Dealing with auditors (was Re: We hit half-million: The Cidr Report)

William Herrin bill at herrin.us
Wed Apr 30 21:31:53 UTC 2014


On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon at cox.net> wrote:
> On 4/30/2014 11:30 AM, Valdis.Kletnieks at vt.edu wrote:
>> And in that discussion, we ascertained that what the PCI standard actually
>> says, and what you need to do in order to get unclued boneheaded auditors
>> to sign the piece of paper, are two very different things.
>
> I am no longer active on the battlefield but as of the last time I was, it
> can't be did.
>
> For years I managed various aspects of a UNIVAC 1100 operation and the audits
> thereof.  EVERY TIME, we were dinged badly because we didn't look like an
> IBM shop (some may be surprised to learn that different hardware and
> different operating systems require very different operating procedures). It
> appeared to us that some of the things they wanted us to do would weaken
> us badly, others just simply didn't make any sense, and we got dinged for
> things we DID do, because they were strange.

I won the argument with PCI auditors about leaving telnet alive on my
exterior router (which at the time would have had to be replaced to
support ssh). It's not a chore for the timid. You'd better be a heck
of a guru before you challenge the auditors' expectations, and you'd
better be prepared for your boss's aggravation that the audit isn't
done yet.

And I think we pretty well established that PCI auditors arrive
expecting to see NAT.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
