On Wed, 07 Apr 2010 14:06:41 PDT, Tracy Reed said:
> On Wed, Apr 07, 2010 at 12:43:47PM -0400, Valdis.Kletnieks@xxxxxx spake
> thusly:
> > Whether said checkbox is actually the best solution *for the actual problem*
> > is the issue. I've seen cases where checkbox auditors insisted that a
> > certain critical system "absolutely positively *HAD* to have a firewall".
>
> This is where compensating controls come in with PCI. If there is an
> even better solution you are free to implement it.

Yes, the PCI "compensating controls" are overall a Good Thing. Unfortunately,
a lot of regulatory regimes don't see things that way yet. And it still
requires a clued PCI auditor who actually understands the real world enough
to deal with compensating controls.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/