[Owasp-pci-project] How Worthwhile is the Effort?

Daniel Herrera daherrera101 at yahoo.com
Wed Jun 3 12:43:04 EDT 2009


So I think this can turn into a long discussion, Brad :).

My general counter stance would be that, in the absence of the recurring yearly measurement that PCI DSS provides, the average organization would be doing a lot less; some outliers would of course have the resources to do more and others would have no resources at all. It's a bell curve.

@James, I agree that the organization is pretty much left out to dry. However, I still don't believe this is the fault of PCI; there is no verbiage that states the PCI DSS is the playbook to protect any organization, mitigation != prevention. I firmly believe that it is up to the organization itself to decide if security is an initiative they can afford to pursue beyond the credit industry's, and really the financial industry's, minimum requirements.

To state plainly now, I am not a QSA so I am sure there are others with more educated opinions, but I am sharing my thoughts and perspective as a security professional.

Thanks,


Daniel

--- On Wed, 6/3/09, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:

From: McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com>
Subject: Re: [Owasp-pci-project] How Worthwhile is the Effort?
To: 
Cc: owasp-pci-project at lists.owasp.org
Date: Wednesday, June 3, 2009, 9:10 AM

I like the quote and agree that PCI is about protecting the credit card
industry more than it is just about securing an organization, but reality
also says that it is the organization that makes the headlines whenever
they falter...

-----Original Message-----
From: owasp-pci-project-bounces at lists.owasp.org
[mailto:owasp-pci-project-bounces at lists.owasp.org] On Behalf Of Brad
Andrews
Sent: Wednesday, June 03, 2009 11:52 AM
To: Daniel Herrera
Cc: owasp-pci-project at lists.owasp.org
Subject: [Owasp-pci-project] How Worthwhile is the Effort?


I agree with this assessment of PCI, but it does raise a serious question
about what we are trying to accomplish.

Many business people will continue to just want the check-off.  How much
value are we adding with our effort here?  I personally don't want to
totally waste my time.  I know some of it will only be marginally
useful, but I don't want it to be totally wasted.

How useful is what we are doing?

--
Brad Andrews
RBA Communications
SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Daniel Herrera <daherrera101 at yahoo.com>:

> A wise acquaintance of mine once told me the purpose of PCI DSS was
> not to secure an organization, but to mitigate potential risk to the
> credit industry.
_______________________________________________
Owasp-pci-project mailing list
Owasp-pci-project at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-pci-project
