I"ve had to live with these requirements

IWETHEY v. 0.3.0 | TODO

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #291,129

8/19/07 7:59:06 AM

I"ve had to live with these requirements

for the past three months. My initial project was to merge DSS with the corporate security standards, keeping the stricter of the two (Yes, some of the internal requirements are much stricter than PCI). The questions get quite interesting when you start to apply them to a mixed environment of mainframe, Unix, Linux, and Windows.

The questions about residual data on these drives is something that had been given only cursory investigation. PCI has force us to re-examine this issue.

The cost of destroying the drives exceeds the penalty for non-compliance. The cost to brand would be huge if there was a privacy leak.

Should we be destroying the drives? Maybe. As with every security issue it comes down to cost vs risk. My job is to report on risks and possible solutions. I do like Crazy's suggestion about setting up a workstation to scrub the disks before EMC takes them - if we are contractually allowed to remove the drives. I will also recommend that the EMC contract be reviewed to see if they are required to scrub the drives prior to reuse, and if they are not, see if we have the necessary language added.

And fwiw, we have other data storage vendors also. I just happened to start the discussion with the EMC group. It will only get uglier!

A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)

Post #291,136

8/19/07 11:49:44 AM

There is a certain point... that enough non-compliance...

will cause de-certification.

That would be BAD.

--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ i_wethey
PGP key: 1024D/B524687C 2003-08-05 Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0 Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2

Data recovery on Striped drives - (jbrabeck) - (19) - Aug. 17, 2007, 01:54:01 PM EDT

Any recovery would be pretty unlikely - (Andrew Grygus) - Aug. 17, 2007, 02:13:24 PM EDT

You may be Ok, but not guaranteed safe. - (Another Scott) - Aug. 17, 2007, 02:15:44 PM EDT

can useful information be pulled and re-assembled by block? - (boxley) - Aug. 17, 2007, 02:22:23 PM EDT

Depends on chunk size and what you are hiding - (crazy) - Aug. 17, 2007, 04:31:10 PM EDT

Thanks for all the replys, let's add clarification - (jbrabeck) - (14) - Aug. 18, 2007, 06:19:28 AM EDT

Move the risk? - (pwhysall) - (10) - Aug. 18, 2007, 06:22:01 AM EDT

That will be one of my suggestions. -NT - (jbrabeck) - Aug. 18, 2007, 06:38:46 AM EDT

Bulk Erase Tape Demanetizer. - (folkert) - (8) - Aug. 18, 2007, 08:44:46 PM EDT

Can't use it if they expect to reuse the hard disk - (crazy) - (7) - Aug. 18, 2007, 08:53:28 PM EDT

That doesn't matter, if the disk has sensitive info. - (folkert) - (6) - Aug. 18, 2007, 11:57:48 PM EDT

Sigh - (crazy) - (5) - Aug. 19, 2007, 12:35:52 AM EDT

If its PCI, its gotta be done. - (folkert) - (4) - Aug. 19, 2007, 02:03:36 AM EDT

I"ve had to live with these requirements - (jbrabeck) - (1) - Aug. 19, 2007, 07:59:06 AM EDT

There is a certain point... that enough non-compliance... - (folkert) - Aug. 19, 2007, 11:49:44 AM EDT

I've done PCI before - (crazy) - (1) - Aug. 19, 2007, 11:57:40 AM EDT

Well, we're definitely not a small merchant - (jbrabeck) - Aug. 19, 2007, 12:23:58 PM EDT

that SHOULD be covered in your contract with EMC -NT - (boxley) - Aug. 18, 2007, 07:30:28 AM EDT

What Peter and Box said. - (static) - Aug. 18, 2007, 08:52:59 AM EDT

Like others said, but, that's pure political - (crazy) - Aug. 18, 2007, 03:15:49 PM EDT

Powered by static electricity.
50 ms