[Owasp-pci-project] More clarification on separation

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Tue Jun 2 10:26:08 EDT 2009


Part of the question can vary depending on ethics, integrity,
corporate power structure, etc. Putting some metrics around this will be
important not just for PCI but can have the additional side effect of
creating more folks who make application security their full-time
job.

-----Original Message-----
From: Trey Ford [mailto:ford.trey at gmail.com] 
Sent: Monday, June 01, 2009 2:11 PM
To: McGovern, James F (HTSC, IT)
Cc: Owasp-pci-project at lists.owasp.org
Subject: Re: [Owasp-pci-project] More clarification on separation

I guess the good news is that PCI is prescriptive enough to give us
something specific to look at.  I guess the good/bad news is that PCI
isn't overly prescriptive enough to allow us to adapt it to larger and
smaller companies.

Someone really wise once told me that 'compliance isn't an absolute
line'.  He painted this mental picture for me:  If you picture two sides
of a scale, if one side is heavier you're compliant, and if the other
is, you're not.  If you start moving a couple of grains of sand from one
side to the other, just enough to achieve compliance, you've probably
lost focus.  (I am attempting to plagiarize and probably grossly
misquoting M. Dahn here)

Compliance in this context, at its finest, is a measurement of the
performance of a security program.

The core of the question is, are the resources performing the testing
sufficiently independent to be purely objective? Could their
findings be pressured or manipulated due to who they report to?

Does that help?