Dealing with auditors (was Re: We hit half-million: The Cidr Report)

William Herrin bill at
Wed Apr 30 21:31:53 UTC 2014

On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon at> wrote:
> On 4/30/2014 11:30 AM, Valdis.Kletnieks at wrote:
>> And in that discussion, we ascertained that what the PCI standard actually
>> says, and what you need to do in order to get unclued boneheaded auditors
>> to sign the piece of paper, are two very different things.
> I am no longer active on the battlefield but as of the last time I was, it
> can't be did.
> For years I managed various aspect of a UNIVAC 1100 operation and the audits
> thereof.  EVERY TIME, we were dinged badly because we didn't look like an
> IBM shop (some may be surprised to learn that different hardware and
> different operating systems require very different operating procedures (and
> it appeared to us that some of the things they wanted us to do would weaken
> us badly, others just simply didn't make any sense, and we got dinged for
> things we DID do, because they were strange.

I won the argument with PCI auditors about leaving telnet alive on my
exterior router (which at the time would have had to be replaced to
support ssh). It's not a chore for the timid. You'd better be a heck
of a guru before you challenge the auditors expectations and you'd
better be prepared for your boss' aggravation that the audit isn't
done yet.

And I think we pretty well established that PCI auditors arrive
expecting to see NAT.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list