BOSTON -- The PCI assessor can be a CISO’s best ally or worst nightmare, and that outcome depends heavily on the management style of the CISO. This perspective was delivered in the session, Your PCI Assessor: Best friend or worst enemy?, featuring Michelle Klinger, senior security consultant for EMC Corp., and Martin Fisher, director of information security for Atlanta-based Wellstar Health System, at the 2012 SOURCE Conference Boston this week.
Once you’ve lost your credibility with the QSA, their only recourse is to do a fishing expedition for problems.
Wellstar Health System
The two speakers discussed best practices for security pros to use before, during and after a payment card industry data security standard (PCI DSS) assessment, with the qualified security assessor (QSA) perspective provided by Klinger, and the CISO perspective provided by Fisher.
Before the assessment
Fisher, who has been through two rounds of PCI assessment in a previous position at a Level 1 merchant company, encouraged attendees to start off right by choosing their own QSA. Even though the CISO usually can not choose the assessment firm itself (that decision is generally based on price), Fisher said CISOs do not need to accept the first QSA the assessment firm sends through their door. “Interview QSA candidates as thoroughly as you would interview to hire a full-time employee,“ Fisher said. “Look for a QSA with a good personality fit with your organization.”
Klinger emphasized the QSA wants to get through the assessment process just as quickly as the CISO does. The more the IT team can do to make the QSA’s job go smoothly, the more quickly the organization may receive an accurate and effective report on compliance (ROC). For example, Klinger recommended the IT team provide a diagram of each document they are providing to the QSA, mapped to the PCI requirement the document is meant to validate. “This is huge,” Klinger said. “It helps the QSA validate each document so they don’t have to bombard you with questions.”
During the assessment
QSAs look for the 2-3 people in each company who know 80% of the information the QSA needs, Klinger said. If the QSA can find those people, they can get most of their work done in a short time just by interviewing those people extensively.
“But prep them in advance,” Fisher warned. “Make sure your people understand PCI DSS requirements and scope. They should answer all PCI-related questions honestly. But if the questions are about non-PCI systems, they should know not to answer those questions.”
At the same time, Fisher urged attendees to be totally honest with their QSA, and to encourage their staff to do the same. “Don’t lie, or it will end badly,” he said. “Once you’ve lost your credibility with the QSA, their only recourse is to do a fishing expedition for problems.”
After the assessment
The CISO should have a wrap-up meeting with the QSA before the ROC is finalized, and the QSA should be able to discuss the remediation requirements that may be listed in the PCI ROC. “The worst thing that can happen is to be blindsided by the ROC,” Fisher said.
Klinger often provides a list of remediation requirements in a spreadsheet form to clients, in advance of the actual PCI ROC. “The QSA is relying on the client to validate everything is accurate. The client should feel absolutely comfortable discussing and debating the findings with the QSA,” she said. “There are times when a QSA will change a finding, so communication is important.”
CISOs can use the ROC as a tool to get security initiatives approved. “Your job is to figure out what the company does from here,” Fisher said. “Leverage the assessment to show the executive team the security projects you have to do.”
“In the end, the ROC is your responsibility,” Fisher said. “You may as well get something out of it.”