Agreed.

-----Original Message-----
From: Paul Beltrani [mailto:[email protected]]
Sent: Friday, January 29, 2010 1:58 PM
To: seph
Cc: Tal Cohen; [email protected]
Subject: Re: PCI compliance and Linux AV, was Re: Desktop policies and UNIX-ish operating systems

Requirement: 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Testing Procedure: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

Our auditor interpreted that to mean "ANY server", e.g. systems unlikely to be "affected by malicious software" were appliances or things like routers and switches.

As you said, it's whatever your auditor/consultant decides. IMO, one of the downsides to the PCI compliance process is that it's common to have your consultant also be your auditor.

- Paul Beltrani

On Fri, Jan 29, 2010 at 1:04 PM, seph <[email protected]> wrote:
> Tal Cohen <[email protected]> writes:
>
>> Re-read the PCI DSS 1.2 standard, it only requires the virus scans for
>> systems that are commonly prone to vulnerabilities.
>
> This is requirement 5.1. In version 1.1 this had a note saying:
>
> Systems commonly affected by viruses typically do not include
> UNIX-based operating systems or mainframes.
>
> That note was removed for version 1.2.
>
> How you interpret that is up to you and your auditors. Mine have a
> different conclusion than you.
>
> seph
> _______________________________________________
> bblisa mailing list
> [email protected]
> http://www.bblisa.org/mailman/listinfo/bblisa
