Home page logo

pen-test logo Penetration Testing mailing list archives

Re: PCI Compliance Scope
From: Dotzero <dotzero () gmail com>
Date: Fri, 13 Nov 2009 13:23:52 -0500

On Thu, Nov 12, 2009 at 10:02 PM, David M. Zendzian <dmz () dmzs com> wrote:

2) The log server is a "connected" system and by PCI definitions it is
in-scope.  Now other things that are outside of the cardholder
environment that connect to the log server are still outside of scope
because connected systems of connected systems are not in-scope :)

The log server may be a connected server or it may be within the CDE.
Either way you are going to have to show that you are maintaining the
integrity of the system and have an appropriate audit trail. This is
much easier to maintain when handling logs that are from outside the
CDE by using pull rather than push for those logs.

Ultimately, this discussion and many of the comments within it help
emphasize the difference between security and compliance.

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]