The PCI DSS Wireless Guidance document fills a very important need, as I said in the previous parts (I, II, III and IV). Today I will continue analyzing this Wireless Guidance document. I will number my suggestions and ask that you refer to that number in your comments. Remember – the goal is to help improve the document.
How to Improve on the PCI DSS Wireless Guidelines Document – Part V
Even More Processes
Continuing to analyze the flow chart on page 8, we get to a bit of a hairier situation. Let me show you:
My suggestion here (18) is to revisit the issue of HOW to physically secure wireless devices. Let me add another example: what if you are auditing a large enterprise that uses microwave antennae to communicate across its campus? How can you, the auditor, confirm that those devices are indeed protected?
The crux of my concern, however, rests with the PCI Council’s repeated insistence that the policies be developed AFTER the fact. Look at the box I numbered (19). Wouldn’t these belong at the BEGINNING of this entire chart? Shouldn’t they??? Please move this to the beginning.
As for my final comment on this chart (20): what does this box mean? Just print a screenshot of the configuration? How do you prove a negative? Could we re-word this?
My intent is to continue analyzing this document on Wednesday and Friday of this week, unless something major happens. Wednesday’s post will be rather late in the day, as I am speaking at the Technology Association of Georgia (TAG) event on Enterprise Security for Web 2.0.
- Where PCI DSS Falls Short (and How to Make it Better)
- PCI DSS Wireless Analysis and Recommendations
- PCI DSS Wireless Analysis and Recommendations, Part 2
- PCI DSS Wireless Analysis and Recommendations, Part 3
- PCI DSS Wireless Analysis and Recommendations, Part 4
- PCI DSS Wireless Analysis and Recommendations, Part 5