in this discussion.
lyal
From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Tuesday, 27 April 2010 11:33 PM
To: Lyal Collins
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Has everyone on this list read the PCI DSS
On Tue, Apr 27, 2010 at 08:58:24AM -0400, Honer, Lance wrote:
What's your choice:
Company A installs an anti-virus and updates it regularly (BTW
regularly
includes once a year).
Company B has a recovery concept, incident response team,
vulnerability
monitoring, patch management, NIDS,
A = Spend money on compliance
'A' is *mandatory* if you choose to do certain operations in-house.
Why is this so hard to understand?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted
Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Mon, April 26, 2010 4:19:27 PM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
OK.
All those in favour of PCI raises their hands.
Kidding aside, of course it is a must, since the said companies
: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
used to discuss security measures.
As such, it is only natural to argue with PCI's possible security flaws.
Besides, in a democratic society (where CC do operate
Sciberras
Sent: Tuesday, 27 April 2010 5:37 PM
To: Shaqe Wan
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a monopoly? How
do I know that PCI Standards writers are getting a nice
:59:59 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
used to discuss security measures.
As such, it is only natural to argue with PCI's possible security flaws.
Besides, in a democratic
--
*From:* Christian Sciberras uuf6...@gmail.com
*To:* Shaqe Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 10:37:24 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install
...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 11:22:59 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
In short, you just said that PCI compliance _is_ a waste of time and money.
Why else would you protect something which
is useless. money should be spent on
being secure.
take it for what it cost you,
-Jeff
Date: Tue, 27 Apr 2010 10:34:22 +0200
From: uuf6...@gmail.com
To: sh...@yahoo.com
CC: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Where did I say
Your comparison doesn't work.
It's not A versus B, it's A versus C, with C being Company does
nothing because it can't afford a thorough security program.
On Mon, Apr 26, 2010 at 2:07 PM, Michel Messerschmidt
li...@michel-messerschmidt.de wrote:
On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe
Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.
AV is about 4 requirements out of over 230 requirements, covering secure
coding/development, patching, network security, hardening systems, least
privilege, robust authentication,
] Compliance Is Wasted Money, Study Finds
Shaqe Wan wrote:
I am not stating that PCI is good in no way, but I am saying that it's a
MUST for companies dealing with CC. And in a windows environment, an AV
is important.
He probably thought that I am with the rules of PCI, or that I don't
have
than this argue ?
Regards,
From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 4:19:27 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
OK.
All those
] Compliance Is Wasted Money, Study Finds
Shaqe Wan wrote:
I am not stating that PCI is good in no way, but I am saying that it's a
MUST for companies dealing with CC. And in a windows environment, an AV
is important.
He probably thought that I am with the rules of PCI, or that I don't
have any
] Compliance Is Wasted Money, Study Finds
On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote:
I am not stating that PCI is good in no way, but I am saying that it's a MUST
for companies dealing with CC. And in a windows environment, an AV is
important.
Did you consider that an anti
Sent: Mon, April 26, 2010 3:48:05 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
PCI only requires antivirus for systems commonly affected by
viruses. This means Windows. PCI security council has said that UN*X
OSs etc. are not required to have antivirus
-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 9:59:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used
to discuss security measures.
As such, it is only natural to argue with PCI's
will :p
Regards,
From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 10:37:24 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced
11:34:22 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Where did I say that it's a waste of time and money?
Here you go:
I 100% agree with you
about most of the companies seek the paper work and get PCI certified
and don't really bother about true security measures
What's your choice:
Company A installs an anti-virus and updates it regularly (BTW
regularly
includes once a year).
Company B has a recovery concept, incident response team,
vulnerability
monitoring, patch management, NIDS, security training but no
anti-virus.
You do realize that PCI says
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:22:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
In short, you just said that PCI compliance _is_ a waste of time and money.
Why else would you protect something which
...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:34:22 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Where did I say that it's a waste of time and money?
Here you go:
I 100% agree with you
about most of the companies seek the paper work
Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.
Were you even following the thread? There's been at least 4 times where
different people cited different parts of the standard.
But I would suppose that there's always the
@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 10:37:24 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a monopoly?
How do I know that PCI Standards writers are getting a nice commission off
me installing the anti-virus
will :p
Regards,
--
*From:* Christian Sciberras uuf6...@gmail.com
*To:* Shaqe Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 10:37:24 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being
:* Tue, April 27, 2010 9:59:59 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at
least, is used to discuss security measures.
