On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <larryshel...@cox.net> wrote:
> On 4/30/2014 11:30 AM, valdis.kletni...@vt.edu wrote:
>> And in that discussion, we ascertained that what the PCI standard actually
>> says, and what you need to do in order to get unclued boneheaded auditors
>> to sign the piece of paper, are two very different things.
>
> I am no longer active on the battlefield but as of the last time I was, it
> can't be did.
>
> For years I managed various aspect of a UNIVAC 1100 operation and the audits
> thereof. EVERY TIME, we were dinged badly because we didn't look like an
> IBM shop (some may be surprised to learn that different hardware and
> different operating systems require very different operating procedures (and
> it appeared to us that some of the things they wanted us to do would weaken
> us badly, others just simply didn't make any sense, and we got dinged for
> things we DID do, because they were strange.

I won the argument with PCI auditors about leaving telnet alive on my exterior router (which at the time would have had to be replaced to support ssh). It's not a chore for the timid. You'd better be a heck of a guru before you challenge the auditors' expectations and you'd better be prepared for your boss' aggravation that the audit isn't done yet.

And I think we pretty well established that PCI auditors arrive expecting to see NAT.

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004