Over the past 13 years or so I’ve assessed hundreds of organizations as a PCI Qualified Security Assessor (QSA). In that time there have only been a few instances where I walked away and there was no remediation that needed to be done. What I’ve most often found is that management had an expectation that a PCI security control was in place and functioning; however, staff were not always performing those activities as defined by policy or even management’s expectations.
Companies are often caught by surprise when faced with remediation steps following a QSA assessment. In this blog post I’m going to show you how to avoid these surprises and manage and maintain your PCI security controls the easy way.
Aligning Expectations with Reality
Avoiding surprises is all about the continuity of your PCI program. (Yes, I said program.) Once the PCI program has been established, it needs to be maintained. As a process and not an event, PCI compliance should become ingrained into your culture and how you do business.
Unless management implements processes to maintain continuity, your PCI security controls will drift over time, for any number of reasons: staff turnover, system changes, or simple neglect. In other words, your compliance program needs to be monitored, measured and reported on. Your policy defines the expected state of each control, and that expected state exists to address a specific security threat or reduce it to an acceptable level of risk; monitoring tells you whether the actual state still matches.
For example, imagine that your organization is at risk to a crypto virus, so you implement anti-virus to address it. The monitoring component of this control would be to ensure that it is installed, running, and receiving updates on a defined basis. Next, we need to look at the measurement of this control: Have you been infected? Is it protecting you from zero-day attacks? Is it working sufficiently? Lastly, as part of your program maintenance, it is equally important to provide the process owner with a report so they can decide on the program efficacy of the control.
Tracking PCI Security Controls the Easy Way
This handy control-tracking worksheet (click link to download) was created to help you manage and maintain each control based on its required cadence. Upon completion of each noted task, I recommend that all PCI program stakeholders (including management) be informed of its completion and efficacy, so everyone is assured that company policy and procedures are in place and working as defined and expected.
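To make the monitor, measure and report loop concrete, here is a small added example (not code from the original post, the worksheet, or ControlScan) that applies the anti-virus scenario above and the cadence idea behind the worksheet. It compares each endpoint's actual anti-virus state with the policy's expected state, measures how many endpoints comply, and flags recurring tasks whose cadence has lapsed. The hostnames, dates, cadences and the two-day signature-age threshold are constructed assumptions for illustration, not PCI DSS requirements quoted verbatim.

```python
"""Added example: a minimal monitor/measure/report loop for PCI controls.
Not code from the original post or from ControlScan; endpoint records,
task names, cadences and thresholds below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Policy (assumed for this example): signatures must be no older than this.
MAX_SIGNATURE_AGE_DAYS = 2


@dataclass
class Endpoint:
    """Observed (actual) state of one in-scope system, as an inventory tool would report it."""
    hostname: str
    av_installed: bool
    av_running: bool
    last_signature_update: date


@dataclass
class ControlTask:
    """A recurring control activity from the tracking worksheet, with its required cadence."""
    name: str
    cadence_days: int
    last_completed: date


def check_av_endpoint(ep: Endpoint, as_of: date) -> list[str]:
    """Monitor: compare one endpoint's actual AV state with policy; return the gaps found."""
    findings: list[str] = []
    if not ep.av_installed:
        findings.append("anti-virus not installed")
    elif not ep.av_running:
        findings.append("anti-virus installed but not running")
    # Signature age only matters if the product is present at all.
    if ep.av_installed and (as_of - ep.last_signature_update).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    return findings


def measure_av_control(endpoints: list[Endpoint], as_of: date) -> dict:
    """Measure: how many endpoints meet policy, and which ones do not (and why)."""
    results = {ep.hostname: check_av_endpoint(ep, as_of) for ep in endpoints}
    compliant = sum(1 for f in results.values() if not f)
    return {
        "compliant": compliant,
        "total": len(endpoints),
        "findings": {host: f for host, f in results.items() if f},
    }


def task_status(task: ControlTask, as_of: date) -> dict:
    """Cadence check: is this worksheet task current, or overdue and by how many days?"""
    due = task.last_completed + timedelta(days=task.cadence_days)
    overdue_days = max(0, (as_of - due).days)
    return {"due": due, "overdue_days": overdue_days,
            "status": "overdue" if overdue_days else "current"}


# Constructed sample data: what an inventory export and the worksheet might contain.
AS_OF = date(2024, 3, 15)
SAMPLE_ENDPOINTS = [
    Endpoint("pos-01", True, True, date(2024, 3, 14)),   # healthy
    Endpoint("pos-02", True, False, date(2024, 3, 10)),  # stopped, stale signatures
    Endpoint("db-01", False, False, date(2024, 1, 1)),   # never installed
]
SAMPLE_TASKS = [
    ControlTask("Review anti-virus update logs", 7, date(2024, 3, 12)),
    ControlTask("Quarterly internal vulnerability scan", 90, date(2023, 12, 1)),
]


def build_report(endpoints=SAMPLE_ENDPOINTS, tasks=SAMPLE_TASKS, as_of=AS_OF) -> dict:
    """Report: one structure the process owner can review to judge control efficacy."""
    return {
        "as_of": as_of,
        "anti_virus": measure_av_control(endpoints, as_of),
        "tasks": {t.name: task_status(t, as_of) for t in tasks},
    }


if __name__ == "__main__":
    report = build_report()
    av = report["anti_virus"]
    print(f"Anti-virus: {av['compliant']}/{av['total']} endpoints compliant")
    for host, gaps in av["findings"].items():
        print(f"  {host}: {'; '.join(gaps)}")
    for name, st in report["tasks"].items():
        print(f"Task '{name}': {st['status']} (due {st['due']})")
```

The point of the structure is that the policy (the expected state and cadence) is separated from the observation (the inventory records and completion dates), so a stakeholder can see at a glance where reality has diverged from what management expected. Run it as-is to print the sample report, or feed `build_report` real inventory data on whatever schedule the worksheet prescribes.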
Have additional questions on how to manage and maintain PCI security controls? Give ControlScan a call at 800-825-3301, ext. 2. We’re happy to help.