As such, it is only natural to argue with PCI's possible security
flaws.
Besides
Sciberras uuf6...@gmail.com
*To:* Shaqe Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 10:37:24 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a monopoly?
How do I
*Sent:* Tue, April 27, 2010 9:59:59 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at least,
is used to discuss security measures.
As such, it is only natural to argue with PCI's possible security
flaws
Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 10:37:24 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a
monopoly? How do I know that PCI Standards writers
...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 10:37:24 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a
monopoly? How do I know that PCI Standards writers are getting a nice
-disclosure@lists.grok.org.uk
*Sent:* Tue, April 27, 2010 9:59:59 AM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at
least, is used to discuss security measures.
As such, it is only natural to argue with PCI's
Besides, in a democratic society (where CC do operate as well), you can't
force someone to install an anti-virus just because _you_ think it is
secure.
This isn't a democracy .. it's a business.
You want to process credit cards in-house, you need to comply with the
PCI standards. It
My point isn't about a particular section, nor whether the amount of
experience I have in PCI DSS compliance (which is next to novice).
So we can agree that you're arguing about something with which you have
no experience?
The point is, what's PCI aiming at?
It's on the first
On Tue, 27 Apr 2010 13:48:11 EDT, Michael Holstein said:
You've already stated in a prior email that you have no involvement with
PCI implementation on either side of the fence (hell no, was your
answer, I believe) .. so I don't see where you're really qualified to
make a categorical
If a business wants to accept credit cards as a means of payment (based on
volume) then part of their agreement is that they must undergo compliance to
a standard implemented by the industry
PCI (Payment Card Industry) compliance is what people HAVE to do, as in
FORCED to do whether they
--On Tuesday, April 27, 2010 13:37:39 -0700 J Roger securityho...@gmail.com
wrote:
Is PCI Compliance a giant bluff from VISA? Have any large companies ever been
forced to stop processing CCs because they failed to be PCI compliant?
They don't force you to stop processing. They fine you.
I would have hoped cross-platform virii were nothing new to you guys?
Or am I wrong?
On Mon, Apr 26, 2010 at 6:16 AM, Tracy Reed tr...@ultraviolet.org wrote:
On Mon, Apr 26, 2010 at 12:07:05AM -0400, valdis.kletni...@vt.edu spake
thusly:
On Sun, 25 Apr 2010 20:25:47 PDT, Tracy Reed said:
Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM
Shaqe Wan wrote:
snip
Because it shall be nonsense to deal with CC, and not have an Anti-virus for
example !!
Well, you see, _that_ is abject nonsense on its face.
Do you have any
Then, as I said, the PCI requirements are total nonsense...
You say this based on absolutely zero understanding of what the
requirements are, by your own admission?
On Sun, Apr 25, 2010 at 8:40 PM, Nick FitzGerald
n...@virus-l.demon.co.uk wrote:
Tracy Reed to me:
Anyone authoritatively
with you, in case you need some
clarification regarding it.
Regards,
Shaqe
--- On Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk wrote:
From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure
with you, in case you need
some clarification regarding it.
Regards,
Shaqe
--- On *Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk* wrote:
From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure
PCI only requires antivirus for systems commonly affected by
viruses. This means Windows. PCI security council has said that UN*X
OSs etc. are not required to have antivirus.
--
Tracy Reed
http://tracyreed.org
Just an FYI...if your nix devices are in scope, my last audit (4 weeks ago)
...@gmail.com
*To:* Shaqe Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Mon, April 26, 2010 3:54:20 PM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Why exactly are you complying with Nick's statements? I would have thought
you guys were arguing
is not just WINDOWS !!!
Regards,
From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 3:54:20 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Why exactly
Shaqe Wan wrote:
I am not stating that PCI is good in no way, but I am saying that it's a
MUST for companies dealing with CC. And in a windows environment, an AV
is important.
He probably thought that I am with the rules of PCI, or that I don't
have any idea that the world is not just
On Mon, 26 Apr 2010 16:20:01 +0200, Pieter de Boer said:
Nick's point was (at least, this is how I understood it ;) that AV is
not necessarily the best approach to protect your systems against
malware. If you have implemented a better way to protect your systems
against malware, but the
On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote:
I am not stating that PCI is good in no way, but I am saying that it's a MUST
for companies dealing with CC. And in a windows environment, an AV is
important.
