
PCI-DSS Compliance

Hi.

As part of our customer's PCI-DSS audit, we are implementing more rigorous data protection rules. One thing that they would like to do is run a one-time scan of all computers running Sophos AV to check that there are no unencrypted credit card numbers being stored (in spreadsheets etc.).

I know that I can create rules to stop data being copied to/from machines and within emails etc but once the rules are configured, do these also apply to scheduled scans?

Thanks


Phil



Hello Phil,

Data Control kicks in when static data (i.e. the contents of a file) is about to be transferred, i.e. written to removable storage (this does not include computer to computer copy) or read by certain applications (this does not prevent e.g. copy/paste). Thus the rules are not applied by a scheduled scan.

OTOH there's no reason that a scheduled scan couldn't do this other than that it's not implemented. Well, of course :) - but implemented meaning all it has to do is mimic the call made by the on-access scanner. Here it gets complicated though, as different rules might apply to different destinations and ideally the scanner would have to support an anyDestination.

Haven't found you (if I have guessed your company correctly) in the Sophos Partner list; nevertheless I'd suggest that you contact Sophos directly. I'd be surprised if such a tool didn't exist - naturally (I'm neither Sophos nor a partner) I can't say whether such a tool would be made available and, if so, on what conditions.

Christian
