Full Disclosure mailing list archives

Re: Compliance Is Wasted Money, Study Finds


From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 27 Apr 2010 14:10:26 -0400


> My point isn't about a particular section, nor about the amount of
> experience I have in PCI DSS compliance (which is next to novice).

So we can agree that you're arguing about something with which you have
no experience?

> The point is, what's PCI aiming at?

It's on the first substantive page of the document .. to wit:

 "The Payment Card Industry (PCI) Data Security Standard (DSS) was
developed to encourage and enhance cardholder data security and
facilitate the broad adoption of consistent data security measures
globally."

> Real security

Again, I ask "what is 'real security'?".

> or just a way companies can excuse their incompetence by citing full
> PCI compliance?

If you "self-audit" and just check the boxes because you have a box that
says "firewall" on it and another that says "IDS" and so forth, then yes
.. it's just excusing incompetence .. but any "real" auditor would be
asking you about change management for those assets, who has access to
them and why, how logs are reviewed and by whom, etc.

There are 12 basic points in the 1.2 spec, none of which contradict
current best practice for network design.

Cheers,

Michael Holstein
Cleveland State University

PS: This is starting to sound like the discussion many of us have with
Mac end-users .. the one that goes "but Macs don't get viruses".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/