It’s a bright Monday morning in May 2014. You are just back to your cabin after the morning briefing with your team and enjoying your hot black coffee and the cell phone pings! It is the big boss texting “See Me…”
In the next 30 odd minutes you are told that the company needs to demonstrate PCI compliance to win a major contract and as a CISO you will have to lead the effort. You are both excited and concerned!
You call your team and explain to them the state of affairs and the tight (3 months!) deadline. They, being good colleagues, support you wholeheartedly and your company gets the certification. All are happy!
Your team met the 3-month deadline and your company won the contract! You are on the Wall of Fame!
One year later…
It’s a languid Friday afternoon in July 2015. While replying to a few unanswered emails you see a forwarded mail from the boss. It is the QSA Company’s project team informing you that you are due for an assessment in a month’s time. You have plans for an amazing weekend and choose to deal with it post your revitalising weekend. You are confident that the team which did it in such a tight deadline last time will do the wonders this time as well!
Monday arrives and you start following up with the network, systems, administration, human resources asking them to send the Status Quo in three days since you are meeting the boss on Thursday!
By Wednesday, you have the facts – network team has missed firewall and router rules review; the newly added servers did not undergo vulnerability scanning and penetration testing; the log server had crashed and hence the logs are only available for 7 months; etc…!!
The dashboard you prepared for the boss now shows 33 % RED! You are stuck!
If this sounds familiar and you don’t want to face this uncanny situation, here are my Five Platinum Principles for continual PCI compliance:
- Know the Standard
Unlike many other compliance standards e.g. ISO 27k (too generic) and SSAE 16 (you can define your own frequency), PCI DSS has a definite frequency for maintaining controls. There are multiple requirements which could have a cascading effect on your compliance posture if you fail to maintain the effectiveness of the required controls. There could be various teams involved and unless there is a crystal clear understanding and communication within the teams, you are most likely to face difficulties. For example – the purchase is done by procurement team, device hardening is done by some other team and vulnerability scanning is someone else’s responsibility. Unless these teams are in sync and know the standard well, maintenance becomes difficult.
- Get the Necessary Budgetary Approval for the Upkeep
As a CISO, you may need to procure stuff and outsource some of your activities viz. Scans from ASV and other periodic scans. While submitting the budget, it is advisable to include the recurring maintenance cost as well. This will ensure that you have necessary funds available and you don’t need to run at the eleventh hour and delay the mandatory requirements for compliance.
- Develop an Annual Compliance Calendar
A simple spreadsheet can do wonders. List the tasks as Daily (Log Reviews), Weekly (File Integrity Checks), Monthly (Newly Added Devices, Employee Background Checks, Recent Infrastructure Changes etc), Quarterly (Scans), Semi-Annually (Network device ruleset reviews) and Annually (policy reviews, risk assessment, training programs, pen tests, incidents).Once the list is ready, name the “Owner” for each activity. Add the column “Checker”. Circulate the calendar to all the relevant stakeholders.
- Assign Tasks and Monitor Them
Once the calendar is circulated, ask all the checkers to report the progress on a periodic basis. My strong recommendation – do this on a fortnight basis. This will ensure in initiating the immediate corrections and corrective actions if something is amiss and will not come as a last minute surprise or show spoiler. My sincere advice – For any challenges, take required advice from the QSA Company. They will guide in addressing any bottlenecks. Remember – hiding facts helps nobody in compliance.
- Include Vendors in Compliance Program
Communicate your compliance requirements to the vendors well in advance; in fact, it needs to be a contractual obligation. Vendors play a vital role in maintaining the compliance program when it comes to PCI DSS. If you have third party vendors, keep them well informed. If you have outsourced any of your activities, get the records well in time to avoid last minute hiccups. You’re also now required to maintain a formal list of PCI responsibilities shared with vendors, down to the specific requirements you and the vendor handle. Vendor non-compliance can become a big challenge for your own maintenance and could be a show stopper.
Lastly, remember that the cost of not maintaining compliance in PCI DSS would always be multiple times higher than the cost of continual maintenance. Non-compliance may invite consequences leading to huge fines and penalties from card brands, data breaches, loss of reputation and business, and much more.
The situation I opened this post with, as well as the financial and business pitfalls, can certainly be far less dire with regular efforts and making the required compliance as a part of your routine activities.
Subscribe to this blog for additional tips and webinar announcements.