> Has everyone on this list read the PCI DSS requirements?
> They are freely available, at www.pcisecuritystandards.org.

Were you even following the thread? There's been at least 4 times where different people cited different parts of the standard. But I would suppose that there's always the possibility of someone imagining the standard, who knows!

> AV is about 4 requirements out of over 230 requirements

Actually, it's the 5th out of 12...
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

> Many views in this thread sound like drowning people who reject a lifeboat
> because it doesn't match their eye colour.

And I take it the lifeboat matched your eye colour? By your comparison, it doesn't match my eye colour and neither the amount of holes in the lifeboat as I would deem "safe". Sure, some people would evacuate on a handkerchief if it means less money, more compliance.

I don't think you grasped the point either, so I won't argue with the rest of your message.

On Tue, Apr 27, 2010 at 12:34 AM, Lyal Collins <ly...@swiftdsl.com.au> wrote:

> Has everyone on this list read the PCI DSS requirements?
> They are freely available, at www.pcisecuritystandards.org.
>
> AV is about 4 requirements out of over 230 requirements, covering secure
> coding/development, patching, network security, hardening systems, least
> privilege, robust authentication, staff probity, physical security,
> obligations on third parties, annual risk assessments and improvements,
> plus annually re-validating all of these security control areas.
>
> Many views in this thread sound like drowning people who reject a lifeboat
> because it doesn't match their eye colour.
>
> PCI DSS isn't perfect, but it is fairly comprehensive about
> confidentiality.
> In terms of all organisational information security threats, PCI DSS lacks a
> focus on DR/BCP and integrity of data and system (other than that subset of
> threats affecting protection of card data).
> I posit that DR and data
> integrity are as much a commercial decision as information security goals,
> for which simple, repeatable processes are already available and reasonably
> well known amongst IT professionals.
>
> Anti-virus and anti-malware products are not perfect either, but they are
> better than the alternative of 'doing nothing until a perfect solution is
> found', an undertone I see so often in this list and among many
> well-intentioned but unsuccessful security professionals at sites I visit.
>
> Implementing any halfway decent solution is almost always better than doing
> nothing, when it comes to reducing risk and increasing assurance.
> Implementing ongoing improvements is a cost effective spend of scarce
> security/IT dollars.
> Building the "perfect" security solution is too expensive and takes too long
> - by the time it's delivered, security threats have moved on, and you remain
> vulnerable.
>
> There are some dreadful compliance programs out there. There are some
> excellent compliance standards.
> The
>
>
> lyal
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/