Penetration Testing mailing list archives
RE: PCI Compliance Scope
From: "Bakshi, Narinder (FIN)" <Narinder.Bakshi () ontario ca>
Date: Fri, 13 Nov 2009 11:54:58 -0500
Danux, Unfortunately the PCI Auditor lacks the authority to skip the review of the log server whether your Cardholder Data network is segmented or not. You may want to download the PCI DSS Requirements and Security Assessment Procedures Version 1.2 from PCI Security Standards Council's website https://www.pcisecuritystandards.org/ May I kindly suggest utilizing your energy in a positive manner by identifying PCI DSS gaps and fixing them prior to the actual audit. All the best. Narinder Kumar Bakshi CGA, CISA, CFE Senior Information Technology Audit Specialist "God grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference. AMEN"
Narinder Kumar Bakshi CGA, CISA, CFE Senior Information Technology Audit Specialist
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bakshi, Narinder (FIN) Sent: Thursday, November 12, 2009 4:53 PM To: Danux; pen-test () securityfocus com Subject: RE: PCI Compliance Scope Danux, The PCI Auditor would confirm that the audit logging is in place for all access to the segmented network and it is an acceptable form of network segmentation. Furthermore, he/she would validate that the log host is secure as if required it is needed for the forensics and log host is a key hacker's target as they don't want to be caught and want to erase their footprints by dry-cleaning the logs. All the best. Narinder Kumar Bakshi CGA, CISA, CFE Senior Information Technology Audit Specialist -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Danux Sent: Thursday, November 12, 2009 10:27 AM To: pen-test () securityfocus com Subject: PCI Compliance Scope Question for PCI experts: During a PCI Audit the Auditor told us that all the Security Devices protecting Cardholder Data are also part of PCI Scope, which makes sense for IDS/IPS, FW, AD, so on but what about a Log Management tool? This means that my Log Management Centralized Server solution which is getting logs not just for PCI assets but for the whole network ... is gonna be in scope? if so? This means all 300 security devices sending the logs (Servers, WStations, Data Bases, AV) to the Centralized server are in scope Too? if so? Then, obviously I need to find a way to isolate & split the Log Management Server from the whole network to only monitor PCI assets but that entails to buy a new costly license to have another Centralized log server, which is not doable for us. Have you ever had the same problem? so that you can share the way to resolve it WITHOUT adding new software/hardware? I think I need to create a kind of PCI Security Devices Zone isolated from the network but not sure if that works for PCI Auditor. Please share your ideas. -- Danux ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: PCI Compliance Scope, (continued)
- Re: PCI Compliance Scope Gary E. Miller (Nov 13)
- Re: PCI Compliance Scope rajat swarup (Nov 13)
- Re: PCI Compliance Scope David M. Zendzian (Nov 13)
- RE: PCI Compliance Scope Jason Hurst (Nov 13)
- Re: PCI Compliance Scope Danux (Nov 16)
- Re: PCI Compliance Scope David Glosser (Nov 12)
- Re: PCI Compliance Scope David M. Zendzian (Nov 13)
- Re: PCI Compliance Scope Dotzero (Nov 16)
- RE: PCI Compliance Scope Bakshi, Narinder (FIN) (Nov 13)