Penetration Testing mailing list archives
Re: PCI Compliance Scope
From: Dotzero <dotzero () gmail com>
Date: Fri, 13 Nov 2009 13:23:52 -0500
On Thu, Nov 12, 2009 at 10:02 PM, David M. Zendzian <dmz () dmzs com> wrote:
2) The log server is a "connected" system and by PCI definitions it is in-scope. Now other things that are outside of the cardholder environment that connect to the log server are still outside of scope because connected systems of connected systems are not in-scope :)
The log server may be a connected server or it may be within the CDE. Either way you are going to have to show that you are maintaining the integrity of the system and have an appropriate audit trail. This is much easier to maintain when handling logs that are from outside the CDE by using pull rather than push for those logs. Ultimately, this discussion and many of the comments within it help emphasize the difference between security and compliance.
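As an added illustration of the pull-versus-push point above (this is example code, not code from the thread or from any poster): the log server decides which hosts it polls, so out-of-scope hosts never hold credentials that let them write into the log store, and every pulled line is appended to a hash-chained audit trail whose integrity can be checked later. The "remote" hosts are simulated with an in-memory dict so the script runs offline; the host names, log lines and allow-list are constructed.

```python
"""Pull-based log collection with a hash-chained audit trail (added example)."""
import hashlib
import json

# Constructed sample: what the log server would see when it polls each host.
# In a real deployment the fetch would be initiated by the log server
# (e.g. rsync/scp over SSH with a read-only key), never pushed by the host.
REMOTE_LOGS = {
    "web01": [
        b"Nov 13 13:01:02 web01 sshd[412]: Accepted publickey for deploy from 10.0.5.7",
        b"Nov 13 13:01:09 web01 sudo: deploy : COMMAND=/usr/bin/systemctl restart app",
    ],
    "web02": [
        b"Nov 13 13:02:41 web02 sshd[981]: Failed password for root from 10.0.9.3",
    ],
    # A host the log server was never told to poll: its lines must be ignored.
    "rogue": [b"Nov 13 13:03:00 rogue kernel: forged entry"],
}

# The log server owns this list; sources cannot add themselves to it.
ALLOWED_SOURCES = {"web01", "web02"}

GENESIS = "0" * 64  # prev-hash of the first record


class AuditTrail:
    """Append-only record list where each record commits to the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record):
        # Hash the canonical JSON of the committed fields (not the hash itself).
        payload = json.dumps(
            {k: record[k] for k in ("seq", "source", "line", "prev")},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, source, line):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "source": source,
            "line": line.decode("utf-8", errors="replace"),
            "prev": prev,
        }
        record["hash"] = self._digest(record)
        self.entries.append(record)

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1


def pull_logs(remote, allowed, trail):
    """Poll only the allow-listed hosts and append their lines; return the count."""
    pulled = 0
    for source in sorted(allowed):  # deterministic order for a reproducible chain
        for line in remote.get(source, []):
            trail.append(source, line)
            pulled += 1
    return pulled


if __name__ == "__main__":
    trail = AuditTrail()
    print("pulled", pull_logs(REMOTE_LOGS, ALLOWED_SOURCES, trail), "lines")
    print("chain intact:", trail.verify() == -1)
    trail.entries[1]["line"] = "edited after the fact"
    print("first bad record after tampering:", trail.verify())
```

The chain detects any edit or insertion in the middle of the trail, but not silent truncation of the tail; in practice the latest hash is periodically copied somewhere the log server cannot rewrite (a WORM store or a second host) so that a shortened trail no longer matches its anchor.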