In this economy, good luck. It's hard to justify spending money if the
helmets are "good enough to pass". I have found in the past that if a
brick fell down and hit a squirrel in the head, and the squirrel died,
something was done at a quick pace. OR if the squirrel helmets
experienced a catastrophic failure, they would need to be replaced.
On Aug 12, 2009, at 10:23 AM, Jason Wood wrote:
So I have a "hypothetical" situation that I'd like some ideas on.
Say you go through a PCI audit and certain things that you know are
a problem are not marked as such by the auditor. (we can get into
getting a new QSA later.) To make up a completely fake scenario,
let's say that item 15.3 requires all squirrels to wear helmets when
running the credit card numbers from the web server to the database
server. (squirrelNet anyone?) The QSA says that there are no
problems and that the squirrels are wearing helmets properly. The
issue is that the helmets are made of newspaper and don't look like
a helmet from anything beyond a passing glance.
As the admin/squirrel handler, I want to justify getting proper
helmets on the squirrels. However, here's this audit report which
states that there's no problem here. How do you go about justifying
"real" squirrel helmets when the QSA says everything is good?
Chances are good management is going to look at the report and tell
you to leave the newspaper hats in place because it is good enough
for the QSA.
Short of calling up the QSA and asking him WTF (and getting in hot
water for doing so), how do you deal with this?
Here are some of the ideas that have occurred to me:
Explain to management what squirrel helmets really are supposed to
be and that not every QSA is going to be so... casual about them.
Explain that PCI is a minimum set of requirements and doesn't ensure
actual security.
Club a squirrel on the head and demonstrate that newspaper isn't an
adequate helmet.
How do you deal with justifying security improvements when an audit
report says that everything is blue skies and happy days?
Thanks,
Jason
P.S. SquirrelNet was inspired by @beaker and no actual squirrels
were used to run credit card numbers or were clubbed on the head
while writing this email.
--
irc: Tadaka
Twitter: Jason_Wood
jwnetworkconsulting.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com