Comments on PCI DSS News and Information for Higher Education: Self-Assess Like a QSA?

S (2011-11-14 05:08):

Good morning,

I have a question.
Would you please tell me if the QSA just verifies the documentation, configuration and stuff, or does some tests like penetration tests to verify that what the documentation says is true, and, like in requirement 10.2.2, the QSA tries to log in with root privilege to verify that it is logged?

Thanks.

Walt Conway (2011-11-14 16:51):

Good question. In the case where the QSA is doing an assessment, they need to verify that what is documented actually exists. That can be by examining configurations, interviewing staff, and observing administrator actions and results.

When you complete your SAQ, the idea is that you might want to use the same guidelines for what counts as "in place." It is a higher standard than many schools might be using today, but it will give you more peace of mind re your security and actual compliance.

S (2011-11-15 04:16):

So, all the QSA has to do is review the documentation/configuration and interview staff to make sure it was done.
But is it enough? In requirement 11, for example, does the QSA just have to review the results of the scans? There are no penetration tests?

Thanks!

Walt Conway (2011-11-16 19:12):

While it will depend on the QSA, I would imagine they would use the same QSA standard (as in a ROC) for evidence of compliance. If a pen test is required, the QSA would review the credentials of the tester as well as the findings and remediation. Same for all the requirements. My points are (1) that the QSA is likely to require a higher standard of proof of compliance than internal staff (business and IT) might require, and (2) shouldn't you use the same standard?

Great comments. Thanks.