While most of us were busy with holiday vacations and the approaching new year, the PCI SSC released a long-awaited guidance document. The Guidance on Scoping and Segmentation was released in December 2016.
The guidance includes a lot of great clarifications on scope. For instance, it finally ends the age-old argument over whether a jump server, or anything else for that matter, can take the administrator workstation/laptop out of scope. By the way, the answer to that question appears definitively to be NO.
As with most guidance, it has also raised a lot of unanswered questions. In my opinion, the best thing the guidance has accomplished so far is that it has provoked a lot of great conversations on scoping and has companies thinking about security. I highly suggest giving it a read and sharing it with your teams.
About the Author
Kate Donofrio is a Senior Associate with Schellman. Prior to joining Schellman in 2016, Ms. Donofrio worked as a Senior Security Assessor specializing in PCI DSS compliance audits and information security consulting engagements. Ms. Donofrio also led and supported various other projects, including HIPAA assessments, social engineering exercises, information security training, and technical risk assessments that included vulnerability scanning and penetration testing. She has nearly 15 years' combined experience in the information technology and information security fields, serving clients in various industries, including call centers, financial institutions, healthcare, hospitality, and e-commerce. She also has experience in both systems and network engineering. Ms. Donofrio is now mainly dedicated to performing PCI DSS assessments.