Re: [fw-wiz] PCI DSS & Firewalls

On Thu, 2009-04-02 at 09:31 -0500, Paul D. Robertson wrote:
> But they fail at that level in so far as they don't help small and
> mid-sized companies know what they really need to do- does a small company
> with 5 servers *really* need to separate every single function onto its
> own system?

*They* is not the PCI council. *They* is the Qualified Security
Assessors. It's up to them to help companies become PCI compliant. They
use the checklist, and they report back about compliance status. If your
QSA doesn't help small and mid-sized companies know what they really
need to do, then the QSA is at fault. In that case, provide feedback to the
PCI council. They love to hear about the performance of QSAs. Crappy ones
can lose their certification quickly :)

> But the buy in is to check the boxes so they don't get fined- and the
> boxes are checkable by interpretation. Outside of a few basic
> requirements, things are vague, ambiguous and not helpful at all- frankly,
> it's the worst "standard" I've seen in ~25 years of computer security- and
> I've rarely seen good ones.

I disagree. I'm happy that it's "vague or ambiguous" as you call it.
That allows me as a QSA to properly secure the client. I wouldn't want
to be forced to implement a crappy checklist to the letter. Every
company is unique (you might call it ambiguous), so implementing
security controls requires flexibility.

> I also agree with Marcus that it's the Pen Tester's Employment Security

Wouldn't you want to test your security controls periodically?


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

