I would explain to management that PCI is simply a least common denominator and should not be treated as the end-all, be-all of information security. PCI merely attempts to address a minimum set of criteria that will mitigate a large portion of the threats that your organization is facing. That being said, it's unrealistic to expect any accreditation to address every threat.
-Joel
"The path to hell is paved with good intentions."

On Wed, Aug 12, 2009 at 12:23 PM, Jason Wood <[email protected]> wrote:
> So I have a "hypothetical" situation that I'd like some ideas on.
>
> Say you go through a PCI audit and certain things that you know are a problem are not marked as such by the auditor. (We can get into getting a new QSA later.) To make up a completely fake scenario, let's say that item 15.3 requires all squirrels to wear helmets when running the credit card numbers from the web server to the database server. (SquirrelNet, anyone?) The QSA says that there are no problems and that the squirrels are wearing helmets properly. The issue is that the helmets are made of newspaper and don't look like a helmet from anything beyond a passing glance.
>
> As the admin/squirrel handler, I want to justify getting proper helmets on the squirrels. However, here's this audit report which states that there's no problem here. How do you go about justifying "real" squirrel helmets when the QSA says everything is good? Chances are good management is going to look at the report and tell you to leave the newspaper hats in place because it is good enough for the QSA.
>
> Short of calling up the QSA and asking him WTF (and getting in hot water for doing so), how do you deal with this?
>
> Here are some of the ideas that have occurred to me:
>
> - Explain to management what squirrel helmets really are supposed to be and that not every QSA is going to be so... casual about them.
> - Explain that PCI is a minimum set of requirements and doesn't ensure actual security.
> - Club a squirrel on the head and demonstrate that newspaper isn't an adequate helmet.
>
> How do you deal with justifying security improvements when an audit report says that everything is blue skies and happy days?
>
> Thanks,
> Jason
>
> P.S. SquirrelNet was inspired by @beaker and no actual squirrels were used to run credit card numbers or were clubbed on the head while writing this email.
>
> --
>
> irc: Tadaka
> Twitter: Jason_Wood
> jwnetworkconsulting.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
