However, one can take a policy/standard/procedure for SOX/HIPAA/etc. and ensure that it effectively covers the PCI requirements as well (take having a security policy, for example). Thus, hopefully, one policy/standard/procedure encompasses everything. I think/hope this is what Sheldon was talking about.
Last, I agree with Craig that scope is vital to audits. Who cares what policies one has in place if the scope does not cover the right areas? If you are only taking CC data through a web-based application and are not storing any CC data, does an HR laptop really fall under the PCI scope? Does that web server fall under HIPAA?
There is no "magic" mapping button. Some things can be utilized across multiple audits, but without a well defined scope, any audit is destined for problems.
I will conclude by stating that I have yet to see any two standards (SOX, PCI, HIPAA, etc.) with a direct 1-to-1 mapping of policies/procedures. There has always been something that was applicable *only* to those machines that were defined as being in the scope of the standard.