List: security-basics
Subject: Re: RE: ISO 27001 mapping to PCI
From: "W. Lee Schexnaider" <l.schex () gmail ! com>
Date: 2008-02-27 22:24:19
Message-ID: b8f0957a0802271424r90a8a09t8f414877eb2852e3 () mail ! gmail ! com
evilwon12 said:
> I will conclude by stating that I have yet to see any two standards (SOX, PCI,
> HIPAA, etc.) where there is a direct 1-1 mapping of policies/procedures. There
> has always been something that was applicable *only* to those machines that were
> defined as being in the scope of the standard.
Yes, this is correct. One part of the work I do is to attach a text
"extension" to a link between the section of a standard and the common
control statement. The control statements tend to be written at a
high level. The extension is where we put details about the control in
the standard. But the linking to a common control set helps to produce
a cross-standard view of compliance for an organization.
Lee
On 27 Feb 2008 16:45:20 -0000, <evilwon12@yahoo.com> wrote:
> Hopefully there is just some miscommunication here. I agree with Craig that you
> just cannot map a control in SOX/HIPAA/ISO 27001 to a control in PCI and be done
> with it. If it were that simple, I'd have a lot more free time to do things that I
> consider more interesting.
>
> However, one can take a policy/standard/procedure for SOX/HIPAA/etc. and ensure
> that it effectively covers the PCI requirements as well (take having a security
> policy). Thus, hopefully, having one policy/standard/procedure to encompass
> everything. I think/hope this is what Sheldon was talking about.
>
> Last, I agree with Craig that scope is vital to audits. Who cares what policies
> one has in place if the scope does not cover the right areas? If you are only
> taking CC data through a web-based application and are not storing any CC data, does
> an HR laptop really fall under the PCI scope? Does that web server fall under HIPAA?
>
> There is no "magic" mapping button. Some things can be utilized across multiple
> audits, but without a well-defined scope, any audit is destined for problems.
>
> I will conclude by stating that I have yet to see any two standards (SOX, PCI,
> HIPAA, etc.) where there is a direct 1-1 mapping of policies/procedures. There
> has always been something that was applicable *only* to those machines that were
> defined as being in the scope of the standard.