Comments on cyberici: Compliance does NOT Equal Security
Blog author: Luke Hebbes (http://www.blogger.com/profile/15100190691403603777)

Comment by Andrew Lenaghan, 2009-09-10 15:20 (+01:00):

In a word I think we are talking 'overconfidence', a tendency that dogs the promotion of most security efforts as they cross from the technical realm to the non-technical. Nobody ever sold a product or promoted a standard to management saying it will make things a bit less risky. The auditors would probably say compliance means they were just auditing the operations to see the company was doing what it claimed. I don't think they would see it as being within their remit to offer a comment on the adequacy of the PCI standard. PCI is peculiarly concrete in its specification of what must be achieved, reflecting its quite pragmatic origins, but it is really only a minimum statement of some good practice – necessary but not sufficient, as the mathematicians would say.