>> On Tue, Apr 24, 2012 at 12:21 PM, Dan Sarazen <dsarazen () brandeis edu> wrote:
>>
>>> Hi All,
>>>
>>> I've been asked to conduct a PCI DSS review in 40 hours. Anyone think that's responsibly doable? Also, does anyone have a PCI DSS Audit plan?
>>>
>>> Many Thanks!
>>>
>>> Dan Sarazen
>>> Senior IT Auditor
>>> The Boston Consortium for Higher Education
>>> Brandeis University, Mailstop 110
>>> Phone: 781-736-8703
>>> Cell: 781-296-4444
>>> Fax: 781-736-8706