Step 5: Create a rapid response and internal audit/compliance team

Once the plan has been created and distributed company-wide, including to every member of the upper management team, the next task is to determine who will serve on an internal audit/compliance team.

This team should review, revise, test and enforce the policies and procedures on a regular timetable, and should also determine which security areas are to be audited at any given time.

Based on the outcomes of this routine testing of policies and procedures, revisions and/or new policies should be put into force. This is an area where PCI DSS and an organization's own security policy can converge to prevent data breaches before they occur.

In an article entitled "PCI Compliance after the TJX data breach," its author, Joel Dubin (a Chicago-based CISSP, independent computer security consultant and Microsoft MVP specializing in Web and application security, and the author of The Little Black Book of Computer Security), described how PCI can easily be integrated into an organization's existing security plan. "To stay compliant, keep complete records of how the required controls are set up, maintained and changed. Internal IT auditors should also use the PCI standard as a point of reference in regular audits to ensure the company remains compliant," wrote Dubin.

"It's also a good idea to hold employee training sessions for those who handle credit card data in compliance procedures." Dubin explained that organizations should rely on two key practices for PCI compliance: remote vulnerability scans and assessments.

"Remote vulnerability scans should be conducted on a quarterly basis, and cover all Internet connections to and from the company, including dedicated ones, like those for Web and email servers," wrote Dubin.

Continuing, he wrote, "When choosing a QSA and ASV for a compliance program, check if they have the technical experience and expertise in the six control areas. A QSA should be able to audit for the 12 controls, while an ASV should have a track record of conducting vulnerability assessments."

In addition to creating and deploying an audit/compliance team, every organization should have a rapid response team ready to address the aftermath of a data breach when one occurs.

It's up to each organization to determine which areas should be represented on its data breach response team, but members typically come from HR, legal, IT and, especially, public relations.


Data Breaches Part I - Is it possible to prevent the inevitable?

Introduction

Step 1: A Good Defense is an Offense

Step 2: Perform a company-wide risk assessment/inventory

Step 3: Educate employees on breach/data security

Step 4: Create a pre-breach containment and communication plan

Step 5: Create a rapid response and internal audit/compliance team

Epilogue: Spend now or pay later
