Being a Security Professional
Being a security professional can be a curse when logically thinking your way through compliance initiatives. No compliance initiative should be a substitute for a sound information security program, but we as security professionals often get caught in the compliance trap. We’ve been beating the security drum for years, yet our musical stylings have gone unappreciated. Enter a compliance initiative and all of the sudden someone is forcing the business to do what we’ve been telling them to do all along! We tend to take advantage of this new security spending windfall and add all kinds of stuff to purchase orders in the name of compliance.
E se fossero i Social Media ad usare Voi?, by Simone Lovati
QSAs are guilty of this as well. Often times a QSA knows there is a security issue that needs correcting, and tells a merchant to do something to satisfy it in the name of PCI DSS. For example, the process of scanning a location quarterly for rogue wireless devices is a badly constructed joke whereby the punchline is met with crickets from the crowd. If you are serious about detecting rogue wireless devices, you need to have something constantly searching and cataloging, and you need personnel to walk the floors to look for things physically out of place ((Also, would the WIDS vendors please stop cheering after reading this. We get it, and we heard you. Every year since this thing got started. And at every community meeting. Go sell your product on VALUE and don’t fall into the compliance trap.)).
So if you approach PCI DSS from a security professional’s point of view, you might make up a requirement for Wireless Intrusion Detection Systems (WIDS) to be installed as a means to meet PCI Requirement 11.1. In fact, I was guilty of doing this for merchants using WiFi point-of-sale (POS) devices. I recommended this to one of my customers even though there is nowhere in the PCI DSS that supports this notion. It’s darn good sense, but not a requirement.
Possibly Related Posts:
- PCI DSS 4.0 Released plus BOOK DETAILS!
- PCI Council Loses $600K in Revenue, PO Population on the Decline
- Why PCI DSS 4.0 Needs to be a Complete Rewrite
- Orfei Steps Down
- Should you be a PCI Participating Organization?