Remind the customer that the QSA is insulated from retribution and will be nowhere near when your customer's company makes the evening news, the front pages, the re-tweet express, etc?
Jack

On Wed, Aug 12, 2009 at 1:23 PM, Jason Wood<[email protected]> wrote:
> So I have a "hypothetical" situation that I'd like some ideas on.
>
> Say you go through a PCI audit and certain things that you know are a
> problem are not marked as such by the auditor. (we can get into getting a
> new QSA later) To make up a completely fake scenario, let's say that item
> 15.3 requires all squirrels to wear helmets when running the credit card
> numbers from the web server to the database server. (squirrelNet anyone?)
> The QSA says that there are no problems and that the squirrels are wearing
> helmets properly. The issue is that the helmets are made of newspaper and
> don't look like a helmet from anything beyond a passing glance.
>
> As the admin/squirrel handler, I want to justify getting proper helmets on
> the squirrels. However, here's this audit report which states that there's
> no problem here. How do you go about justifying "real" squirrel helmets
> when the QSA says everything is good? Chances are good management is going
> to look at the report and tell you to leave the newspaper hats in place
> because it is good enough for the QSA.
>
> Short of calling up the QSA and asking him WTF (and getting in hot water for
> doing so), how do you deal with this?
>
> Here are some of the ideas that have occurred to me:
>
> Explain to management what squirrel helmets really are supposed to be and
> that not every QSA is going to be so... casual about them.
> Explain that PCI is a minimum set of requirements and doesn't ensure actual
> security.
> Club a squirrel on the head and demonstrate that newspaper isn't an adequate
> helmet.
>
> How do you deal with justifying security improvements when an audit report
> says that everything is blue skies and happy days?
>
> Thanks,
> Jason
>
> P.S. SquirrelNet was inspired by @beaker and no actual squirrels were used
> to run credit card numbers or were clubbed on the head while writing this
> email.
>
> --
>
> irc: Tadaka
> Twitter: Jason_Wood
> jwnetworkconsulting.com
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
