Question about PCI audit results and reality....

[joel.folkerts at gmail.com (Joel Folkerts)]

I would explain to management that PCI is simply a least common denominator
and should not be treated as the end-all, be-all to information security.
PCI merely attempts to address a minimum set of criteria that will mitigate
a large portion of the threats that your organization is facing. That being
said, it's unrealistic that any accreditation be able to address every
threat.

-Joel


"The path to hell is paved with good intentions."


On Wed, Aug 12, 2009 at 12:23 PM, Jason Wood <tadaka at gmail.com> wrote:

> So I have a "hypothetical" situation that I'd like some ideas on.
>
> Say you go through a PCI audit and certain things that you know are a
> problem are not marked as such by the auditor.  (we can get into getting a
> new QSA later)  To make up a completely fake scenario, lets say that item
> 15.3 requires all squirrels to wear helmets when running the credit card
> numbers from the web server to the database server.  (squirrelNet anyone?)
> The QSA says that there are no problems and that the squirrels are wearing
> helmets properly.  The issue is that the helmets are made of newspaper and
> don't look like a helmet from anything beyond a passing glance.
>
> As the admin/squirrel handler, I want to justify getting proper helmets on
> the squirrels.  However, here's this audit report which states that there's
> no problem here.  How do you go about justifying "real" squirrel helmets
> when the QSA says everything is good.  Chances are good management is going
> to look at the report and tell you to leave the newspaper hats in place
> because it is good enough for the QSA.
>
> Short of calling up the QSA and asking him WTF (and getting in hot water
> for doing so), how do you deal with this?
>
> Here's some of the ideas that have occurred to me:
>
>    - Explain to management what squirrel helmets really are supposed to be
>    and that not every QSA is going to be so... casual about them.
>    - Explain that PCI is a minimum set of requirements and doesn't insure
>    actual security.
>    - Club a squirrel on the head and demonstrate that newspaper isn't an
>    adequate helmet.
>
> How do you deal with justifying security improvements when an audit report
> says that everything is blue skies and happy days?
>
> Thanks,
> Jason
>
> P.S.  SquirrelNet was inspired by @beaker and no actual squirrels were used
> to run credit card numbers or were clubbed on the head while writing this
> email.
>
> --
>
> irc: Tadaka
> Twitter:  Jason_Wood
> jwnetworkconsulting.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090812/5e2ebbc0/attachment.htm