|
Penetration Testing
PCI Compliance Scope Nov 12 2009 03:27PM Danux (danuxx gmail com) (4 replies) RE: PCI Compliance Scope Nov 12 2009 09:52PM Bakshi, Narinder (FIN) (Narinder Bakshi ontario ca) (1 replies) RE: PCI Compliance Scope Nov 12 2009 07:13PM Erin Carroll (amoeba amoebazone com) (2 replies) Re: PCI Compliance Scope Nov 12 2009 09:32PM David Glosser (david glosser gmail com) (1 replies) Re: PCI Compliance Scope Nov 12 2009 08:42PM Eric Milam (emilam coretechsg com) (1 replies) Re: PCI Compliance Scope Nov 12 2009 09:30PM Tracy Reed (treed ultraviolet org) (1 replies) Re: PCI Compliance Scope Nov 12 2009 09:34PM Eric Milam (emilam coretechsg com) (1 replies) Re: PCI Compliance Scope Nov 12 2009 10:18PM Danux (danuxx gmail com) (5 replies) |
|
|
Privacy Statement |
Is your log server transmitting or storing sensitive credit card data?
Is the log server strictly a "receiver" - does it have write access
to any of the devices which could be transmitting or storing card
data?
If there's no credit card info on the logs, and all of the devices
which are storing or transmitting card data are segmented away from
inbound access via the log server, then you should be able to keep it
outside of scope.
The goal is to look at vectors of attack. If you cannot get to any
sensitive data using the log server as a launching point (thanks to
firewalls, ACLs, etc) then it's segmented and not in scope.
JJ
On Thu, Nov 12, 2009 at 9:27 AM, Danux <danuxx (at) gmail (dot) com [email concealed]> wrote:
> Question for PCI experts:
>
> During a PCI Audit the Auditor told us that all the Security Devices
> protecting Cardholder Data are also part of PCI Scope, which makes
> sense for IDS/IPS, FW, AD, so on but what about a Log Management tool?
>
> This means that my Log Management Centralized Server solution which is
> getting logs not just for PCI assets but for the whole network ... is
> gonna be in scope?
> if so? This means all 300 security devices sending the logs (Servers,
> WStations, Data Bases, AV) to the Centralized server are in scope Too?
>
> if so?
>
> Then, obviously I need to find a way to isolate & split the Log
> Management Server from the whole network to only monitor PCI assets
> but that entails to buy a new costly license to have another
> Centralized log server, which is not doable for us.
>
> Have you ever had the same problem? so that you can share the way to
> resolve it WITHOUT adding new software/hardware?
>
> I think I need to create a kind of PCI Security Devices Zone isolated
> from the network but not sure if that works for PCI Auditor.
>
> Please share your ideas.
> --
> Danux
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
[ reply ]