funsec mailing list archives

Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach


From: Chris Blask <wobblingmoon () yahoo com>
Date: Mon, 27 Jul 2009 19:26:08 -0700 (PDT)


--- On Mon, 7/27/09, Michael Graham <jmgraham () gmail com> wrote:

Obviously, meeting an arbitrary metric shouldn't absolve you of the responsibility to make your own risk decisions as 
appropriate to your business and your customers, and after having done so it doesn't absolve you of the 
responsibility to execute those risk decisions properly.  Compound this absurd notion that PCI compliance divests you 
of core custodian responsibilities with the questionable value of PCI itself and we've got the PCI council helping 
all of us into an overall worse security situation, not a better one, regardless of intent.
 
All PCI is is something to keep you from being sued by the card brands (and vice versa).  Sooner or later diligence 
will be legally required.

S.773 (the Cybersecurity Act of 2009) is at least a smell of smoke over the horizon.  Anyone who thinks they can stand 
up in front of a judge and jury and always get away with those sorts of lame excuses will have another think coming 
when Critical Infrastructure security is federally mandated (and CI is defined as "whatever the President says it is").

-chris

The Moose is Loose!

http://motleymoose.com


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
