Ask the Expert

Should PCI DSS auditors be subjective?

How subjective is a PCI audit? Does the scope of a PCI audit make it more difficult for an auditor to be subjective?


Every audit, in some way, shape or form, is subjective. The reality is that it needs to be. If you are looking simply for an automaton to go through a checklist and give you a clean bill of health, you are missing the point of the audit.

Most people fail to realize that audits can and should be a productive experience that not only helps an organization learn what it needs to do better, but also provides some perspective on best practices and other techniques that can improve the information security posture of an organization. The auditor sees far more than you do, so this person should be treated as a resource.

I would encourage my auditor to use his or her subjective opinion of my environment to help me improve my security. And given the wide-ranging nature of different technology environments, it's not possible to define regulations tightly enough to remove subjectivity.

If we are talking about PCI DSS specifically, let's take its first requirement -- "Install and maintain a firewall configuration to protect data." How is that anything but subjective? The auditor will ultimately be the one who defines what an acceptable firewall configuration should be. PCI DSS's third requirement -- "Protect stored data" -- is similarly nebulous. As you dig into the details of each requirement, there are more specifics detailing what each requirement means, but there is wiggle room -- there always is.

So the bottom line is that an audit, even a PCI DSS audit, is going to be partially subjective. Keep that in mind as you gather your data and go through your audit.

For more information:

  • In this tip by contributor John Kindervag, learn the five biggest misunderstandings about PCI DSS.
  • Learn how PCI DSS compensating controls can help corporations build a strong security program that appeases both examiners and security pros.

This was first published in July 2007