Did you consider that an anti-virus may actually be the worst security
IMO, PCI is not that big security policy, but without it you're not able to use
the credit card companies' gateway. I think it's just the basics that any company
dealing with CC must implement.
Because it shall be nonsense to deal with CC, and not have an Anti-virus for
example !!
Shaqe Wan wrote:
snip
Because it shall be nonsense to deal with CC, and not have an Anti-virus for
example !!
Well, you see, _that_ is abject nonsense on its face.
Do you have any understanding of one of the most basic of security
issues -- default allow vs. default deny?
There are many
On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly:
Anyone authoritatively stating that antivirus software is a necessary
component of a reasonably secure system is a fool.
No, they just think all the world is Windows.
So _if_, as you and another recent poster strongly
Tracy Reed to me:
Anyone authoritatively stating that antivirus software is a necessary
component of a reasonably secure system is a fool.
No, they just think all the world is Windows.
My comments were, and still are, OS agnostic.
It matters not what the OS -- anyone authoritatively
On Sun, 25 Apr 2010 20:25:47 PDT, Tracy Reed said:
On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly:
Anyone authoritatively stating that antivirus software is a necessary
component of a reasonably secure system is a fool.
No, they just think all the world is Windows.
On Mon, Apr 26, 2010 at 12:07:05AM -0400, valdis.kletni...@vt.edu spake thusly:
On Sun, 25 Apr 2010 20:25:47 PDT, Tracy Reed said:
On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly:
Anyone authoritatively stating that antivirus software is a necessary
component of a
Uhm.. No
Uhm, yes?
It's a 'hassle' if:
You don't have a firewall.
You use default passwords.
You don't protect stored data.
You don't encrypt that data in transit.
You don't use antivirus.
You don't restrict data access.
You don't use unique logins.
You don't log stuff.
You don't test your
2010 4:32 AM
To: Stephen Mullins
Cc: full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Three things:
1) I am one of those people, as many of us are.
2) I disagree - compliance with the standard, as put forth by the body
The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent on compliance is money wasted.
On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote:
I find the findings
Their conclusions are based, IMO, on a flawed methodology.
With some conservative assumptions, the paper indicates that companies
actually spend 50% of their budget protecting secrets versus 20% on
complying with external regulations.
I wrote up a more thorough response which I'll post in a few
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher
Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted
...@securityfocus.com
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent on compliance is money wasted.
On Wed, Apr 21
Of Christopher Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure;
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
The paper concludes that companies are underinvesting
-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent on compliance
Some people in the information security industry actually care about
securing systems and the information they contain rather than filling
in check boxes.
So what's the problem? .. if you have done it according to (or
exceeding) the spec .. check the box, buy a box of donuts for the
auditor
Sciberras; security-bas...@securityfocus.com; full-disclosure
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
I don't see what the hubbub is
Some people in the information security industry actually care about securing
systems and the information they contain rather than
Hale
Cc: full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent
You don't think in-house payment gateways can be as stable as third
party gateways?
Probably not .. it goes back to the how many '9s' can you afford to pay
for question.
But in-house has the advantage of knowing who to yell at when it breaks.
Management generally prefers to yell locally
...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit
Gilbert; Mike Hale; full-disclosure;
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
If you strive for security, and weave that into your network,
complying with PCI should be cake.
Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
any more secure than having server facing
:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
If you strive for security, and weave that into your network,
complying with PCI should be cake.
Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
any more secure than having server facing the wild
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
No problem with that.
1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was
decided that it wasn't worth the trouble
On Fri, Apr 23, 2010 at 3:33 PM, Christian Sciberras uuf6...@gmail.com wrote:
4) I've looked into whether it was in our best interest to use PCI. (it
was decided that it wasn't worth the trouble)
At that time, I knew about PCI but not its details, at which point we got
someone to explain in
, 2010 3:34 PM
*To:* Thor (Hammer of God)
*Cc:* Mike Hale; Stephen Mullins; full-disclosure;
security-bas...@securityfocus.com
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
No problem with that.
1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked
Payment Gateways are a nice alternative to processing credit cards yourself.
Well, as nice as it gets...
Other than that, it's not me that is being absolutist, but rather seeing
this from a company perspective.
Nobody has ever claimed that PCI makes you secure.
Interesting statement. Why's the
Hale; Stephen Mullins; full-disclosure;
security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
I just want to emphasize on a point you mentioned right now:
It means companies illustrate a base of practices required to handle consumer
credit card
*Sent:* Friday, April 23, 2010 3:34 PM
*To:* Thor (Hammer of God)
*Cc:* Mike Hale; Stephen Mullins; full-disclosure;
security-bas...@securityfocus.com
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
No problem with that.
