[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: Full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: Digital X <digitalx00@xxxxxxxxx>
- Date: Wed, 07 Apr 2010 15:52:00 -0600
>>> Whether said checkbox is actually the best solution *for the actual problem*
>>> is the issue. I've seen cases where checkbox auditors insisted that a
>>> certain critical system "absolutely positively *HAD* to have a firewall".
>>
>> This is where compensating controls come in with PCI. If there is an
>> even better solution you are free to implement it.
>
> Yes, the PCI "compensating controls" are overall a Good Thing. Unfortunately,
> a lot of regulatory regimes don't see things that way yet. And it still
> requires a clued PCI auditor who actually understands the real world enough
> to deal with compensating controls.
Having just gone through a PCI audit I can safely say a few things:
A) Approaching compliance from a risk management approach went out the
window
B) Items the auditor didn't understand absolutely went back to a checkmark
mentality
C) Items that were gray areas were treating VERY liberally in their
interpretation
Bleh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/