For most CISOs, the pain of an audit is part of the job, but it doesn’t have to be the nightmare that most of the IT community envisions. While attending the SOURCE Boston conference last week, your faithful SecurityWeek correspondent attended a rather frank discussion centered on the pain of a PCI assessment, and why that pain is completely unwarranted. Here’s a recap of the talk.
Presented by Michelle Klinger, a Sr. Consultant with EMC, and Martin Fisher, the Director of Information Security for WellStar Health System, the talk looked at the PCI assessment process from the perspective of a former QSA and an active security manager.
The goal was to highlight some basic processes that business leaders can follow in order to get through the assessment with as little stress as possible, a task that seems harder than it actually is.
Making the best of the situation
The talk started with a simple fact. Most of what those in the IT community think they know about PCI assessments is wrong.
“Horror stories that you’ve heard about assessments are generally that – horror stories,” Fisher said, expanding on his statement.
“Like most stories there’s two sides to it. Most of the horror stories that I’ve personally experienced, eighty percent of the blame went on the CISO at the time, and with the way he tried to manipulate the situation.”
At the same time, when the experience is a positive one, this too can be placed at the feet of the executive that is leading it. No matter what, the general tone of the process is set before the assessment starts.
Before The Assessment
One of the first things that a QSA will look to accomplish is the establishment of an initial rapport with the organization’s leadership and their teams. The idea is to discover what it is that the company is looking for. Obviously, Klinger explained, they want a compliant ROC (Report on Compliance), but what if there’s more? Organizations that are clear on what it is they hope to accomplish, such as using the ROC to push various security initiatives, will be helping themselves as well as the QSA in the long run.
The other side to this helpfulness is documentation. Assessments can sometimes require lots of documentation. Having the proper documents in place can mean the difference between a useless assessment and one that actually gets stuff done, Klinger explained.
It isn’t as if the documents a QSA needs, or how they validate the PCI process, are a secret; it is all well documented. Yet this area sometimes causes problems, as organizations come to the table unprepared, which in turn leads to issues further on.
With that said, prior to the QSA arriving onsite, make sure that an agenda has been discussed beforehand, that all the people needed for the meeting are available, and that documents are in order, to prevent time being wasted, Klinger added. The documentation itself should have timestamps and dates whenever possible, especially if it consists of screenshots. The documentation should be as close to real time as possible, so as to show what is actually going on in the organization’s environment.
Even better, when the documentation is collected, present it to the QSA as a map. This will enable the organization to show the QSA that document X is looking to satisfy requirement Y. In the long run, the document map is a timesaver and will benefit both sides of the process.
“From a CISO perspective, if you don’t start this process well you’re going to be hosed,” Fisher said. “While as a CISO or a director, you might not be able to pick the QSA firm... you do have the ability to choose who the individual assessor is. This is a critical, key first step.”
CISOs should interview potential QSA candidates as if they were interviewing an employee. For example, Fisher added, use hypothetical questions and situations. “If their personality is one that will rub everybody on your team wrong, don’t use that person.”
Another thing for CISOs to consider is the truth.
“You need to be honest as a CISO. I’m not saying it’s like walking into a confession booth, ‘forgive me assessor for I have sinned,’ and just lay everything out. I’m not advocating that at all. But don’t lie. Because once you’ve lost your credibility with the QSA, their only recourse is to do a fishing expedition. It’s ugly and it’s painful, and you don’t want to be there,” Fisher explained.
“You also need to make sure that your team understands that lying to the QSA is going to give them the opportunity to add value to other organizations – other than your own – very quickly. Don’t tolerate it from your staff.”
During the Assessment
One of the things a QSA will look for is inconsistencies. This isn’t that they are searching for lies, but they are looking for communication breakdowns between policy makers and those with “boots on the ground.”
This is why it matters that the documentation is prepared and the correct people with the relevant information are available from the start. It’s also why honesty is important. Communication breakdowns happen, and often no one is aware of them, so the assessment provides an opportunity to correct them and strengthen the organization.
“I can’t tell you how many times I’ve been stood up for meetings,” Klinger said. “The QSA, you have to understand, as well as the people being interviewed, want this to be done.”
Planning meetings with a QSA and then canceling them at the last moment, or not showing up at all, wastes time, and time can translate into money. Cancellations are expected, but if a meeting has to be canceled, there should be as much notice as possible and an alternative date and time proposed in order to reschedule.
It’s basic politeness in many cases, but it can go a long way towards keeping the assessment process smooth. The last thing an organization or its staff needs is a QSA hunting people down. Often these meetings can be painful, which in some cases is why they’re avoided. But, Fisher added, the CISO should make it clear that the meetings are important and that the pain of the meeting is nothing compared to the pain that could come from blowing them off or neglecting them.
Another thing for organizations to remember, particularly the CISO, is the importance of managerial support. CISOs need to be supportive of their teams during the process and encourage them to work with the QSA, not against them. Again, being honest and open will play a large role in this.
However, on the other side of support is influence. CISOs that try to strong-arm the QSA, or improperly influence the process, will cause more harm than good. In short, this is a career-ending move in some business segments.
Never let the QSA be in charge. They need scope and boundaries, and the CISO needs to enforce this. But if the QSA doubts the CISO’s or the staff’s honesty, “you’re done,” Fisher explained.
“They’re not going to believe anything you say. The assessment will take longer, and instead of giving you the benefit of the doubt on something that’s on the cusp – you’re toast.”
The bottom line is that since one cannot improperly influence the QSA, or even appear to be doing so, should there be a problem with the QSA, the CISO needs to address it with the QSA’s boss. However, if the QSA was interviewed beforehand, this shouldn’t be an issue.
After the Onsite Assessment
Before the QSA leaves, get a meeting with them to receive an overview of the major items that they’ve identified. This helps management get an idea of the level of effort needed for remediation. It also helps with identifying potential discrepancies.
In addition, the organization needs to make sure that outstanding items are delivered in a timely fashion. Outstanding items happen. This is part of the process, but it’s something that must be addressed sooner rather than later. Also, make sure that the QSA delivers a list of findings.
CISOs should just expect this, but make sure that it’s clear to the QSA that this is to be delivered ASAP. The QSA is relying on the organization to review the findings and discuss them. As remediation begins, keep the QSA in the loop and communicate with them periodically as changes are made.
“The biggest mistake that too many CISOs make is they don’t realize the ROC is negotiable,” Fisher said.
“Now I’m not saying that you can bend reality. I’m not saying that at all. But for example, in certain industries, certain words [have different meanings]... If in your conversation with the assessor, if they keep using a word that to them is a middle sized problem, but in your world it means the four horsemen are saddling up, explain to them the cultural context of that word...”
Doing so allows the ROC to be written in language that the organization’s board of directors and senior leadership understands. It also enables the CISO to ensure that the ROC is accurate.
From there, the CISO needs to use the ROC to determine where the organization “needs to go from here,” Fisher adds. However, while it is vital that the CISO form a plan, they cannot use the list of remediation items as their plan.
“If you do that, you suck,” he said. “PCI is not your whole program. If PCI is your whole program, you’re not doing your job right.”
In the end, assessments can be heaven or hell. “You either get a Scotch that’s warm and peaty or you get a warm bottle of Zima,” Fisher humorously concluded.
The quality of the beverage (and the assessment) and the level of pain are completely in the hands of the organization. With a little effort and some focus, it’s entirely possible for CISOs and their teams to not only survive a PCI assessment, but also survive it with their sanity intact.