Michel, Sorry, I didn't understand your first question!
Regarding your 2nd question. You won't get compliant if you update your AV on a annually basis. You shall fail the quarter check done by an QSA(s). So first check is not available. For me if the companies staff is well educated and a we have a good IR team, plus the other goodies you mentioned, then for sure I shall go with selection #2 :) I hate these rules, but really they are something enforced on us. And without them our business can't be done. Or does someone here suggest we close our shops/companies and go home just because we dislike/disagree/hate the PCI Compliance requirements? I think that its not a bad to implement these requirements to get compliant by these companies, and then do what we think is the best. I.e, develop a more security policy to work on top of the PCI or vise versa. Get compliant then go further. BTW: I hope your able to understand my point, as my English seems to be bad :( Regards, ________________________________ From: Michel Messerschmidt <li...@michel-messerschmidt.de> To: full-disclosure@lists.grok.org.uk Sent: Tue, April 27, 2010 12:07:14 AM Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote: > I am not stating that PCI is good in no way, but I am saying that its a MUST > for companies dealing with CC. And in a windows environment, an AV is > important. Did you consider that an anti-virus may actually be the worst security solution for certain threats because it allows companies not to think about security while providing insufficient protection? What's your choice: Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year). Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus. > He probably thought that I am with the rules of PCI, or that I don't have any > idea that the world is not just WINDOWS !!! No, I don't think so. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/