I am writing this sitting on Caltrain from San Jose to San Francisco, heading to RSA, armed with my "hitlist" of people to meet and companies to check. Also wielding my Mogul (and Mike R)-induced pessimism and my evil sense of humor.
While I am here on a train, I also wanted to highlight something interesting about PCI and log management (and log management systems). Rebecca Herold correctly takes me to task (here and here) for missing the difference between "PCI-compliant log management" (which is a concept - and it obviously does exist) and "PCI-compliant log management system" (which is an actual physical box or a set of boxes with software - and it doesn't exit since PCI DSS doesn't "rate" the compliance of logging systems).
So:
If you decided to deploy a log management technologies and tools in order to satisfy PCI DSS requirements, you are doing "PCI log management" and there is no issue with that. If you happen to be in possession of a "PCI compliant log management system", I would like to see that :-)
Rebecca also correctly cringed at my loose usage of the word "certify." I have to disclose that I used it not in the formal "C&A" sense, but just to mean "rate" or "indicate the level of" compliance. Given that I am often the one to fight for the correct usages of terms in our area, I think I need to be more careful in the future. For example, I like to use the word "evidence" only in the context of forensics and legal process, not just as "evidence for making a conclusion." And don't even get me started on "threat" and "vulnerability" :-)
1 comment:
Dr. Anton, thank you for your post; I appreciate your diplomacy. :) My hat is off to you, sir!
Have a great time at RSA!
Rebecca
Post a Comment