A number of dynamics are at work that have made attaining PCI compliance a more difficult proposition than in previous years. The guidance assessors are receiving from the PCI Council is that evidence must be provided demonstrating that your Infosec program is in place and functioning as designed. Expect to respond to requests for multiple change records that cover the gamut of firewall rule changes, architecture changes, code changes, and so on. Further anticipate providing evidence of daily log analysis and how alerts are managed, how in-scope web applications are being properly reviewed, proof that an annual risk assessment was performed (and, to answer the question: no, the PCI assessment itself doesn't count!), quarterly scans that demonstrate clean results, servers that match your configuration standards, and the ability to prove that if a file containing cardholder data is being monitored by FIM for unauthorized copying, alerts are generated and actioned accordingly.

In short, this is the year that many multi-year certified organizations will need to prove, in ways they may not have in previous years, that the people, processes, and associated technologies match policy. This is no small feat, particularly for those companies that were unfortunate enough to have had weak previous assessors who either let things slide or simply missed major areas of cardholder data flow (we've observed both on multiple occasions).
I'm held accountable for maintaining PCI compliance. What should I do?
- The first thing we recommend to all who own compliance is to be prepared. For those who have not had a gap analysis against the latest version of the standard, expect findings and ensure that enough time and budget are set aside to deal with them.
- The second recommendation we consistently make is to ensure that your program is fully operationalized and well documented. Nothing sets an assessor's mind at ease better than well-organized documentation paired with observations that demonstrate the rubber is clearly meeting the road.
- The third item we suggest is to put yourself in the assessor's shoes. They have very little time relative to the job at hand, are feeling the pressure of doing an adequate job, and are being subjected to lawsuits when companies they assess are later breached. If you could switch sides at the table, how would you respond to what you are hearing?
- Finally, we recommend adopting a new approach to PCI compliance. Compliance failures are rarely attributable to technology limitations, but rather to a breakdown in the resources and/or methodologies required to truly operationalize the requirements. It was this realization that prompted Alchemy Security to embrace project management methodologies such as Scrum. Scrum was originally designed to support agile software development, and what we realized is that there is little difference between Agile Development and Agile Security. Borrowing concepts and metaphors from lean manufacturing frameworks, Scrum supports "just enough" project management to keep a nimble process in place for ongoing compliance. Based upon our observations in the field, the Infosec community could greatly benefit from adopting more of these ideas to make compliance processes manageable, and to make the goal of remaining compliant between yearly audits attainable.