From: Clint P. Garrison (garrison.clint@gmail.com)
Date: Fri Mar 13 2009 - 11:23:34 CDT
Hey Jamie,
There's a lot more required of QSAs than just writing a check. Straight
from the PCI Council website:
The high-level qualification requirements are as follows. Prospective QSA
companies must:
* Apply as a firm for qualification in the program;
* Provide documentation adhering to the Validation Requirements for
Qualified Security Assessors (QSA) v. 1.1
* *Qualify individual employees, through training and testing, to perform
the assessments;* and
* Execute an agreement with the PCI Security Standards Council governing
performance.
Also, PCI is based on an agreement between card brands, acquirers and
merchants. The examples you gave are related to dealing with government
entities, which are completely different. I've been dealing with PCI for a
while now and can say that the issues with QSAs' competence are no
different than other auditing firms. Arthur Andersen used to be a leading
auditing firm and was regulated... Stuff happens.
I hope you see my point. PCI is a whole lot better than nothing at all. If
you have issues with the process, then I encourage you to get active with
the PCI Council and try to help us improve it rather than demonizing it
outright.
Clint
On Fri, Mar 13, 2009 at 9:03 AM, DAIL, WILLARD A <ADAIL@sunocoinc.com> wrote:
>
> I've met some very sharp QSAs, and some who could use a lot of training
> or experience. I'd say pretty much at the same rate as other security
> professionals.
>
> The notion that PCI companies are somehow worse off than the general
> business community is, I think, inaccurate. Security has to be
> functional at some point and yes, PCI leaves room for improvement as a
> program, but it sure as heck is better than nothing, and nothing is
> exactly what most merchants were doing before PCI was forced on them by
> the card brands.
>
> A comparison would be to look at the rate of breaches among PCI-scoped
> Acquiring Banks, and non PCI-scoped issuing banks. The issuing banks
> have top security people, operate under GLBA and other tight federal
> requirements, and they still get breached.
>
> I've also observed that IT Security is still very much an art, rather
> than a science (meaning it is not always repeatable and verifiable given
> the same set of circumstances). As an art, it requires an artist.
> Artists do seem to think they have "the correct interpretation" and
> their way is the right way. I've also been amazed at the egos present
> in this field, by people who really shouldn't indulge the luxury of
> having one.
>
> It's very easy for inexperienced IT Security staffers to get caught up in
> the technology of the job. The real truth is that the technology is
> merely a set of tools to help observe, and to some degree regulate,
> human behaviors.
>
>
> -----Original Message-----
> From: dataloss-bounces@datalossdb.org
> [mailto:dataloss-bounces@datalossdb.org] On Behalf Of Jamie C. Pole
> Sent: Friday, March 13, 2009 8:18 AM
> To: dataloss@datalossdb.org
> Subject: Re: [Dataloss] Visa Puts Heartland on Probation Over Breach
>
>
> Oh wow! That's going to make a HUGE difference!
>
> Let's not forget that they WERE PCI "compliant" when they got breached.
> How is hiring another clueless QSA going to change the basic facts here?
>
> The whole PCI "standard" is a joke. The PCI Standards Body needs to go
> the way of the dodo, and the whole QSA concept needs to be eliminated.
> The only way there will ever be any reasonable level of assurance that
> credit card transactions are safe is for a body made up of COMPETENT
> security professionals to come together to define meaningful controls
> that will actually make a difference. And the whole "pay to play" QSA
> game needs to be replaced with a process whereby COMPETENT security
> professionals are able to demonstrate proficiency by actions, NOT by
> virtue of the fact that their application fee check cleared.
>
> Actually, I wonder if they take credit cards for the QSA fees? :-^
> Maybe the QSA criteria should be "show us that you have breached a
> payment processor, and we'll let you test other payment processors..."
> If that happened, the list of approved QSA providers would be VERY small
> - and I'd bet that VERY few, if any of the people on the current list
> would be on the new list.
>
> This same thing is going to keep occurring over and over and over until
> the PCI program itself is overhauled. With the current "controls" in
> the PCI DSS, I'm not sure how any of these people sleep at night.
> Especially when you consider that the QSA providers seem to all be
> relying on automated scanning tools when they do their assessments. Two
> words come to mind - unlimited liability.
>
> I love the part about "more stringent conditions"... What? They have
> to run Nessus or Qualys ONCE a month instead of quarterly? That's
> definitely going to make a difference! Twice nothing is still nothing.
> I suck at math, but even I can work that one out. (By the way, no
> offense meant to Nessus - it's a great product that I use myself - I
> just don't believe in basing C&A decisions on automated
> tools.)
>
> Gotta love this world we live in - the PCI people have mortgaged the
> future of their industry in order to sell QSA "subscriptions"...
>
> Jamie
>
>
_______________________________________________
Dataloss Mailing List (dataloss@datalossdb.org)