PCI Auditors selling stuff?!
In a really good blog entry, Mike Rothman talks about how PCI assessors (auditors) are pitching products and other solutions once the audit is done. He goes on further to talk about separation of duty and how the client should make it clear from the beginning that there will be no further business to be made after the audit.
I agree with Mike but I don't think he took it far enough. In an earlier blog entry of mine I discuss this very issue. Once the auditor has been too visit, it is too late. Have a good strategy and see it through long before you call in auditors. Then once they have arrived and start to sell you products and solutions that you don't need - you'll know that you don't need them.
Never use auditors to tell you what should be done.. use your security experts... use auditors to do the checking.
In a really good blog entry, Mike Rothman talks about how PCI assessors (auditors) are pitching products and other solutions once the audit is done. He goes on further to talk about separation of duty and how the client should make it clear from the beginning that there will be no further business to be made after the audit.
I agree with Mike but I don't think he took it far enough. In an earlier blog entry of mine I discuss this very issue. Once the auditor has been too visit, it is too late. Have a good strategy and see it through long before you call in auditors. Then once they have arrived and start to sell you products and solutions that you don't need - you'll know that you don't need them.
Never use auditors to tell you what should be done.. use your security experts... use auditors to do the checking.