Comments on: PCI and SOX, HIPAA, GLBA, et.al.

By: PCIGuru

PCIGuru — Tue, 26 Apr 2011 01:28:43 +0000

A QSA should confirm that the access control system was being used across the cardholder data environment (CDE) and the processes followed to manage and maintain the access control system were also consistently used across the CDE. If no CDE users were tested as part of the SOX testing, then I would also expect to test some of them as well to ensure that all forms and the like were also consistently implemented. As long as this work all comes out without any findings, I would accept the SOX results for the remainder of testing.

By: John

John — Mon, 25 Apr 2011 22:13:53 +0000

Question – if a company has the same process for user access control across a number of systems (in scope PCI systems included) and during SOx or some other audit/assessment, the access control process is tested and validated, but somehow no PCI in scope system was in the sample, would you still accept the validation because access control for all systems follow the same process, or would you perform some level of testing for in scope systems?

By: Eli

Eli — Thu, 17 Mar 2011 10:17:20 +0000

Hey,
Its effective for SOX purposes,
One accounting firm can relies on the work of another accounting firm (they “Speak the same language”)
If we look at cost / benefit for PCI DSS purposes – Its to risky.

By: PCI and SOX, HIPAA, GLBA, et.al.

PCI and SOX, HIPAA, GLBA, et.al. — Wed, 16 Mar 2011 05:30:06 +0000

[...] it happen. So you need to keep in mind that such efforts may be for naught.Cross-posted from PCI Guru Share This! | var addthis_config = [...]