Friday, 27 March 2015

How can a very small company handle PCI-DSS requirement 6.4.2?



PCI-DSS 3 requirement 6.4.2 calls for



Separation of duties between development/test and production environments.



Based on the guidance text and this answer to another question, it appears that the purpose of this requirement is to ensure that no one person holds all the access.


While this is easy enough in a large company, does this automatically mean that a 1-person company (or a company small enough to be unable to afford hiring separate DBAs and sysadmins for each environment) cannot possibly be PCI-DSS compliant?




