About Gene Kim

I've been researching high-performing technology organizations since 1999. I'm the multiple award-winning CTO, Tripwire founder, co-author of The DevOps Handbook, The Phoenix Project, and Visible Ops. I'm a DevOps researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Tuesday, Jul 27, 2010

Are You As Good At Scoping PCI As You Think? (Mobilizing The PCI Resistance, Part VII)

I'm getting ready for my BSides talk on Wednesday on "Mobilizing the PCI Resistance." I made a slide that was designed to hint that defining the scope of a PCI assessment may not always be as easy as one might think.

In today's blog post, I pose some (possibly trick) questions. But before I do that, to refresh your memory, here are the previous postings:

PCI Scoping Quiz: Please Show Your Work

[Image: NewImage.jpg]

At one time, I believed that defining the Cardholder Data Environment as wherever cardholder data "enters, is transmitted, processed, stored, displayed or printed" was sufficient to inform most scoping decisions.

Gosh, was I wrong.

Don't worry if the answers don't seem immediately obvious. I'd wager I would have gotten most of these wrong last year.

Question 1: Is the Cardholder Data Environment (CDE) equivalent to the PCI Scope of Assessment?

Question 2: Is a domain controller (e.g., Windows Active Directory server) that is being relied upon by CDE applications for authentication and security services in the PCI Scope Of Assessment?

Question 3: How about a domain controller (e.g., Windows Active Directory server) that is not relied upon by any CDE applications?

Question 4: Is a network attached stapler that happens to be on the same network segment as a CDE system component always also in the CDE?

Question 5: Does it matter whether the workstation that a customer service representative uses is a thin client or a thick client?

Question 6: When should it be acceptable for a virtualization hypervisor that hosts a production application in the CDE to also host another VM that is not part of the CDE?

Question 7: If you have a domain controller that is not in the CDE, but in the scope of PCI assessment, is a print server on the same network segment as that domain controller also in the scope of PCI assessment?

Bonus Exercise: For each of the questions where you answered "in scope of the PCI assessment," describe a strategy to contain the scope, such that systems connected to that system are not in scope. (See Michelle Klinger's great post on the "PCI Contagion Dilemma.")

(Image courtesy: Flickr: Zeligfilm)
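One way to "show your work" on the quiz is a small model that records, for every system, the assumption its verdict rests on. This is an added example, not the Scoping SIG's method or code from the post; the sample environment and the three inclusion rules are constructed assumptions chosen to mirror the questions above.

```python
"""Illustrative scope-propagation model for the quiz above (added example; not the Scoping
SIG's method). The rules are this example's own assumptions:
  1. a CDE system component is in scope;
  2. a system that can reach a CDE system (same segment, or an open path to it) is in scope;
  3. a provider of security services (e.g. authentication) to an in-scope system is in scope,
     applied transitively along the chain of trust.
Every verdict carries its reason, so the work is shown and can be scrutinised."""

# Constructed sample environment: name -> (network segment, handles cardholder data?)
SYSTEMS = {
    "pos-app":      ("cde-net",  True),   # processes cardholder data
    "dc-cde":       ("cde-net",  False),  # domain controller relied on by pos-app (Q2)
    "stapler":      ("cde-net",  False),  # network stapler on the CDE segment (Q4)
    "dc-corp":      ("corp-net", False),  # corporate DC that dc-cde trusts (Q3/Q7)
    "print-server": ("corp-net", False),  # print server beside dc-corp (Q7)
    "hr-app":       ("hr-net",   False),
}
# consumer -> providers of security services (authentication, directory, etc.)
SECURITY_SERVICES = {"pos-app": {"dc-cde"}, "dc-cde": {"dc-corp"}}
# Segment pairs with no segmentation control between them (flat vs. segmented network).
FLAT = {frozenset(("corp-net", "cde-net"))}
SEGMENTED = set()


def can_reach(src, dst, open_paths):
    """Assumed connectivity rule: same segment, or an unsegmented path between segments."""
    a, b = SYSTEMS[src][0], SYSTEMS[dst][0]
    return a == b or frozenset((a, b)) in open_paths


def scope(open_paths):
    """Return {system: reason} for every system in the PCI scope of assessment."""
    cde = {n for n, (_, chd) in SYSTEMS.items() if chd}
    verdict = {n: "CDE: stores, processes or transmits cardholder data" for n in cde}
    for name in SYSTEMS:                                  # rule 2
        if name not in verdict:
            for c in cde:
                if can_reach(name, c, open_paths):
                    verdict[name] = f"connected to CDE system {c}"
                    break
    changed = True                                        # rule 3, to a fixed point
    while changed:
        changed = False
        for consumer, providers in SECURITY_SERVICES.items():
            if consumer in verdict:
                for p in providers - set(verdict):
                    verdict[p] = f"provides security services to in-scope {consumer}"
                    changed = True
    return verdict
```

Running `scope(FLAT)` pulls the print server in through the open corp-net/cde-net path, while `scope(SEGMENTED)` keeps dc-corp in scope only through its trust relationship with dc-cde and leaves the print server out, which is the containment the bonus exercise asks for.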

The Answers And My Goal

The answer to all of the questions is actually, "It depends." But just as problematic is the fact that people could arbitrarily disagree with your answer, with little ability to defend its validity. The trick is being able to state, "Yes, it depends, but what does it depend upon?"

Also, generating a consensus on scoping conclusions takes a lot of time. Prior to creating a structured method with agreed upon definitions, the Scoping SIG required over 40 hours to come to a scoping conclusion for one scenario.

With the proposed guidance under development, our team was able to generate a consensus on 15 scoping conclusions in less than 2 hours.

We believe three things are needed to aid the scoping effort and to let you defend your answers, so that another person can follow your reasoning. Even if they don't agree with your scoping conclusion, at least they can scrutinize your assumptions.

My goal is to have the PCI Scoping SIG deliver:

  • Define and deliver the following, in a manner that clarifies and supports the spirit and intent of protecting cardholder data:
    • Scoping principles and definitions (should be 200 words or less)
    • A structured scoping methodology (should be a decision tree, with fewer than 30 boxes)
    • A library of scoping scenarios demonstrating its usage for educational and clarification purposes (should be about 30 pages)
  • Create useful tools and guidance that will assist in the scoping effort for both merchants and QSAs.

Interested?
