Network Security Security-Basics

Re: RE: ISO 27001 mapping to PCI

Subject: Re: RE: ISO 27001 mapping to PCI
Date: 27 Feb 2008 16:45:20 -0000
Hopefully there is just some miscommunication here.  I agree with Craig that 
you just cannot map a control in SOX/HIPAA/ISO 27001 to a control in PCI and be 
done with it.  If it was that simple, I'd have a lot more free time to do 
things that I consider more interesting.

However, one can take a policy/standard/procedure for SOX/HIPAA/etc. and 
ensure that it effectively covers the PCI requirements as well (take having a 
security policy).  The hope is thus to have one policy/standard/procedure that 
encompasses everything.   I think/hope this is what Sheldon was talking about. 

Last, I agree with Craig that scope is vital to audits.  Who cares what 
policies one has in place if the scope does not cover the right areas?  If you 
are only taking CC data through a web-based application and are not storing any CC 
data, does an HR laptop really fall under the PCI scope?  Does that web server 
fall under HIPAA?  

There is no "magic" mapping button.  Some things can be utilized across 
multiple audits, but without a well defined scope, any audit is destined for 
problems.  

I will conclude by stating that I have yet to see any two standards (SOX, PCI, 
HIPAA, etc.) where there is a direct 1-1 mapping of policies/procedures.  
There has always been something that was applicable *only* to those machines that 
were defined as being in the scope of the standard.
