Ask HN: Frustrations with PCI-DSS, HIPAA, SOX compliance?
2 points by rpug 4797 days ago
Hi everyone,

I am curious to hear about other people's frustrations with PCI-DSS, HIPAA, or SOX compliance.

From an IT perspective, one of the biggest frustrations I have is with the manpower required to satisfy keeping up with the requirements. A lot of the guidelines are common sense, but the overhead for maintaining change management, documented policies/procedures, approvals, audits, etc. is tough. Certainly, in the ideal sense these things are great to have, but in reality it is tough to make time for them when you've got other business needs to satisfy.

What are some of your biggest frustrations with compliance and what are some tools you use to 'cope'?

Cheers!

2 comments

Read The Visible Ops Handbook [1], implement what they talk about; it is an easy read too. On the tools side: puppet [2]. Puppet allows you to bake these controls into your infrastructure and monitor if things change.

p.s. I also read "The Phoenix Project" [3] a couple of days ago and it gives some good ideas on how to stop the insanity.

[1] http://www.amazon.com/Visible-Ops-Handbook-Implementing-Prac...

[2] https://puppetlabs.com/

[3] http://www.amazon.ca/The-Phoenix-Project-Business-ebook/dp/B...

Do you use any particular tools to track approvals to changes, policies etc?

We just use RT [1] and TWiki [2]. Changes come in as tickets in RT [1] and we discuss them at change management meetings (documented in the TWiki [2]). We document everything in the TWiki. If someone comes and asks for our change management policy, we point them at the TWiki, which talks about puppet, and then we can show them the change management minutes, etc. We have a light process and it seems to work.

[1] http://bestpractical.com/rt/

[2] http://twiki.org/

A case management system and a wiki has typically been how I have done this. It can be a little tough though because these tools aren't necessarily built for this type of workflow. Perhaps RT does a better job than some of the other options which really want to be a support ticketing system or a bug tracking system rather than a change management system.

Yeah, we only have 4 people in ops and about 20 in development. We have a daily standup where the ops guys and 1 person from dev meet (total 5 people). We discuss what is happening Past and Next 24 -- this takes about 10 minutes. The process is super light.

We also use puppet with git. This allows us to version everything that goes into production via a puppet tweak. This is great for rolling back changes or getting an of what was deployed. Like I said, read that visible ops handbook.
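An added example, not code from this thread or from Puppet Labs, of the approach the comment above describes: a Puppet manifest kept in a git repository that pins a few PCI-DSS-style access controls, so every change to a control is a reviewed, revertable commit and the agent report shows any drift. The module name, user names, group name and paths are assumptions.

```puppet
# Added example: pin PCI-DSS-style access controls in Puppet so the control
# itself lives in git (reviewable, revertable) and the agent reports drift.
# Module name, user names and paths are assumptions made for this example.
class pci_access_controls (
  # Constructed sample values: accounts that must exist / must be gone.
  Array[String] $admins        = ['alice', 'bob'],
  Array[String] $retired_users = ['contractor_old'],
) {
  # Requirement 8-style control: no direct root SSH, key-based auth only,
  # verbose logging so key fingerprints land in the auth log for audits.
  augeas { 'sshd_config_hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PermitRootLogin no',
      'set PasswordAuthentication no',
      'set LogLevel VERBOSE',
    ],
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # Account review: admins are declared explicitly, retired users are removed.
  # "Who had access when?" is answered by `git log` on this file.
  $admins.each |String $u| {
    user { $u:
      ensure => present,
      groups => ['wheel'],   # assumed admin group; 'sudo' on Debian-style hosts
    }
  }
  $retired_users.each |String $u| {
    user { $u:
      ensure     => absent,
      managehome => false,
    }
  }

  # Requirement 10-style control: audit logs readable only by root.
  file { '/var/log/audit':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }
}

include pci_access_controls
```

Running `puppet agent --test --noop` reports what would change without changing it, which is the "monitor if things change" part; the resulting agent report is the evidence that the control is still in place.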

What about audits of user accounts and access control?

I wonder myself, I'm trying to find information about PCI-DSS.

I program the integrations from online stores to payment gateways. None of my programs saves any credit card info, yet I'm not sure if I can state that they're PCI compliant?

"Merchant / Services" I can understand, but what about a "piece" of software?

Does cardholder data ever pass through your infrastructure in any form?

In magento, yes... but the full information is held for a small amount of time. The module itself holds no card info; it's run once and then destroyed.

Not that I am an auditor, but if the data ever hits your environment then you have a level of compliance to maintain.