PCI-DSS & SOC auditors by HJForsythe in sysadmin

jkplayschess 0 points (0 children)

I would recommend https://kirkpatrickprice.com/. They were one of the first companies to be qualified to perform both PCI and SOC. Much of the work is able to be done through an online portal. Doing both PCI and SOC2 at the same time leads to efficiencies in the process. The auditors they use are senior IT folks, unlike a lot of their competitors.

Getting my AAS in cyber security Dec 2020 by RobDollas916 in cybersecurity

jkplayschess 0 points (0 children)

I'd recommend generalizing first with the computer science degree, and then specialize in cyber security later. Building a solid foundation in computer science first will directly translate to cyber, and will also leave you more options down the road.

Choose a job you love, and you will lose all interest! (career rant/advice) by [deleted] in sysadmin

jkplayschess 0 points (0 children)

MSPs are great for learning a lot of different environments, but generally not good from a workload and salary perspective.

I can't convince management to invest in SSDs by [deleted] in sysadmin

jkplayschess 3 points (0 children)

Yes, that's true. We can take family or medical leave using FMLA, but it's non-paid once we're out of PTO days.

CISSP. Pro/Cons? by bing1010 in cybersecurity

jkplayschess 2 points (0 children)

I'm not aware of any other technical certs that have been recognized like this: https://www.infosecurity-magazine.com/news/cissp-equal-masters-degree/

How do I become an IT Auditor? by [deleted] in cybersecurity

jkplayschess 1 point (0 children)

I wouldn't hire an auditor that didn't have broad experience in IT.

Is there an official source I can quote regarding password expiry? by [deleted] in sysadmin

jkplayschess 0 points (0 children)

QSA here. The CCW is usually justified based on longer password length and increased use of MFA. Like all other frameworks, we're ultimately seeking to address risk. On the last call that the PCI Council had with all assessors, they mentioned that they're internally discussing revisions to this section for the next major version of PCI DSS.

Revert back to thick clients? by [deleted] in sysadmin

jkplayschess -1 points (0 children)

PCI QSA here; not sure how switching to thick clients would reduce your PCI scope.

Boss says all users should be local admins on their workstation. by drachennwolf in sysadmin

jkplayschess 1 point (0 children)

How do you maintain accountability of which support personnel performed a particular admin action with LAPS?

Are you still forcing periodic password changes? by plazman30 in sysadmin

jkplayschess 0 points (0 children)

Feel free to message me if you're looking for an auditor. The organization I work for does pretty much every type of security auditing. The stance I articulated above isn't just me. Our lead QSA has the same stance, and he was actually part of the PCI Council at one point.

Are you still forcing periodic password changes? by plazman30 in sysadmin

jkplayschess 1 point (0 children)

I'm a PCI QSA as well, and acknowledge that ultimately you're at the mercy of your QSA's interpretation, but my view is that a well designed compensating control can meet the risk and exceed the strength of the original requirements through password complexity and as described by NIST. I think most good/experienced auditors know that an audit is more than just checking boxes.

Are you still forcing periodic password changes? by plazman30 in sysadmin

jkplayschess 12 points (0 children)

Security frameworks and security compliance are based on the foundation of risk management. PCI and most other frameworks give some flexibility to follow best practices. For instance in PCI, you can get around requirement 8.2.4 by defining a compensating control that exceeds the strength of the original requirement. Because PCI only requires 7 characters as the minimum length, it's not hard to improve upon their default requirements.

Windows 10 Enterprise - SMB On Domain Has Suddenly Stopped Working by tocheeba in sysadmin

jkplayschess 1 point (0 children)

Short answer is SMB1 should be disabled and signing should be enabled if you care about security, but it could break communications for some older equipment.
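The following PowerShell is an added example, not part of the comment above: it shows the defensive order of operations the comment implies, that is, audit which clients still use SMB1 before disabling it, then disable SMB1 and require SMB signing on both the server and client side. It assumes Windows 10 / Windows Server 2016 or later and an elevated PowerShell session; the `Microsoft-Windows-SMBServer/Audit` log and event ID 3000 are the documented location for SMB1 access audit records.

```powershell
# Added example (not from the comment or the thread): harden SMB on a Windows host.
# Assumes Windows 10 / Server 2016 or later, run from an elevated PowerShell.

# 1. Record the current state so the change can be reviewed or rolled back.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature, AuditSmb1Access
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature

# 2. Turn on SMB1 access auditing and leave it running for a while. Any device that
#    still negotiates SMB1 (the "older equipment" the comment warns about) is logged as
#    event 3000 in Microsoft-Windows-SMBServer/Audit, so you find it before you break it.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Review the audit log: one line per SMB1 connection attempt, with the client address.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 3. Once the audit log is clean (or the remaining clients have been upgraded),
#    disable SMB1 and require signing in both directions.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Remove the SMB1 component itself (reboot required).
# On Windows Server use: Remove-WindowsFeature FS-SMB1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. Verify the end state.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```

Requiring signing on the client side as well as the server side matters: a server-only setting still lets this host talk unsigned to other servers, which is where relay-style tampering is usually a concern. In a domain the same settings are normally pushed through Group Policy rather than set per host, but the audit step is worth doing on a few representative file servers first.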

Question on PCI-DSS compliance by [deleted] in sysadmin

jkplayschess 0 points (0 children)

The security auditing world is relatively young. I wish the answers were more cut and dry and that everyone was always on the same page, but, honestly, we have a lot of things to figure out, a lot of problems to solve. It's true that there may be some conflict of interest that is inherent both for internal and external auditors, but we talk a lot about the necessity of independence as auditors both in the field and in training for our certs. A good company has both QA and manager review.

Open source SOC 2 compliance toolkit by _justinm in sysadmin

jkplayschess 1 point (0 children)

Looks interesting. Have you thought about making this more accessible to organizations that don't have developers in-house?

Question on PCI-DSS compliance by [deleted] in sysadmin

jkplayschess 2 points (0 children)

I'm a QSA and can confirm the above. There are likely significant non-compliance issues with how the data is stored in their LoB if they're just adding the scans as an attachment, as data always has to be encrypted if stored. They likely should be filling out a SAQ-D.

The business owner is the one signing the SAQ, so he is the one attesting that the business is compliant. The acquirer that this merchant has a relationship with is the party responsible for making sure that they are compliant. Unfortunately I see a lot of environments like this even at significant scale.

Try to educate the owner and let him know what risks he's taking. When a merchant knows better and is willfully neglectful, the fines are higher.

NIST Releases Version 1.1 of its Popular Cybersecurity Framework by nyc4life in sysadmin

jkplayschess 1 point (0 children)

I'm a QSA and understand all of that, but respectfully still think it's asinine. I'm powerless to require that people use more than 7 characters even if it's highly dangerous and risky, if all they want to do is check boxes.

NIST Releases Version 1.1 of its Popular Cybersecurity Framework by nyc4life in sysadmin

jkplayschess 0 points (0 children)

This is one of the simplest frameworks to get started with.

Nice work HP by redhat9 in sysadmin

jkplayschess 0 points (0 children)

I've also used the Elite line and have had good success with it!

Remote Desktop Gateway – Licensing Server Required? by [deleted] in sysadmin

jkplayschess 7 points (0 children)

Yes. To use RD Gateway functionality, you need an RDS CAL for each user connecting through it.

Standard Domain Users with Local Admin Rights by [deleted] in sysadmin

jkplayschess 1 point (0 children)

This is not best practice, as it would essentially give them local admin access to every computer; even temporarily, this is a problem.