1) No.
2) Planning to, but no.
I actually disagree with the conclusions presented by this paper. I'm
in the process of writing up a more thorough explanation, but my main
issue lies with their key finding on compliance spending.
According to the paper, roughly 40% is spent on directly securing
secrets, and another 40% is
On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:
According to the paper, roughly 40% is spent on directly securing
secrets, and another 40% is spent on compliance of some type. They
further suggest that half of this compliance spending is spent on
internal compliance, and half on
Tracy Reed to Digital X:
Having just gone through a PCI audit I can safely say a few things:
Not the fault of PCI. Perhaps you should consider a better auditor.
Um -- isn't the point that PCI is set up such that lowest (common
denominator amongst) auditors are actually the ones that
On Sat, 10 Apr 2010 18:00:23 -, Thor (Hammer of God) said:
According to the 2009 Verizon Business Breach Report, 81% of the attack
victims were not PCI compliant:
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Verizon Business has gotten a good
On Wed, Apr 07, 2010 at 03:52:00PM -0600, Digital X spake thusly:
Having just gone through a PCI audit I can safely say a few things:
Not the fault of PCI. Perhaps you should consider a better auditor.
--
Tracy Reed
http://tracyreed.org
Whether said checkbox is actually the best solution *for the actual problem*
is the issue. I've seen cases where checkbox auditors insisted that a
certain critical system absolutely positively *HAD* to have a firewall.
This is where compensating controls come in with PCI. If there is an
On 4/6/10 1:23 AM, Ivan . ivan...@gmail.com wrote:
For those who don't frequent slashdot...
Enterprises are spending huge amounts of money on compliance programs
related to PCI-DSS, HIPAA and other regulations, but those funds may
be misdirected in light of the priorities of most
That is not really surprising. Regulations are (fairly) clearly
defined 'tick box' exercises. They avoid three difficult requirements:
identifying what is important and should be protected; identifying
what is an acceptable response; and persuading the executive it is
worthwhile.
If you have a
You say:
...Enterprises are spending huge amounts of money on compliance
programs related to PCI-DSS, HIPAA and other regulations, but those
funds may be misdirected in light of the priorities of most
information security programs, a new study has found...
BALONEY
As an Information Systems
The entire compliance industry has design flaws which cause results to be
skewed such that the intended value is lost.
CompanyA hires a PCI auditor for their annual PCI audit. It is in the
auditors best interest to make sure CompanyA has a pleasant enough
experience with them through the audit up
On Wed, 07 Apr 2010 10:24:00 EDT, Keith Tomler said:
BALONEY
As an Information Systems Auditor, it seems that if you have a valid
finding and a reasonable recommendation, management usually doesn't
act on it.
However, if you have the same finding and recommendation and then cite
a
That's not entirely the case. Auditors aren't robots. It's their job to make
determinations about your organization's capabilities and how they map
against somewhat loosely defined compliance standards that have lots of
wiggle room and lots of gray areas. All the gray areas are extremely useful
to
On Wed, 07 Apr 2010 11:31:28 PDT, J Roger said:
That's not entirely the case. Auditors aren't robots.
Unfortunately, that's far too often not true. Internal audit departments
in particular seem to accumulate people with no real clue, because they
*don't* rely on passing the client in order to
You're right, they aren't robots, they're overpaid tech writers that
memorized just enough industry jargon and buzzwords to talk the talk
without being able to walk the walk.
http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm
On Wed, 07 Apr 2010 14:06:41 PDT, Tracy Reed said:
On Wed, Apr 07, 2010 at 12:43:47PM -0400, valdis.kletni...@vt.edu spake
thusly:
Whether said checkbox is actually the best solution *for the actual problem*
is the issue. I've seen cases where checkbox auditors insisted that a
certain
On Wed, Apr 07, 2010 at 12:43:47PM -0400, valdis.kletni...@vt.edu spake thusly:
I think the issue is a bit deeper than that - the way most regulations are
drafted, they do *not* force entities to do what they should have done in
the first place.
What they *do* force is implementing a
For those who don't frequent slashdot...
Enterprises are spending huge amounts of money on compliance programs
related to PCI-DSS, HIPAA and other regulations, but those funds may
be misdirected in light of the priorities of most information security
programs, a new study has found. A paper