Re: Compliance Is Wasted Money, Study Finds

[Christian Sciberras <uuf6429 () gmail com>]

Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.

Were you even following the thread? There's been at least 4 times were
different people cited different parts of the standard.
But I would suppose that there's always the possibility of someone imagining
the standard, who knows!

AV is about 4 requirements out of over 230 requirements

Actually, it's the 5th out of 12...
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Many views in this thread sound like drowning people who reject a lifeboat
because it doesn't match their eye colour.

And I take it the lifeboat matched your eye-colour?
By your comparison, it doesn't match my eye colour and neither the amount of
holes in the lifeboat as I would deem "safe".
Sure, some people would evacuate on a handkerchief if it means less money
more compliance.

I don't think you grasped the point either, so I won't argue with the rest
of your message.


On Tue, Apr 27, 2010 at 12:34 AM, Lyal Collins <lyalc () swiftdsl com au>wrote:

> Has everyone on this list read the PCI DSS requirements?
> They are freely available, at www.pcisecuritystandards.org.
>
> AV is about 4 requirements out of over 230 requirements, covering secure
> coding/development, patching, network security, hardening systems, least
> privilege, robust authenticaiton, staff probity, physical security,
> obligations on third parties, annual risk assessments and improvements,
> pluss annually re validating all of these security control areas.
>
> Many views in this thread sound like drowning people who reject a lifeboat
> because it doesn't match their eye colour.
>
> PCI DSS isn't perfect, but it is fairly comprehensive about
> confidentiality.
> In terms of all organisational information security threats, PCI DSS lacks
> a
> focus on DR/BCP and integrity of data and system (other than that subset of
> threats affecting protection of card data).  I posit that DR and data
> integrity are as much a commercial decision as a information security
> goals,
> for which simple, repeatable processes are already available and resonably
> well known amongst IT professionals.
>
> Anti-virus and anti-malware products are not perfect either, but they are
> better than the alternative of 'doing nothing until a perfect solution is
> found", an undertone I see so often in this list and among many
> well-intentioned but unsuccessful security professionals at sites I visit.
>
> Implementing any halfway decent solution is almost always better than doing
> nothing, when it comes to reducing risk and increasing assurance.
> Implementing ongoing improvements is cost effective spend of scarce
> security/IT dollars.
> Building the "perfect' security solution is too expensive and takes too
> long
> - by the time it's delviered, security threats have moved on, and you
> remain
> vulnerable.
>
> There are some dreadful compliance programs out there.  There are some
> excellent compliance standards.
> The
>
>
> lyal
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/