Friday, April 04, 2008

Rebecca Herold on PCI and Logging

Rebecca Herold is doing some fun - if a bit lightweight - writing on PCI and logging. She also touches on using logs to deal with insiders. My ego is telling me to be upset since she doesn't mention either a "PCI Compliance" book (free chapter on logging for PCI is here) or any of my other related writing, but I will survive it :-)

However, she makes one snafu that makes me cringe (and also think negative thoughts :-) about this whole thing): she mentioned a "PCI-compliant log management system." This is clearly an absurd concept: PCI DSS does not certify log management system as "PCI -compliant." She also quotes others a bit too much to my taste...

In any case, check it out here.

1 comment:

Anonymous said...

Dr. Anton, I'm delighted to see that you read one of my papers, and I welcome your constructive criticism!

However, there is an important misstatement you made that I want to address, and I did so in my most recent blog posting at

It is important to note that the passage you supposedly quoted from my article does not appear in this, or the other two, papers in my PCI DSS logging series; it made me cringe to see the misquote and your misstatements.

It is also important to note that I do not state anywhere in the papers that creating risk-based programs that also meet compliance with any of numerous laws, regulations or standards in any way provides a type of certification. These are both interesting and important topics that I cover in my blog posting.

With regard to being "lightweight," you are certainly correct that, when it comes to log management technology and knowing all about the bits and bytes involved, you are indeed the Super Heavyweight Log Management Champion! I know that with regard to log management specifics and deep technology expertise I am not only a lightweight, but in comparison with you I am barely a light flyweight. :) However, I am very comfortable with my many years of experience in information security, privacy, compliance and auditing.

When it comes to communicating with business leaders and helping them to not only create a risk-based information protection compliance program, it is also important to point out to them how the activities involved will also benefit the business. I know from many years of working and communicating with business leaders, managers and CxOs that they also always want to know multiple viewpoints.

If we're at the same conference sometime (perhaps Interop/CSI SX or Secure360?) I'd enjoy a face-to-face discussion with you about this, and other, topics!

Best regards,


Dr Anton Chuvakin