If it isn't documented, how do you know what your employees are doing?
It appears to be fairly common to see organizations of all sizes think of the documentation requirements for PCI compliance as one of the easiest aspects of the standard to meet. After all, when you compare the ease of simply having to document specific requirements versus actually deploying the architecture, hardware, software and personnel to meet them, the documentation requirements seem fairly benign. Documentation may then become an afterthought: "Let's get the large gaps closed, and then we'll just type up whatever the Self-Assessment Questionnaire (SAQ) or the assessor (if you are undergoing a Level 1 assessment) is asking for." This is the wrong approach to take as having policies and procedures in place is a critical component of your security program.
"Wait," I can hear you say, "you consider documentation to be a critical component of my security program? Of all the things I have to do: I have to segment my network. I have to configure my firewalls and routers. I have to define access controls. I have to deploy anti-virus, file integrity monitoring, intrusion detection systems and a whole slew of other security controls, and you're telling me that documentation should be at the top of my list? My administrators have much better things to do, quite frankly."
If your goal is to check off all the PCI requirements on a list in order to gain compliance, then – yes – you are correct in your thinking, albeit opening up your organization to risk. If your goal is to protect your organization as much as possible from the ever-changing threat landscape and emerging vulnerabilities, then documentation should be a high priority as it is one of the most critical components of your security program. And this is because of the number one vulnerability that you face as an organization: your own employees.
Several recent breaches have occurred because attackers took advantage of well-meaning employees at companies such as EMC Corp.'s RSA security unit, Epsilon Data Management, and even Twitter. A report released by Check Point Technologies, The Risk of Social Engineering on Information Security, states that 32% of companies of all sizes have experienced 25 or more social engineering attempts within the last two years, and the same report found that 34% of businesses do not have any employee training or security policies in place.
The question then is: how do employees know what to do and how to perform their everyday functions without documented guidance? That is where the PCI requirements for documentation come into play.
Documentation of policies and procedures should be the first step in meeting PCI compliance, not the last. Documentation is the foundation of defining how your security program with all its intricacies will be built, maintained and improved. After all, how would your employees know what is required of them in order to meet and maintain PCI compliance? How would a newly-employed Network Administrator, for example, know what to do with a change request to open up a port or two on the firewall placed in front of the cardholder environment? Without the change control process documented, they may proceed with the request and instantly open up your network to risk.
Looking back at some of the things that may be on your plate, documentation is the foundation to effectively achieving the result you need to safeguard your organization. Network segmentation is achievable using various methods, but do your employees know how to sustain the segmentation? What if the example above of receiving an immediate request to open up ports on your firewall is actually received and your Network Manager is on vacation in Hawaii and unreachable?
If the configurations for systems and networking equipment in use are not documented, there is nothing for employees to follow other than what they themselves believe to be appropriate. You may think that they know not to use FTP or Telnet, but people make mistakes. Just look at the Check Point report referenced earlier.
The definitions for the role-based access controls need to be documented or else a new user may receive more privileged access permissions than they are supposed to. If there is nothing stating that Accounting group employees are not to receive access to the database server in the cardholder environment, what's stopping them from receiving it?
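The three scenarios above (an undocumented change control process, an undocumented configuration standard, and undocumented role-based access definitions) share one failure mode: with nothing written down, the decision rests on whatever the person handling the request happens to believe. One way to make documented standards enforceable rather than advisory is to express them as data and check every request against them. The following is an added example, not code from the original article or from any PCI program; the port numbers, approver roles, group names and host names are constructed for illustration, and the rules are assumptions standing in for whatever an organization's own documented standard says.

```python
"""Policy-as-code check for three documented PCI controls.

Added example, not from the original article. Every policy value below
(prohibited ports, approver roles, group-to-resource grants, host names)
is constructed to illustrate the approach and is an assumption, not a
statement of what the PCI DSS itself requires.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed configuration standard: cleartext services the documented
# standard prohibits on any system in the cardholder data environment (CDE).
PROHIBITED_SERVICES = {
    21: "ftp",     # cleartext file transfer
    23: "telnet",  # cleartext remote shell
}

# Constructed inventory of hosts inside the CDE.
CDE_HOSTS = {"cde-db-01", "cde-app-01"}

# Constructed change-control rule: a firewall change needs a recorded
# ticket and sign-off from one of these roles before it can be applied.
APPROVER_ROLES = {"network_manager", "security_officer"}

# Constructed role-based access definitions: which groups may reach
# which CDE resources. Any group/resource pair not listed is denied.
ROLE_ACCESS = {
    "dba": {"cde-db-01"},
    "payments_ops": {"cde-app-01"},
    "accounting": set(),  # documented as having no CDE access at all
}


@dataclass
class FirewallChange:
    """A request to open a port to a destination host (constructed shape)."""
    ticket: Optional[str]
    dest_host: str
    port: int
    approver_role: Optional[str]


def evaluate_firewall_change(change: FirewallChange) -> List[str]:
    """Return every documented-policy violation; an empty list means OK."""
    findings = []
    if not change.ticket:
        findings.append("no change ticket: change control requires a recorded request")
    if change.approver_role not in APPROVER_ROLES:
        findings.append("missing approval from a documented approver role")
    if change.dest_host in CDE_HOSTS and change.port in PROHIBITED_SERVICES:
        findings.append(
            f"port {change.port} ({PROHIBITED_SERVICES[change.port]}) is prohibited "
            "by the configuration standard for CDE hosts")
    return findings


def access_permitted(group: str, resource: str) -> bool:
    """Deny by default; grant only what the documented role definition lists."""
    return resource in ROLE_ACCESS.get(group, set())


if __name__ == "__main__":
    # Constructed request: the 'manager on vacation' case, a rushed Telnet
    # opening to the CDE database with no ticket and no approver.
    rushed = FirewallChange(ticket=None, dest_host="cde-db-01", port=23,
                            approver_role=None)
    for finding in evaluate_firewall_change(rushed):
        print("DENY:", finding)

    # Constructed request that follows the documented process.
    routine = FirewallChange(ticket="CHG-0001", dest_host="cde-app-01", port=443,
                             approver_role="network_manager")
    print("routine change findings:", evaluate_firewall_change(routine))

    # The Accounting group asking for the CDE database server.
    print("accounting -> cde-db-01:", access_permitted("accounting", "cde-db-01"))
```

The point is not the particular rules but that each one is a line in a file a new administrator can read, and a check the request process can run, rather than knowledge that lives only in the head of whoever is unreachable that day. Deny-by-default in `access_permitted` is deliberate: a group that the documentation never mentions gets nothing until someone writes the grant down.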
The same concepts apply to the deployment of anti-virus, file integrity, intrusion detection systems and other security controls. If it is not documented, your employees have nothing to follow as guidance for securing your environment and maintaining that level of security.
Chasing after vulnerabilities is a far less effective approach to a security program than proactively protecting and safeguarding against them. Not providing your employees and organization with the "do's and don'ts" of what is expected of them in their operational and strategic activities leaves them unable to be proactive. Do your Administrators have something better to do than chasing after vulnerabilities? Absolutely. Do they have something better to do than not following organizational policies and procedures? Absolutely not.
If you have questions on how to develop the right documentation for your business, or would like to speak with a PCI compliance and security consultant, we stand ready to help. Please contact us at 1-800-825-3301 x 1.