In the spirit of Cybersecurity Awareness Month, we want to help showcase the many facets of cybersecurity and how they intertwine with everyday business processes.
This post shares the unique and valuable perspective of a former GRC Director-turned-QSA, on how to make your PCI Assessment easier on all parties.
When I worked as the GRC Director for a major national retailer, I would often ask the QSA working with us on our PCI assessment two of my favorite questions:
“Why do you need that?”
and
“Why is it taking so long to get me the ROC (Report on Compliance)?”
From my perspective, the process for an assessor to complete the ROC simply consisted of an interview or a document, a checked box, maybe a few comments if something was delivered, and then moving on, right?
Now the truth is I knew there was more involved in getting the ROC completed than just that. After all, I provided the QSA with copies of all the documentation and supporting evidence they needed to review, I was in all the interviews they conducted and I received the 200+ page report.
But you get my point. It should be a slam-dunk for a QSA to complete.
After 11 years in that role, I decided to take on a new challenge: become a QSA.
Welcome to the dark side, right?
Let me be honest and confess something to you before I go any further. After I completed my first assessment as the lead QSA, I had to reach out and apologize to my previous assessors for all my past remarks from my previous lofty role!
Hello!
I had NO IDEA what was required to complete a ROC. NO IDEA of the work effort and time it took to review documents or the exercise to pull samples. NO IDEA…
Let’s think about it: there are over 500 blocks of information to fill out in a ROC. And it is NOT just checking a box. In order to respond to any of the requirements, an understanding of the environment is needed, scope of systems must be defined, evidence and business documentation must be linked to requirements. Then the oversight: interviewing responsible personnel for each item, review of systems in production, testing, etc. Whew – the process is extensive! And then of course any new discoveries along the way could increase work on both sides. Now that I’ve walked a few miles in both sets of shoes, I have a new perspective on what it takes to achieve PCI compliance!
No matter how you look at it, there are two perspectives to every PCI Assessment – the organization and the QSA. Both perspectives are important to achieving compliance but the lenses they look through are different, and the impacts are different too. Let me share two quick examples:
Maintaining PCI compliance is an ongoing effort for every organization. The requirements are constructed to ensure that the organization’s eye is always on the security ball. But we know that situations happen, best practices are overlooked, and gaps are created. During quarterly reviews, program elements such as missed patches on an in-scope system or undocumented changes to a production application would have unintended consequences for sustaining PCI compliance. I could not keep the assessment on schedule if a QSA came into our organization and found compliance gaps. Once a gap was found, other projects for the impacted team would need to be put on hold until the issue was addressed.
As a QSA, when a gap is discovered, rework of previous reviews is necessary. Additionally, new documentation from the customer on how they will ensure the gap will not occur again is required. Depending on the extent and risk of the gap, a QSA may now need to look at an increased sample size, up to all in-scope systems, not just a sample set. The more compliance is part of daily work efforts, the more straightforward the assessment will be for both sides.
As a GRC lead, when a QSA asked a question that I felt did not align with a requirement, it put me on the defensive and I immediately went back to one of my two favorite questions – “Why do you need that?” Part of my responsibility was to ensure the QSA stayed on track, looked at the situation within the organization, and determined whether a call-out was necessary. This can be challenging.
One year, we were working with a new QSA who insisted that our Information Security Policy use the word “must” rather than “should”. This change had a ripple effect in the organization when it really didn’t need to. “Should” would still have met the spirit of what the PCI requirement intends. As a QSA, this lesson resonates with me during all my assessments. When I ask for additional information or call something out, it needs to be significant and important to the customer’s overall business security.
Now that I have been on both sides, I wanted to share a few suggestions that I believe can make getting through an annual PCI assessment easier, more efficient, and simply less hard. And guess what? It requires consideration from both sides.
#TeamGovernance
If you are reading this and are on the governance side, here are some things to consider for a smoother assessment:
#TeamQSA
If you are reading this and you are a QSA, here are things to consider:
Today, I find that my past role and my current role really help me empathize with my clients while completing their PCI assessments. I understand the point of contact’s role and what they need from me during the PCI assessment process. I have experienced their challenges within the organization. I really do believe that the PCI assessment process can be a much smoother one when we work together. And,
I don’t get bothered when they ask me – “Where is my ROC?”