[171459] in North American Network Operators' Group


Re: Dealing with auditors (was Re: We hit half-million: The Cidr

daemon@ATHENA.MIT.EDU (William Herrin)
Wed Apr 30 17:32:21 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <536169C5.6060607@cox.net>
From: William Herrin <bill@herrin.us>
Date: Wed, 30 Apr 2014 17:31:53 -0400
To: Larry Sheldon <LarrySheldon@cox.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon@cox.net> wrote:
> On 4/30/2014 11:30 AM, Valdis.Kletnieks@vt.edu wrote:
>> And in that discussion, we ascertained that what the PCI standard actually
>> says, and what you need to do in order to get unclued boneheaded auditors
>> to sign the piece of paper, are two very different things.
>
> I am no longer active on the battlefield but as of the last time I was, it
> can't be did.
>
> For years I managed various aspects of a UNIVAC 1100 operation and the audits
> thereof.  EVERY TIME, we were dinged badly because we didn't look like an
> IBM shop (some may be surprised to learn that different hardware and
> different operating systems require very different operating procedures (and
> it appeared to us that some of the things they wanted us to do would weaken
> us badly, others just simply didn't make any sense, and we got dinged for
> things we DID do, because they were strange.

I won the argument with PCI auditors about leaving telnet alive on my
exterior router (which at the time would have had to be replaced to
support ssh). It's not a chore for the timid. You'd better be a heck
of a guru before you challenge the auditors' expectations and you'd
better be prepared for your boss' aggravation that the audit isn't
done yet.

And I think we pretty well established that PCI auditors arrive
expecting to see NAT.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
