[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: Michel Messerschmidt <lists@xxxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: Shaqe Wan <sha8e@xxxxxxxxx>
- Date: Mon, 26 Apr 2010 22:54:17 -0700 (PDT)
Michel,
Sorry, I didn't understand your first question!
Regarding your 2nd question. You won't get compliant if you update your AV on a
annually basis. You shall fail the quarter check done by an QSA(s). So first
check is not available. For me if the companies staff is well educated and a we
have a good IR team, plus the other goodies you mentioned, then for sure I
shall go with selection #2 :)
I hate these rules, but really they are something enforced on us. And without
them our business can't be done. Or does someone here suggest we close our
shops/companies and go home just because we dislike/disagree/hate the PCI
Compliance requirements?
I think that its not a bad to implement these requirements to get compliant by
these companies, and then do what we think is the best. I.e, develop a more
security policy to work on top of the PCI or vise versa. Get compliant then go
further.
BTW: I hope your able to understand my point, as my English seems to be bad :(
Regards,
________________________________
From: Michel Messerschmidt <lists@xxxxxxxxxxxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Tue, April 27, 2010 12:07:14 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote:
> I am not stating that PCI is good in no way, but I am saying that its a MUST
> for companies dealing with CC. And in a windows environment, an AV is
> important.
Did you consider that an anti-virus may actually be the worst security
solution for certain threats because it allows companies not to think
about security while providing insufficient protection?
What's your choice:
Company A installs an anti-virus and updates it regularly (BTW regularly
includes once a year).
Company B has a recovery concept, incident response team, vulnerability
monitoring, patch management, NIDS, security training but no anti-virus.
> He probably thought that I am with the rules of PCI, or that I don't have any
> idea that the world is not just WINDOWS !!!
No, I don't think so.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/