Archive for February 19th, 2009

Compliance Morass

I promised more comments regarding Mr. Robert Gezelter’s blog post entitled ‘Securitization: A Risk To Compliance Integrity’.

To paraphrase Mr. Gezelter, he argues that compliance programs become irrelevant because there is no provision for feedback into the compliance program that periodically adds new requirements and re-evaluates existing requirements to ensure that they are still relevant or that they are updated to reflect new conditions.  Mr. Gezelter is absolutely right that compliance programs must remain relevant, as irrelevant programs no longer provide any benefit.

The PCI compliance program is kept relevant by the participating organizations, the card brands, the QSAs, the ASVs, the PA-QSAs, the PCI SSC and other relevant parties.  All of these groups are charged with periodically reviewing the various PCI assessment processes and making suggestions for additions, changes and deletions of requirements.  The problem with this process is that, with so many groups and their different constituencies involved, permanent changes can take a while to get published.  However, this is somewhat addressed by the fact that the PCI SSC can issue ‘clarifications’ to the PCI compliance programs to address immediate concerns with the programs.

If there is a problem with the PCI compliance process, it is that the assessment is conducted as of a point in time, although there are some requirements, such as vulnerability scanning and penetration testing, where a year’s worth of reporting is required.  The problem with this is that the organization is compliant at the time of its assessment, but may not have been compliant at any other time.  This typically confuses people because Reports On Compliance (ROC) and Self Assessment Questionnaires (SAQ) are required to be filed annually.  Thus most organizations assume that this implies that the assessment process covers the entire time between filings.  Nothing could be further from the truth.

Since organizations are not likely PCI compliant all of the time, companies can suffer breaches even when they are supposedly PCI compliant.  Even organizations that are extremely diligent about their compliance can still suffer breaches because there are still humans involved.  It’s not until the forensic examination is complete after a breach has occurred that a company is actually determined to have been PCI compliant or not.  Given the odds, I would say that most organizations, for one reason or another, are not compliant at the time of a breach.  And given that security is not a perfect science, it’s also likely that the breach was not necessarily the result of not being PCI compliant.

In the end, I think the PCI standards are being kept up to date and relevant, so Mr. Gezelter’s concern there is unfounded.  However, I do believe there is a gap in the compliance assessment process that gives organizations a false sense of security: that if they are compliant, all is good all of the time.  And that is just not the case.
