Archive for June, 2015

26
Jun
15

QSAs Need More Certifications

Branden Williams has a great posting out on this topic that everyone that is a QSA needs to read. He brings up a number of good points that need to be discussed.

That said, I wanted to take on one of his discussion points and go a bit deeper. And that is the coming requirement that multiple certifications will be required as of July 1, 2016.

Note: The requirement to possess at least one industry-recognized certification is effective as of January 1, 2016 for new QSA Employees. For QSA Employees qualified and added to the search tool prior to January 1, 2016, this requirement is effective July 1, 2016 (for example, upon annual requalification after June 30, 2016).”

The document lists two types of certifications; “Information Security” and “Audit”. Under Information Security list you have the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM).

Under the Audit list you have the Certified Information Systems Auditor (CISA), GIAC Systems and Network Auditor (GSNA), Certified ISO 27001, Lead Auditor, Internal Auditor, International Register of Certificated Auditors (IRCA), Information Security Management System (ISMS) Auditor, Certified Internal Auditor (CIA). How the Council developed this list of qualified certifications is beyond me as there are some others that I would think should be listed here.

I too face the issue that Branden faces. While I have multiple certifications, I no longer hold the CISA certification that I would need to remain a QSA after June 30, 2016. As a result, I would have to go back and obtain my CISA again after letting it lapse years ago. Why my Certified in Governance of Enterprise Information Technology (CGEIT) would not be acceptable and qualify me I have no idea.

But there is a larger issue here that I think needs to be discussed. Given how the Council has broken these certifications out, one would assume that they are looking to make QSAs better assessors by improving their auditing skills. I am also assuming that they are preparing QSAs for the onslaught of conducting true audits under the coming integration of business as usual (BAU) standards that will be introduced into the PCI DSS v4.

Based on those assumptions, I would argue that only the IRCA and CIA certifications have anything to do with certifying someone as capable of conducting a proper audit in addition to being a CPA. All of the other certifications they specify under the “Audit” category are focused on a particular auditing standard such as CoBIT, ISO 27K or similar and have nothing to do with improving a QSA’s auditing skills or preparing QSAs to become true auditors.

But that brings up an even more interesting question to ponder. Is the PCI SCC going to adopt the AICPA’s Statements on Standards for Attestation Engagements AT-101? This standard is what tells CPAs how to properly conduct audits. AT-101 lays out an extensive list of requirements for conducting an audit from planning, execution, work papers, client representations, report creation, report publication and everything in between.

A number of years ago when I worked at an accounting firm, we were approached by a few clients interested in conducting their PCI assessments to the AT-101 auditing standard. As we investigated what it would take, we and our clients quickly came to the realization that conducting a PCI assessment to AT-101 standards was going to be very costly and time consuming. The reason was that AT-101 has specific and rigorous evidence gathering and sampling requirements that go an exponential level beyond what any QSA does today for a PCI assessment.

With the introduction of BAU into the mix, QSAs are going to have to test compliance with certain requirements over the assessment period. Based on my analysis of v3, I am estimating that there are at least 213 requirements that could have testing over some period of time. As a result, AT-101 auditing standards could easily be applied to those requirements. Such an application would lend much more credence to a PCI assessment and better prove that organizations are complying with the PCI DSS.

Most departments in organizations have never been through an actual audit other than possibly their finance and accounting areas. As a result, the rigor involved with an audit will be a very new and frustrating experience for IT and the other areas involved with PCI compliance. If you think the PCI assessment process is annoying and painful now, wait until you see what you have to look forward to in the future if this is where I would bet the Council is headed.

Regardless, the PCI haters will really have something to complain about if this comes to pass.

My recommendation? Move as quickly as possible to reduce your PCI scope now.

18
Jun
15

What Drives Your QSA

David Froud has a great blog post out on LinkedIn titled ‘Why All QSAs Must Lie’. While the title is a bit misleading, it explains a lot as to why your QSA (accountant, auditor, etc.) act the way they do.

David provides some good things to keep in mind when you are wondering why your advisors are acting the way they do.

01
Jun
15

Supplemental Validation Procedures Coming

In the April 2015 Assessor Newsletter (received just last week) from the PCI SSC was the following announcement.

Coming Soon – Supplemental Validation procedures for Designated Entities

The analysis of PCI DSS compliance trends as well as the recent data breaches involving cardholder data has revealed that many organizations continue to view PCI DSS compliance as a periodic exercise only, and fail to implement processes to ensure that their PCI DSS controls are continuously enforced. This approach has been shown to result in a lapse in security controls between validation assessments. Organizations must remember that security is an ongoing process that must be incorporated into an entity’s overall strategy and PCI DSS security controls must be maintained on a continual basis.

In response to these trends, the PCI SSC is planning to issue additional validation procedures that are designed to help organizations illustrate how they are maintaining PCI DSS security controls on an ongoing basis. These supplemental validation procedures are due to be published in the upcoming weeks, along with guidance for understanding how and to whom these procedures may apply. Stay tuned!

Could it be that business as usual (BAU) is coming before v4 of the PCI DSS is released?

Who are these “designated entities”?

As the newsletter says, “Stay Tuned!”

UPDATE: On Friday, June 5, the Council issued the ‘PCI DSS Designated Entities Supplemental Validation’ standard. It can be downloaded from the Council’s Web site.  The document gives the following as examples where these supplemental procedures apply as entities that: (1) store, process, and/or transmit large volumes of cardholder data, (2) provide aggregation points for cardholder data, (3) have suffered significant or repeated breaches of cardholder data, or (4) anyone the card brands determine should go through this process.




June 2015
M T W T F S S
1234567
891011121314
15161718192021
22232425262728
2930  

Months