[171454] in North American Network Operators' Group


Re: We hit half-million: The Cidr Report

daemon@ATHENA.MIT.EDU (joel jaeggli)
Wed Apr 30 13:25:11 2014

X-Original-To: nanog@nanog.org
Date: Wed, 30 Apr 2014 10:25:00 -0700
From: joel jaeggli <joelja@bogus.com>
To: Valdis.Kletnieks@vt.edu, Jamie Bowden <jamie@photon.com>
In-Reply-To: <12495.1398875451@turing-police.cc.vt.edu>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On 4/30/14, 9:30 AM, Valdis.Kletnieks@vt.edu wrote:
> On Wed, 30 Apr 2014 15:40:43 -0000, Jamie Bowden said:
>
>> You're not funny.  And if you're not joking, you're wrong.  We just went over
>> this on this very list two weeks ago.
>
> And in that discussion, we ascertained that what the PCI standard actually
> says, and what you need to do in order to get unclued boneheaded auditors to
> sign the piece of paper, are two very different things.
>
> Yes, the PCI standard gives a list of 4 options and then continues on to
> say that other creative solutions are acceptable as well.  But if you
> discover mid-engagement that your auditor *thinks* it says "Thou shalt NAT",
> you have a problem.
>
> Anybody got recommendations on how to make sure the company you engage
> for the audit ends up sending you critters that actually have a clue? (Not
> necessarily PCI, but in general)

So, I've been (formerly) involved in the design/build/operation/refresh
of PCI environments as part of application services for an enterprise with
~ order of .8 billion annually in online sales. The process starts at
the beginning, e.g. before you build it.

If you parachute in a consultant or auditor totally cold, you are going
to have to educate them to the nuances of your particular operation;
it is very similar with SOX controls.

In any event your documentation should be in order, and actual operation
should be as documented.

Ultimately, as was my experience with FERPA/HIPAA compliance in the
educational environment, these should not be taken as mysterious
externalities foisted on operations by hostile regulators, or industrial
cartels, but as part of normal business operations, and internalized as
such.


