Aug 13 2009
This morning when I collected a bunch of PCI articles I thought people might be interested in, I thought that was going to be the end of it. Not much could have been farther from the truth. The PCI furor caused by the comments of Robert Carr has grown, with some serious outrage and some even more serious thought about who’s responsible for securing the enterprise. I think it’s very good; we need to have this sort of debate for people to realize that it’s not the responsibility of a compliance program, an auditor or an assessor to secure a network. People like me are there to validate the protections that are in place, but it’s the people who manage the network who have to secure it. And the ultimate manager of the network is always the CEO.
- PCI, QSAs, Hackers and Slacker: Will the real enemy please stand up? – Bill Brenner tries to take a moderate approach to the original article, which I personally find inappropriate, but he’s allowed his opinion.
- Heartland CEO and Outrage – I think Adam’s defending Mr. Carr. Either that or he’s saying that the outrage is just as wrong as the original statement, but that would be insanity.
- Incomplete Thought: Compliance, Governance, Audit and Risk aka GRC We’re doing it wrong – “It’s all about risk, even when you don’t think it is.” Very true words.
- Bob Carr: “QSA’s let us down.” And things never heard by a QSA – “Please, penetrate my network deeper” That just sounds wrong. And I know I’ll never hear that from a client.
- The Auditor’s Prerogative – No network is so squeaky clean that a decent assessor can’t find at least one mistake. But that doesn’t mean the assessor is the enemy.
- Standards aren’t security: PCI compliance and Heartland’s data breach – A secure network often means a compliant network. But a compliant network only sometimes means a secure network. Therefore COMPLIANCE DOES NOT EQUAL SECURITY!