BOSTON -- The PCI assessor can be a CISO's best ally or worst nightmare, and which one depends heavily on the management style of the CISO. That view was delivered in the session "Your PCI Assessor: Ally or worst enemy?", featuring Michelle Klinger, senior security consultant for EMC Corp., and Martin Fisher, director of information security for Atlanta-based Wellstar Health System, at the 2012 SOURCE Conference Boston this week.
The two speakers discussed best practices that security pros can use before, during and after a Payment Card Industry Data Security Standard (PCI DSS) assessment, with the qualified security assessor (QSA) perspective provided by Klinger and the CISO perspective provided by Fisher.
Before the assessment
Fisher, who has been through two rounds of PCI assessment in a prior position at a Level 1 merchant company, encouraged attendees to start off right by choosing their own QSA. Although the CISO usually cannot choose the assessment firm itself (that decision will likely be based on price), Fisher said CISOs do not have to simply accept the first QSA the assessment firm sends through their door. "Interview QSA candidates as thoroughly as you would interview to hire a full-time employee," Fisher said. "Look for a QSA with a good personality fit with your organization."
Klinger emphasized that the QSA wants to get through the assessment process just as quickly as the CISO does. The more the IT team can do to make the QSA's job go smoothly, the more quickly the organization can receive an accurate and effective Report on Compliance (ROC). For instance, Klinger recommended the IT team provide a diagram of every document they are providing to the QSA, mapped to the PCI requirement the document is intended to validate. "This is huge," Klinger said. "It helps the QSA validate each document so that they don't have to bombard you with questions."
During the assessment
QSAs look for the two or three people in each company who know 80% of the information the QSA needs, Klinger said. If the QSA can find those people, they can get most of their work done in a short time simply by interviewing those people extensively.
"But prep them beforehand," Fisher warned. "Make sure your people understand PCI DSS requirements and scope. They must answer all PCI-related questions honestly. But when the questions are about non-PCI systems, they need to know not to answer those questions."
At the same time, Fisher urged attendees to be completely honest with their QSA, and to encourage their staff to do the same. "Don't lie, or it'll end badly," he said. "Once you've lost your credibility with the QSA, their only recourse is to do a fishing expedition for problems."
After the assessment
The CISO should have a wrap-up meeting with the QSA before the ROC is finalized, and the QSA should be ready to discuss the remediation requirements that will be listed in the PCI ROC. "The worst thing that can happen is to be blindsided by the ROC," Fisher said.
Klinger often provides a list of remediation requirements in spreadsheet form to clients, in advance of the actual PCI ROC. "The QSA is relying on the client to validate that everything is accurate. The client should feel absolutely comfortable discussing and debating the findings with the QSA," she said. "There are times when a QSA will change a finding, so communication is important."
CISOs can use the ROC as a tool to get security initiatives approved. "Your job is to determine what the company does from here," Fisher said. "Leverage the assessment to show the executive team the security projects you need to do."
"In the end, the ROC is your responsibility," Fisher said. "You might as well get something out of it."