Ask HN: Frustrations with PCI-DSS, HIPAA, SOX compliance? - rpug

Hi everyone,

I am curious to hear about other people's frustrations with PCI-DSS, HIPAA, or SOX compliance.

From an IT perspective, one of the biggest frustrations I have is with the man-power required to satisfy keeping up with the requirements. A lot of the guidelines are common sense, but the overhead for maintaining change management, documented policies/procedures, approvals, audits, etc. is tough. Certainly, in the ideal sense these things are great to have, but in reality it is tough to make time for them when you've got other business needs to satisfy.

What are some of your biggest frustrations with compliance, and what are some tools you use to 'cope'?

Cheers!
======
WestCoastJustin
Read The Visible Ops Handbook [1], implement what they talk about; it is an
easy read too. On the tools side: puppet [2]. Puppet allows you to bake these
controls into your infrastructure and monitor if things change.

p.s. I also read "The Phoenix Project" [3] a couple of days ago and it gives some
good ideas on how to stop the insanity.

[1] <http://www.amazon.com/Visible-Ops-Handbook-Implementing-Practical/dp/0975568612>

[2] <https://puppetlabs.com/>

[3] <http://www.amazon.ca/The-Phoenix-Project-Business-ebook/dp/B00AZRBLHO>

~~~
rpug
Do you use any particular tools to track approvals to changes, policies etc?

~~~
WestCoastJustin
We just use RT [1] and TWiki [2]. Changes come in as tickets in RT [1] and we
discuss them at change management meetings (documented in the TWiki [2]).
We document everything in the TWiki. If someone comes and asks for our change
management policy, we point them at the TWiki, which talks about puppet, and
then we can show them the change management minutes, etc. We have a light
process and it seems to work.

[1] <http://bestpractical.com/rt/>

[2] <http://twiki.org/>

~~~
rpug
A case management system and a wiki has typically been how I have done this.
It can be a little tough though because these tools aren't necessarily built
for this type of workflow. Perhaps RT does a better job than some of the other
options which really want to be a support ticketing system or a bug tracking
system rather than a change management system.

~~~
WestCoastJustin
Yeah, we only have 4 people in ops and about 20 in development. We have a daily
standup where the ops guys and 1 person from dev meet (total 5 people). We
discuss what is happening Past and Next 24 -- this takes about 10 minutes. The
process is super light.

We also use puppet with git. This allows us to version everything that goes
into production via a puppet tweak. This is great for rolling back changes or
getting an idea of what was deployed. Like I said, read that Visible Ops Handbook.

~~~
rpug
What about audits of user accounts and access control?
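The two things the exchange above touches on, a baseline kept in version control (puppet plus git) and periodic audits of user accounts and access, are easy to turn into a repeatable check. The script below is an added example, not code from the thread, from Puppet, or from any of the posters: it compares an approved baseline (the kind of data a puppet manifest in git encodes) against the observed state of a host and reports every deviation as a finding an auditor can read. The baseline format, the `Finding` type and all sample `/etc/passwd`, `/etc/group` and file contents are constructed for the example; in practice the observed side would be read from the host and the baseline from the repository.

```python
"""Access and drift audit against a version-controlled baseline (added example).

The BASELINE dict stands in for what the approved configuration in git says
should be on the host; the OBSERVED_* values stand in for what the host
actually has. Every mismatch becomes a Finding. All data here is constructed.
"""
import hashlib
from dataclasses import dataclass

# Shells that mark a system account that cannot be used for interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed baseline (assumed format, not Puppet's): approved interactive
# accounts, approved sudo group members, and digests of managed files.
BASELINE = {
    "users": {"root", "deploy", "alice", "bob"},
    "sudo_group": {"alice", "bob"},
    "files": {
        "/etc/ssh/sshd_config": "sha256:" + hashlib.sha256(
            b"PermitRootLogin no\nPasswordAuthentication no\n").hexdigest(),
    },
}

# Constructed observed state: an extra "contractor" login, "bob" removed,
# "contractor" added to sudo, and sshd_config edited outside of puppet.
OBSERVED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
contractor:x:1002:1002::/home/contractor:/bin/bash
"""
OBSERVED_GROUP = """\
root:x:0:
sudo:x:27:alice,contractor
"""
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
}


@dataclass(frozen=True, order=True)
class Finding:
    kind: str     # what kind of deviation was found
    subject: str  # the account, group member or file path concerned


def parse_passwd(text):
    """Return {username: login shell} for each well-formed /etc/passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # blank or malformed line; skipped here
            continue
        accounts[fields[0]] = fields[6]
    return accounts


def parse_group_members(text, group):
    """Return the supplementary members of `group` from an /etc/group body."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return {m for m in fields[3].split(",") if m}
    return set()


def audit(baseline, passwd_text, group_text, files):
    """Compare observed state with the baseline; return findings in a stable order."""
    findings = []
    accounts = parse_passwd(passwd_text)
    # Only accounts that can actually log in count as access to review.
    interactive = {u for u, shell in accounts.items() if shell not in NOLOGIN_SHELLS}
    for user in sorted(interactive - baseline["users"]):
        findings.append(Finding("unapproved_login_account", user))
    for user in sorted(baseline["users"] - interactive):
        findings.append(Finding("approved_account_missing", user))

    sudoers = parse_group_members(group_text, "sudo")
    for user in sorted(sudoers - baseline["sudo_group"]):
        findings.append(Finding("unapproved_sudo_member", user))
    for user in sorted(baseline["sudo_group"] - sudoers):
        findings.append(Finding("approved_sudo_member_missing", user))

    # Managed files are compared by digest so the report never needs the contents.
    for path, expected in sorted(baseline["files"].items()):
        content = files.get(path)
        if content is None:
            findings.append(Finding("managed_file_missing", path))
            continue
        actual = "sha256:" + hashlib.sha256(content).hexdigest()
        if actual != expected:
            findings.append(Finding("managed_file_drift", path))
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED_PASSWD, OBSERVED_GROUP, OBSERVED_FILES):
        print(f"{f.kind:32} {f.subject}")
```

Run on the constructed data it reports five findings: the unapproved `contractor` login, the missing approved account `bob`, the same two deviations in the sudo group, and drift in `sshd_config`. Because the baseline lives in git, each finding can be matched against a change ticket: a deviation with a ticket is an unapplied approved change, a deviation without one is exactly what an access review is meant to catch.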

------
Eyes2design
I wonder myself, I'm trying to find information about PCI-DSS.

I program the integrations from online stores to payment gateways. None of my
programs saves any credit card info, yet I'm not sure if I can state that
they're PCI compliant?

"Merchant / Services" I can understand, but what about a "piece" of software?

~~~
rpug
Does cardholder data ever pass through your infrastructure in any form?

~~~
Eyes2design
In Magento, yes... but the full information is held for a small amount of time.
The module itself holds no card info; it's a run once and then destroy.

~~~
rpug
Not that I am an auditor, but if the data ever hits your environment then you
have a level of compliance to maintain.

