July 13th, 2006, 01:42 PM
Yes, the tools are good for the client. As a QDSP who works for a large QDSC, we don't use any specific programs. I mean, we use nessus when we scan, and things like that, but we have our own Office documents that we use to take notes and track items checked, and generate a ROC...but there is no automated plug-in solution that spits out a big green checkmark or big red X to indicate pass or fail.
Originally posted here by SysLog
You are right, no single vendor can go the distance and claim complete support for all the requirements that the compliance regulators pose.
There was this whitepaper from Symantec on PCIDSS
(free registration is required to view the doc.) where he has mentioned that sections 1, 3 & 9 are not covered by Syamtec solutions.
Also i can across many vendors like NetForensics , EventLog Analyzer , SenSage who provide compliance reports.
But i guess, no software tool can entirely model all the nitty-gritties of the compliance requirements, but ofcourse they can only assist us to some extent, which makes the above tools useful for sysadmins / management during audits.
Check out the PCI assessors forum. They call it the "Auditor Community Site", but Visa^UPCI makes a big deal about using the term ASSESSMENT and ASSESSOR, not AUDIT, due to the liability and legal ramifications of those 2 different words...
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
July 14th, 2006, 08:01 AM
From the required software tools perspective what i could articulate from some of the discussions in the pcifile forums is that we must have some basic tools like vulnerability scanner (like nessus, eEye, scanfi, etc...), log forensics tools (like netforensics, fwanalyzer, loglogic, ...), remediation tools (like patchquest, shavlik..) etc. with good reporting would go a long way in assisting us during our audits...oops..assessment . But of course, as mentioned there is no "single size fits all" solution to PCI
Guess i will recommend some of the thoughts from the discussions at these forums to my organization!
July 16th, 2006, 04:31 PM
They have to be high level in order to blanket everyone. Each entity has specifics that will fall within the general requirements. If they were to say something like, "Passwords must be 10 chars long..." This may pose operational issues, etc. for specific industries and further more, their business processes.
how can we do audits when the requirements are so generalized, this is really tough on the merchants and sys admin guys
Most people stick to the NIST 800 series guides to security. Same goes for me.
Tenable, makers of Nessus, also do PCI and other reg compliance reporting now in their security console product. Thus far, I'm pleased with the results.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden