Date: Tue, 27 Apr 2010 15:32:54 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Lyal Collins <lyalc@...ftdsl.com.au>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds

Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.

Were you even following the thread? There have been at least 4 times where
different people cited different parts of the standard.
But I would suppose that there's always the possibility of someone imagining
the standard, who knows!

AV is about 4 requirements out of over 230 requirements

Actually, it's the 5th out of 12...
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Many views in this thread sound like drowning people who reject a lifeboat
because it doesn't match their eye colour.

And I take it the lifeboat matched your eye colour?
By your comparison, it doesn't match my eye colour, and neither does the number of
holes in the lifeboat match what I would deem "safe".
Sure, some people would evacuate on a handkerchief if it means less money,
more compliance.

I don't think you grasped the point either, so I won't argue with the rest
of your message.


On Tue, Apr 27, 2010 at 12:34 AM, Lyal Collins <lyalc@...ftdsl.com.au> wrote:

> Has everyone on this list read the PCI DSS requirements?
> They are freely available, at www.pcisecuritystandards.org.
>
> AV is about 4 requirements out of over 230 requirements, covering secure
> coding/development, patching, network security, hardening systems, least
> privilege, robust authentication, staff probity, physical security,
> obligations on third parties, annual risk assessments and improvements,
> plus annually re-validating all of these security control areas.
>
> Many views in this thread sound like drowning people who reject a lifeboat
> because it doesn't match their eye colour.
>
> PCI DSS isn't perfect, but it is fairly comprehensive about
> confidentiality.
> In terms of all organisational information security threats, PCI DSS lacks a
> focus on DR/BCP and integrity of data and system (other than that subset of
> threats affecting protection of card data).  I posit that DR and data
> integrity are as much a commercial decision as information security goals,
> for which simple, repeatable processes are already available and reasonably
> well known amongst IT professionals.
>
> Anti-virus and anti-malware products are not perfect either, but they are
> better than the alternative of "doing nothing until a perfect solution is
> found", an undertone I see so often in this list and among many
> well-intentioned but unsuccessful security professionals at sites I visit.
>
> Implementing any halfway decent solution is almost always better than doing
> nothing, when it comes to reducing risk and increasing assurance.
> Implementing ongoing improvements is a cost effective spend of scarce
> security/IT dollars.
> Building the "perfect" security solution is too expensive and takes too long
> - by the time it's delivered, security threats have moved on, and you remain
> vulnerable.
>
> There are some dreadful compliance programs out there.  There are some
> excellent compliance standards.
> The
>
>
> lyal
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
