July 13th, 2006 01:42 PM
Yes, the tools are good for the client. As a QDSP who works for a large QDSC, we don't use any specific programs. I mean, we use nessus when we scan, and things like that, but we have our own Office documents that we use to take notes and track items checked, and generate a ROC...but there is no automated plug-in solution that spits out a big green checkmark or big red X to indicate pass or fail.
Originally posted here by SysLog
You are right, no single vendor can go the distance and claim complete support for all the requirements that the compliance regulators pose.
There was this whitepaper from Symantec on PCIDSS
(free registration is required to view the doc.) where he has mentioned that sections 1, 3 & 9 are not covered by Symantec solutions.
Also I came across many vendors like NetForensics, EventLog Analyzer, SenSage who provide compliance reports.
But I guess no software tool can entirely model all the nitty-gritties of the compliance requirements, but of course they can only assist us to some extent, which makes the above tools useful for sysadmins / management during audits.
Check out the PCI assessors forum. They call it the "Auditor Community Site", but Visa^UPCI makes a big deal about using the term ASSESSMENT and ASSESSOR, not AUDIT, due to the liability and legal ramifications of those 2 different words...
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore