They have to be high level in order to blanket everyone. Each entity has specifics that will fall within the general requirements. If they were to say something like, "Passwords must be 10 chars long...", this may pose operational issues, etc. for specific industries and, furthermore, their business processes. How can we do audits when the requirements are so generalized? This is really tough on the merchants and sysadmin guys.
Most people stick to the NIST 800 series guides to security. Same goes for me.
Tenable, makers of Nessus, also do PCI and other reg compliance reporting now in their security console product. Thus far, I'm pleased with the results.
--TH13