Educause Security Discussion mailing list archives
Re: PCI DSS Review - 40 Hours?
From: John Hoffoss <John.Hoffoss () SO MNSCU EDU>
Date: Mon, 30 Apr 2012 16:43:22 +0000
And if you ask more than one QSA, you'll get a variety of expert opinions to choose from!

If you're doing a PCI DSS review of an existing effort, and in one or two relatively constrained scopes, you can certainly get something put together that gets close. After all, a review for internal auditing purposes does not need the detail a QSA's attestation does. And as I'm hinting at above, QSAs all differ, because unfortunately PCI is still pretty much up to the individual interpreting the requirements. What satisfies one will not satisfy another. Focus instead on your PCI remediation efforts that realistically reduce the risk of breach, then go from there. Or rather, audit with that approach in mind--seek compliance to reduce risk, not to achieve compliance.

If you're trying to review *all* payment areas at an institution, you might want to either politely decline that request or suggest the time estimate be multiplied by 10 (to start) and put that on your next annual work plan.

Either way, it sounds like Jen's work plans may be useful for you, at least as a start.

-jth

On 24 Apr 2012, at 16:28, Michael Johnson wrote:

Only a certified entity (QSA) can render expert opinion on satisfying the ROC. There is also recommendation from the Council in various sections about separation of duties. It requires a careful read.

Michael Johnson, CISSP, QSA, ASV
ComplyGuard Networks

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Sarazen
Sent: Tuesday, April 24, 2012 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

Are you saying that nobody other than a formally certified PCI compliance expert (consultant) should review, in any way, PCI controls?

On Apr 24, 2012 3:25 PM, "Jon Young" <jon () network-plumbers com> wrote:

If there is a breach at a member institution (I presume the audit is for one of the consortium members), you have to assume that they will be sued and the email you posted to this list will be found in discovery. That email will be a great find for the attorney who will attempt to use it (I don't mean to suggest you aren't qualified, I have no idea if you are and I'm certainly not qualified) as an indication that you were not qualified (and knew it) to perform the PCI DSS review and thus are liable for a portion of the damages.

My advice is to bring in someone who has done this before (perhaps a list member has a suggestion of someone local? - we're local but we don't do this) at least for some advice. As others have pointed out, the scale is hugely relevant to the time involved and the scale of your consortium members is widely divergent.

Good luck,

Jon Young
Senior Consultant
Vantage Technology Consulting Group

On Tue, Apr 24, 2012 at 12:21 PM, Dan Sarazen <dsarazen () brandeis edu> wrote:

Hi All,

I've been asked to conduct a PCI DSS review in 40 hours. Anyone think that's responsibly doable? Also, does anyone have a PCI DSS audit plan?