PCI DSS Wireless Analysis and Recommendations, Part 5

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

 

The PCI DSS Wireless Guidance document is filling out a very important need.  As I said in the previous parts, I, II, III and IV.   Today I will continue analyzing this Wireless Guidance document.  I will number them and ask that you refer to that number in your comments on my suggestions.  Remember – the goal is to help improve the document.

 

How to Improve on the PCI DSS Wireless Guidelines Document – Part V

Even More Processes

Continuing to analyze the flow chart on page 8, we get to a bit of a hairier situation.   Let me show you:

 

PCI DSS WirelessMy suggestion is here to (18) visit again the issue of HOW to Physically secure wireless devices.  Let me add another example:  what if you are auditing a large enterprise that uses microwave antennae to communicate on campus?  How can you, the Auditor, assure that the devices are indeed protected?

 

 

 

 

 

 

 

 

 

The crux of my concern, however, rests with the PCI Council’s repeated insitatnce that the policies be developed AFTER the fact.  Look at box I numbered (19).  Wouldn’t these belong at the BEGINING of this entire chart?  Shouldn’t they???  Please move this to the beginning.

PCI DSS Wireless

As for my final comment on this chart (20) – What does this box mean?  Just print screenshot of configuration?  How do you prove a negative?  Could we re-word this?

 


 

My intent is to continue analyzing this document on Wednesday and Friday of this week, unless something major happens.   Wednesday’s post will be rather late in the day, as I am speaking at the Technology Association of Georgia (TAG) event on Enterprise Security for Web 2.0.

 

 

 

Permalink

PCI DSS Wireless Analysis and Recommendations, Part 4

 

The PCI DSS Wireless Guidance document is filling out a very important need.  As I said in Part I, Part II, and Part III.   Today I will continue analyzing this Wireless Guidance document.  I will number them and ask that you refer to that number in your comments on my suggestions.  Remember – the goal is to help improve the document.

 

How to Improve on the PCI DSS Wireless Guidelines Document – Part IV

More processes

Continuing in the review of the "Complying with PCI DSS" flow chart, I found some other areas I would change.

 

 

(14)  I remove the arrow form "Change defaults" and draw one instead from "Generate audit report" – to "Enable 802.11i".   This may seem as a small fix, but in fact it means "Enable 802.11i AFTER you generate an audit report".   I also (15) would consider changing the verbiage of "Generate audit report"….  How can you generate an audit report to prove that the defaults have been changed?  Do you simply compare it to an earlier report that said that those were the vulnerabilities?  Do you just submit it as "this weakness not found" type report?  Either way, lets change the way it is phrased.

Similarly to (14) above, I would recommend item (16) to route the arrow from "Enable 802.11" to "Physically Secure" to originate at "Generate a wireless audit".  The difference being that taking the steps of "A centralized management system" and "Generate a wireless Audit report that proves…"  are very important to enablement of Audit.  The way the chart is drawn now, these can be seen as optional processes, and should not.

Finally here (17) I would like to note that in some situations it is not feasible, while certainly being desirable, to physically secure wireless devices.  They can be our of reach (as in on a very high ceiling) or maintained by a third-party organization.   I would suggest that the term be defined so an organization would not fail on their audit just for that reason alone.

 

More to come next Monday…

 

Tomorrow we will have Chris’ final article in the "How to talk to Senior Management about Security".  On Friday, as I promised, a discussion of Confidentiality, Integrity and Availability, and the next article in the PCI DSS Wireless series will be Monday.

 

Permalink