> Some people in the information security industry actually care about
> securing systems and the information they contain rather than filling
> in check boxes.

So what's the problem? .. if you have done it according to (or
exceeding) the spec .. check the box, buy a box of donuts for the
auditor .. let them look it over, and be done with it.

> Compliance may ensure a minimum standard is met, but
> it does not ensure or imply that real security is being maintained at
> an organization.

If VISA (et al.) could define "real security" and write it down, they
would. What is "real security" exactly? .. I'd argue the only "secure"
computer is one that's still sealed in the factory carton. Break the
seal, game over .. just like it says on a box of Band-Aids: "Sterility
guaranteed until opened".

> As you say, PCI has become a cost of doing business whereas having a
> secure network is apparently not a cost of doing business.  This is a
> problem.

The thinking goes .. that if you implement the PCI standards and aim to
actually do as they suggest (meaning doing what the document suggests
*correctly* .. not just having a blinking light in place so you can check
a box) .. you're already down the right path.

Even so .. the problem with securing networks/systems is there's
millions of "them" and only a few of "you". Also .. you have to be right
100% of the time, and "they" only have to get lucky once.

My $10.02 ($10 minimum purchase on all credit cards). **

Cheers,

Michael Holstein
Cleveland State University

** : yes, I know this goes against the merchant agreement .. sarcasm.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
