Wednesday, May 4, 2011


PCI DSS 2.0: Lost in Translation

As is well known, the last major changes to PCI DSS were about clarifying wording, since some phrases in the standard allowed too broad an interpretation (eh... if only our personal data protection documents were that well polished... but that is another topic...).
The current version of the standard, PCI DSS 2.0, was adopted in October 2010, and just recently, within a short interval of each other, two translations of the standard into Russian were released.

One translation was made by Informzaschita and is available at this link.

The second translation was prepared by the PCIDSS.ru community and is available here.

I have read these documents, and here are some things that caught my eye:

1) Requirement 1.1.1 in the original reads:

A formal process for approving and testing all network connections and changes to the firewall and router configurations

Informzaschita's translation:

A formalized process for approving and testing all network connections, as well as changes to the configuration of firewalls and routers.

Everything seems fine here.

PCIDSS.ru's translation:

A formal process for approving and testing all external connections and changes to the configuration of firewalls and routers.

But here, for some reason, "external connections" have appeared.

2) Requirement 2.2.1 in the original reads:

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Informzaschita's translation:

Each server must implement only one primary function, to prevent functions that require different levels of security from operating simultaneously on the same server. (In particular, web servers, database servers and DNS servers must run on different physical servers.)

Here, for some reason, "different physical servers" appeared, although the original does not contain the word "physical".

PCIDSS.ru's translation:

Each server should implement one primary function, to avoid having functions that require different levels of protection on the same server (e.g. web servers, database servers and DNS servers should be located on different computers).

And here the word "computers" is used, which does not accurately reflect the original requirement.

3) Requirement 3.5.2 in the original reads:

Store cryptographic keys securely in the fewest possible locations and forms.

Informzaschita's translation:

Keys must be stored in a minimal number of protected storage locations.

Nothing is said about the form of the keys, as there is in the original.

PCIDSS.ru's translation:

Keys shall be stored only in strictly defined storage locations and in a strictly defined form.

And this speaks of a certain number of storage locations rather than the minimum possible (as in the original).

4) Requirement 6.1 in the original reads:

Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

Informzaschita's translation:

All system components and software must have the latest security updates provided by the vendors installed. Critical security updates must be installed within 1 month from the date of their release.

The term "security updates" is used here. Security of what system? In the original the meaning is

PCIDSS.ru's translation:

All system components and software must have the most recent security updates released by the vendor installed. Critical security updates must be installed within one month from the date of their release by the vendor.

Now that is close to the original.

5) Requirement 6.4.1 in the original reads:

Separate development / test and production environments

Informzaschita's translation:

The development and test environments should be separated from the production environment.

Similar to the original.

PCIDSS.ru's translation:

The development, testing and production environments of the software must be separated from each other.

But this translation can be read as requiring all three environments to be separated from each other, which the original does not imply.

6) Requirement 6.6 in the original reads:

... <text omitted> ... Installing a web-application firewall in front of public-facing web applications

Informzaschita's translation:

Install a firewall to protect public web applications.

One could argue about this at length, but a web application firewall and a firewall are still different things, and this interpretation can lead to errors.

PCIDSS.ru's translation:

Install an application-layer firewall in front of web applications.

Now that is closer to the truth.

7) Requirement 9.4 in the original reads:

Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

Informzaschita's translation:

A visitor log must be kept in order to track visitors. It is necessary to record the visitor's name, the name of the company they represent, and the name of the employee authorizing physical access. Video surveillance data should be stored for at least 3 months, unless this conflicts with the law.

And what does "CCTV" have to do with it? Apparently it is just a copy-and-paste error.

PCIDSS.ru's translation:

A visitor log book should be kept and used to analyze visits. The log should record the visitor's name, the organization they represent, and the staff member who authorized the visitor's access. This log should be retained for at least three months, unless otherwise prescribed by law.

This one seems fine.

8) Requirement 10.4 in the original reads:

Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

Informzaschita's translation:

The clocks and timers of all critical systems must be synchronized. Make sure that the following measures are in place for the acquisition, distribution and storage of time data.

PCIDSS.ru's translation:

Time-synchronization technology must be used. All system clocks and system time on critical systems must be synchronized. It is necessary to ensure that the requirements for obtaining, distributing and storing time data are met.

Informzaschita's translation amused me with its "acquisition" of time data: I did not know that time could be bought :).

This note is certainly not an exhaustive analysis; these are just the first things that caught my eye, and I think the text contains many more of the same kind. Summing up, I can say that if you are fluent in English, I strongly advise checking against the original: there are inaccuracies in the translations, and as we know, the devil is in the details!

Also, despite my criticism, I believe that Informzaschita and the PCIDSS.ru community have done important work by releasing translations of the standard into Russian, for which they certainly deserve thanks!
