--- On Mon, 7/27/09, Michael Graham <[email protected]> wrote:

> Obviously, meeting an arbitrary metric shouldn't absolve you of the
> responsibility to make your own risk decisions as appropriate to your
> business and your customers, and after having done so it doesn't absolve you
> of the responsibility to execute those risk decisions properly. Compound
> this absurd notion that PCI compliance divests you of core custodian
> responsibilities with the questionable value of PCI itself and we've got the
> PCI council helping all of us into an overall worse security situation, not a
> better one, regardless of intent.

All PCI is, is something to keep you from being sued by the card brands (and vice versa). Sooner or later diligence will be legally required.

S.773 (the Cybersecurity Act of 2009) is at least a smell of smoke over the horizon. Anyone who thinks they can stand up in front of a judge and jury and always get away with those sorts of lame excuses will have another think coming when Critical Infrastructure security is federally mandated (and CI is defined as "whatever the President says it is").

-chris

The Moose is Loose!
http://motleymoose.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
