[BBLISA] PCI compliance and Linux AV, was Re: Desktop policies and UNIX-ish operating systems
Paul Beltrani
spamgrinder at gmail.com
Fri Jan 29 13:58:17 EST 2010
Requirement : 5.1 Deploy anti-virus software on all systems
commonly affected by malicious software (particularly personal
computers and servers).
Testing Procedure : For a sample of system components including all
operating system types commonly affected by malicious software, verify
that anti-virus software is deployed if applicable anti-virus
technology exists.
Our auditor interpreted that to mean "ANY server". e.g. systems
unlikely to be "affected by malicious software" were appliances or
things like routers and switches.
As you said, it's whatever your auditor/consultant decides. IMO, one
of the downsides to the PCI compliance process is it's common to have
your consultant also be your auditor.
- Paul Beltrani
On Fri, Jan 29, 2010 at 1:04 PM, seph <seph at directionless.org> wrote:
> Tal Cohen <tcohen at sitespect.com> writes:
>
>> Re-read the PCI DSS 1.2 standard, it only requires the virus scans for
>> systems that are commonly prone to vulnerabilities.
>
> This is requirement 5.1. In version 1.1 this had a note saying:
>
> Systems commonly affected by viruses typically do not include
> UNIX-based operating systems or mainframes.
>
> That note was removed for version 1.2.
>
> How you interpret that is up to you and your auditors. Mine have a
> different conclusion than you.
>
> seph
>
More information about the bblisa
mailing list