Penetration Testing
Thread: PCI Compliance Scope
  PCI Compliance Scope          Nov 12 2009 03:27PM  Danux (danuxx gmail com) (4 replies)
  RE: PCI Compliance Scope      Nov 12 2009 09:52PM  Bakshi, Narinder (FIN) (Narinder Bakshi ontario ca) (1 reply)
  RE: PCI Compliance Scope      Nov 12 2009 07:13PM  Erin Carroll (amoeba amoebazone com) (2 replies)
  Re: PCI Compliance Scope      Nov 12 2009 08:42PM  Eric Milam (emilam coretechsg com) (1 reply)
  Re: PCI Compliance Scope      Nov 12 2009 09:30PM  Tracy Reed (treed ultraviolet org) (1 reply)
  Re: PCI Compliance Scope      Nov 12 2009 09:34PM  Eric Milam (emilam coretechsg com) (1 reply)
  Re: PCI Compliance Scope      Nov 12 2009 10:18PM  Danux (danuxx gmail com) (5 replies)
>
> 2) The log server is a "connected" system and by PCI definitions it is
> in-scope. Now other things that are outside of the cardholder
> environment that connect to the log server are still outside of scope
> because connected systems of connected systems are not in-scope :)
>
The log server may be a connected server or it may be within the CDE.
Either way you are going to have to show that you are maintaining the
integrity of the system and have an appropriate audit trail. This is
much easier to maintain when handling logs that are from outside the
CDE by using pull rather than push for those logs.

Ultimately, this discussion and many of the comments within it help
emphasize the difference between security and compliance.