nanog mailing list archives
Re: We hit half-million: The Cidr Report
From: joel jaeggli <joelja () bogus com>
Date: Wed, 30 Apr 2014 10:25:00 -0700
On 4/30/14, 9:30 AM, Valdis.Kletnieks () vt edu wrote:
On Wed, 30 Apr 2014 15:40:43 -0000, Jamie Bowden said:

You're not funny. And if you're not joking, you're wrong. We just went over this on this very list two weeks ago.

And in that discussion, we ascertained that what the PCI standard actually says, and what you need to do in order to get unclued boneheaded auditors to sign the piece of paper, are two very different things. Yes, the PCI standard gives a list of 4 options and then continues on to say that other creative solutions are acceptable as well. But if you discover mid-engagement that your auditor *thinks* it says "Thou shalt NAT", you have a problem.

Anybody got recommendations on how to make sure the company you engage for the audit ends up sending you critters that actually have a clue? (Not necessarily PCI, but in general)
So, I've been (formerly) involved in the design/build/operation/refresh of PCI environments as part of application services for an enterprise with on the order of 0.8 billion annually in online sales. The process starts at the beginning, e.g. before you build it. If you parachute in a consultant or auditor totally cold, you are going to have to educate them on the nuances of your particular operation; it is very similar with SOX controls. In any event your documentation should be in order, and actual operation should be as documented. Ultimately, as was my experience with FERPA/HIPAA compliance in the educational environment, these should not be taken as mysterious externalities foisted on operations by hostile regulators or industrial cartels, but as part of normal business operations, and internalized as such.