Sorry I couldn't get back to this earlier. I'll be brief.
For your sake I hope your companies don't accept credit cards through these
web interfaces. Placing a database in the DMZ is a direct violation of PCI
DSS 1.3.7.
Even if you aren't subject to PCI directly, know that more and more security
professionals are using it as their gold standard. Systems set up with PCI
controls will pass SOX, HIPAA, and virtually all other forms of audit with
ease.
Here's an example. One reason I couldn't get back to this on Wednesday was
that I was helping with a client survey that was evaluating the security of
one app that we supply for them to use. The client is one of the top 5
largest banks on earth. This issue was directly addressed by an audit
question. Even though the data we store is not subject to PCI we're being
asked questions as if it were.
Have a good weekend, folks.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
[javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.