Select Monthly Archives
- September 2019
- August 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- August 2018
- July 2018
- May 2018
- March 2018
- February 2018
- December 2017
- November 2017
- September 2017
- August 2017
- June 2017
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- March 2016
- October 2015
- September 2015
- July 2015
- May 2015
- March 2015
- February 2015
- January 2015
- December 2014
- September 2014
- August 2014
- July 2014
- June 2014
- December 2013
- September 2012
Written By: Chip Ross May 07, 2019
This is Part 3 in a 4-part series exploring how to ensure readiness for a PCI assessment, and how to avoid issues that can cause delays and additional costs.
In Part 1, we discussed:
- The need for upper-management commitment
- Definitions of Merchants and Service Providers
- Who might be asking for proof of PCI compliance
- Determination of Merchant or Service Provider level
- Available PCI compliance validation options
In Part 2, we discussed:
- Business Organization
- How cardholder data (CHD) is handled
- Scope of the PCI assessment
In Part 3, we discuss time and personnel considerations.
Am I Allowing Enough Time For My Assessment?
Organizations, especially those performing a first-time assessment, frequently do not allow enough time to understand their PCI compliance responsibilities thoroughly, or to complete all of the assessment activities.
The reality is obtaining PCI compliance can be a complex undertaking. We have not even begun discussing the actual activities involved in validating compliance, and previous articles have already shown that a significant time investment is required to understand the environment, organization, and scope.
Availability of personnel resources is usually limited. Often, the same personnel that are handling day-to-day operations are responsible for attending interviews, obtaining or creating evidence, and performing remediation activities throughout the engagement. An average Report on Compliance (ROC) takes anywhere from four to eight weeks, and some self-assessments may take an equal amount of time. Careful consideration and planning before the engagement begins is critical.
Have I Considered Personnel Responsibilities?
Without good organization, things can fall through the cracks during an assessment. It’s important that these responsibilities are understood from the outset. A number of different areas of responsibility exist:
- Scoping/overall responsibility
Service Providers are required to define a PCI Charter for their PCI DSS compliance program, and it must include executive management assignment of overall responsibility for maintaining PCI DSS compliance, and how the PCI DSS compliance program is organized and communicated to Executive Management.
For larger Merchant organizations, having this sort of PCI Charter may be a good idea, or it might mean creating an oversight committee. There may also be dedicated compliance personnel who are familiar with other regulatory compliance efforts that may be enlisted.
For smaller organizations, overall PCI compliance responsibility ultimately resides with executive management.
For all organizations, as discussed in previous articles, it’s extremely important to communicate the importance of PCI compliance throughout the organization.
- Interacting with business units/requesting evidence
Ideally, compliance personnel dedicated to PCI would occupy this role. Lacking that, it should be clearly defined who will be scheduling meetings, requesting interviews, and requesting evidence from the business units involved in the assessment. We recommend communicating this to business units in advance, and that the communication directs the business units to cooperate with the requests for interviews and evidence, and provide responses to those requests in a timely manner.
Additionally, understand that whomever has this responsibility will put in as much time, if not more, than the QSA engaged for the assessment. Including this time in scheduling, workload, and budgeting for the engagement is critical. AppSec Consulting sees too many instances where inadequate availability of this point-of-contact resource leads to delays.
There are numerous items to track including meeting and interview scheduling, evidence requested, received, reviewed, and submitted to the QSA, outstanding items needed for the compliance of any particular requirement, and the status of remediation activities for those items found to be non-compliant.
A QSA can help with tracking tools. It is also helpful to institute processes separate from the QSA, as a means of providing checks and balances. If commercial GRC (Governance, Risk, and Compliance) tools are available, they may be valuable in this effort. Where they are not available, create spreadsheets that show all the applicable requirements, and their status throughout the assessment.
Most often, the personnel assigned the interaction and evidence request responsibilities above are responsible for tracking the compliance status.
Many PCI requirements require interviews with personnel with expertise in various areas. In smaller organizations, this may be only a few people. In larger organizations, there may be multiple personnel needed to address specific portions of their areas. The converse may also be true. For example, a single IT organization might provide authentication services to multiple business units or applications. Interviews most often address documentation and execution of different processes.
It is helpful to communicate the expected discussion topics to the business units before the interviews, so they have time to consider which personnel should be present. If there are questions regarding the interview topics, discuss it with the QSA before scheduling the interview.
- Providing and/or creating evidence
Regardless of the environment, organization, scope, or validation documentation required for any particular assessment, there is evidence that needs to be supplied. Slightly over 50% of PCI requirements are documentation related!
Most often, the personnel that are interviewed are also asked to provide evidence. Depending on the type of assessment, it can be a lot of evidence. Types of evidence that are requested can include:
- Documents including network and data-flow diagrams, processes, configuration standards, industry standards, vendor manuals and patch lists, software development, change management, role definitions, physical security, inventories, vulnerability management, risk management, vendor management, training, incident response, and policies
- Configuration exports from firewalls, other network devices, servers, workstations, and appliances
- User lists for all facilities, system components, and applications
- Logs from samples of system components
- Change records from infrastructure and applications
- Screen-shots from ‘shoulder-surfing’ activities where the assessor is required to conduct observations
- Data captures
- Exports of production, test, and development databases
- Vulnerability, risk, and incident activities results
- HR activities including background checks and user termination lists
It is important that personnel are aware that they are responsible for obtaining and providing the necessary evidence. In some cases, they may be required to create evidence. For example, creating a policy or procedure that does not currently exist.
Communicate the time allowed for assembling the requested evidence. Document and track the status of each request, and report the status to those responsible for overall compliance. Promptly escalate the status of delayed evidence request submission to ensure that these requests receive
appropriate priority, and to avoid any additional costs.
Most often, the personnel that must obtain or create this evidence are also responsible for parts of the day-to-day operations of the organization. Sufficient time and planning should be given to ensure that no delays are encountered.
- Reviewing evidence
You might think this is easy – the QSA is the one that reviews the evidence, right? However, we consistently run into situations where the evidence supplied is insufficient, and is rejected. A good QSA will provide recommendations for correcting the evidence, but it is an unnecessary cycle of evidence re-submission.
In fact, even though it is another step in the process, reviewing the evidence internally prior to submission to the QSA is actually more efficient and speeds up the validation process. Ideally, this would be done by personnel that are very familiar with PCI compliance. If no such dedicated personnel exist, a peer review can be conducted. The most important question to consider is whether the supplied evidence provides enough information to satisfy the requirement involved.
If there are questions about what is required, consult the QSA before requesting the evidence to avoid re-work.
- Performing remediation tasks
Again, it’s very likely that the same personnel asked to sit in interviews, and provide or create evidence, are the ones performing day-to-day operational tasks.
Communicate the time allowed for completion of remediation activities to the personnel performing the activities. Document and track the status of each activity, and report the status to those responsible for overall compliance. Promptly escalate the status of all remediation activities that might result in significant delays to ensure that these efforts receive appropriate priority, and to avoid any additional costs.
How Can AppSec Consulting Help?
Our Qualified Security Assessors (QSAs) leverage AppSec Consulting’s proven methodologies. Their many years of security, IT, development, and PCI auditing experience ensures that whatever your goals, the outcome is exactly what you need and makes strategic sense for your business. Whether you’ve been asked by your bank “to comply with PCI”, or preparing for your first validation with a Report on Compliance (ROC), gearing up for annual re-validation, or would just like to know what the PCI DSS mean to your business, our team of experts are there to help.
More information can be found at www.appsecconsulting.com, or call us at 408-224-1110