[same as mail sent on sage list, copied here for everyone's benefit]

On Mon, Aug 08, 2011 at 02:45:04PM +0200, Aleksandar Ivanisevic spake thusly:
> Are you PCI certified and have employee-owned computers connecting
> to your network? How do you handle the requirement 1.4 of the PCI
> SAQ?

Scope is important here. Are employee-owned computers connecting to an in-scope part of the network? I would strongly recommend against that. Definitely make sure employee-owned computers are out of scope. Then none of the requirements you quoted apply. If they are on a separate segment firewalled off and you only allow through the ports necessary for things to work, they are generally out of scope.

> How does one enforce that an employee on a computer which is owned
> by him does not change the firewall rules other than banning
> employee-owned computers?

You don't. You ban employee-owned computers from being on the in-scope network. You firewall them off and only allow through that which is really necessary. If remote access software is involved, make them VPN into a DMZ (not in scope) and have some form of two-factor auth, and let them remote access into the in-scope network from there.

-- 
Tracy Reed
Digital signature attached for your safety.
Copilotco Professionally Managed PCI Compliant Secure Hosting
866-MY-COPILOT x101 http://copilotco.com
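As an added illustration of the segmentation Tracy describes (this ruleset is not part of the original message and is not Copilotco's configuration), here is an nftables forward-chain policy that keeps an employee-owned device segment and a DMZ out of scope while allowing only the traffic the remote-access path needs. Interface names (emp0, dmz0, cde0), the addresses, and the choice of VPN and remote-access ports are all assumptions made for the example; the two-factor check itself happens on the VPN concentrator and is not expressed in firewall rules.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed layout:
#   emp0  = employee-owned device segment (kept out of scope)
#   dmz0  = DMZ holding the VPN concentrator and a jump host (out of scope)
#   cde0  = cardholder data environment (in scope)
# Constructed addresses for the example:
#   10.10.0.0/24  employee segment
#   10.20.0.10    VPN concentrator in the DMZ (enforces two-factor auth)
#   10.20.0.20    jump host in the DMZ, reachable only through the VPN
#   10.30.0.0/24  CDE

flush ruleset

table inet segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections an accept rule below already admitted.
        ct state established,related accept
        ct state invalid drop

        # Employee segment may reach only the VPN concentrator in the DMZ
        # (assumed OpenVPN on UDP 1194 plus TLS on 443).
        iifname "emp0" oifname "dmz0" ip saddr 10.10.0.0/24 ip daddr 10.20.0.10 udp dport 1194 accept
        iifname "emp0" oifname "dmz0" ip saddr 10.10.0.0/24 ip daddr 10.20.0.10 tcp dport 443 accept

        # Employee segment must never reach the CDE directly: log, then drop.
        iifname "emp0" oifname "cde0" log prefix "emp->cde denied: " drop

        # Only the jump host may enter the CDE, and only on the remote-access
        # ports assumed here (SSH and RDP); nothing else in the DMZ can.
        iifname "dmz0" oifname "cde0" ip saddr 10.20.0.20 ip daddr 10.30.0.0/24 tcp dport { 22, 3389 } accept

        # Record whatever falls through so the policy can be reviewed.
        log prefix "forward denied: " drop
    }
}
```

Load it with `nft -f <file>` on the gateway that sits between the three segments. The point of the layout is that no rule ever names emp0 and cde0 together with an accept, so an employee changing the firewall on their own machine gains nothing: the boundary is enforced on a device they do not control, and the logged drops give the assessor evidence that the segmentation holds.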
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/