Monday, 20 September 2010

PCI QSA-ness

So, I'm on my way back to Glasgow just now, after attending QSA training in Orlando. Although I found the course a little slow, I met a lot of interesting people. Hopefully by this time next week I'll be a QSA.

I felt the test went well, but going through the course really opens your eyes to the limitations of the DSS. The first is that the standard is very subjective and is open to interpretation at almost every level. This is not a Good Thing!

Secondly, where the DSS is less subjective, it often falls short of industry standard or best practice. Interestingly, during the course there was some discussion about DSS 2.0, although nothing was mentioned that gives me a warm fuzzy feeling that either of these points will be addressed.

I can understand that the council is not there to mandate particular products or services; however, there's nothing to stop them approving encryption and hashing algorithms, for instance. The very likely scenario of QSAs contradicting each other also disturbs me. Everyone has their own opinion on what's an acceptable level of risk, or their own interpretation of a given standard. Let's put it this way: I wouldn't want to be assessing a client for whom my company had already performed a gap analysis. The chance of coming to a different conclusion from the gap analysis QSA would be too great.
