TheSupe87 - Fotolia
What are the most important pieces of advice you suggest taking out of the new PCI Special Interest Group guidance document on maintaining PCI DSS compliance?
In its recent guidance, the PCI Security Standards Council seeks to address the issue of PCI DSS compliance "fall-offs" that occur between the annual assessment cycles required by merchant banks. It uses the diagram shown below to illustrate how compliance begins to fall off in many organizations immediately after an assessment (see image below).
The document itself is full of good advice on building a robust, sustainable compliance program. Here's the quick rundown of the seven steps it encourages compliance-minded organizations to take:
- Maintain the proper perspective. Remember, the driving objective is to protect sensitive cardholder information from unauthorized disclosure and use. Everything else in the compliance program is designed to achieve that goal.
- Assign ownership for coordinating security activities. Simply put, if someone specific isn't in charge, then it's not going to get done. Identify a compliance manager to keep the focus on compliance year-round.
- Emphasize security and risk, not just compliance. Organizations shouldn't be designing for compliance. Instead, they should be designing for security and achieving compliance as a consequence.
- Continuously monitor security controls. A security program requires daily attention, and it should generate evidence that illustrates ongoing compliance.
- Detect and respond to security control failures. Things go wrong. Design the security program so that when they do, the appropriate personnel are made aware of the failure and can take immediate remediation action.
- Develop performance metrics to measure success. Use a combination of implementation, effectiveness and impact measures to monitor the status of the security program over time.
- Adjust the program to address changes. Businesses change regularly. Monitor changes in your organization, business processes and technologies to evaluate the ongoing effectiveness of security controls.
This new guidance document provides some great common-sense ways to improve a compliance management program. The advice it contains should be required reading for anyone responsible for security or compliance in an environment handling any type of regulated data.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Is your company ready for mandatory PCI DSS compliance in 2015?
Could open source security software solve PCI DSS compliance problems?
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading