At SOURCE Boston this morning, two experienced hands at PCI compliance -- Michelle Klinger, senior consultant at EMC Corp. (@diami03), and Martin Fisher, director of information security at WellStar Health System (@armorguy) -- offered a roadmap for making the best of a PCI audit.
Klinger offered the perspective of the QSA, explaining what's important to her when embarking on an assessment. Fisher offered the perspective of a CISO who can either cooperate with the QSA or be a jerk. Obviously, he advised against the latter strategy, though he also cautioned against giving the QSA too much control.
As for the things a QSA needs going in, Klinger emphasized:
--Establishing a relationship with the leadership team she'll be working with.
--Documentation preparation: Having as much documentation available up front as possible, and identifying appropriate resources.
She suggested CISOs choose their QSA very carefully and, once chosen, deal with them honestly. Don't be a jerk, she warned.
Adding to that point, Fisher noted that if you're a jerk about it -- dumping a bunch of ragtag documents in front of the QSA without context, for example -- chances are that you'll make the QSA angry and make it all the more tempting for them to engage in a fishing expedition. Choosing the QSA carefully and starting off on the right foot is of vital importance, he said. From there, he said, "Go slow and don't be a (expletive)."
On the point of honesty, Fisher warned, "Whatever you do, don't lie. You will find yourself on the receiving end of a fishing expedition and your credibility will be destroyed."
During an audit, Klinger advised CISOs against trying to strong-arm the QSA. It is better to keep the QSA focused in a positive manner and to be as honest as possible, she said, adding that the following will waste the QSA's time and make the process needlessly difficult:
--People ditching meetings
--Attempts to mislead the QSA
--A lack of managerial support for the process
"One of my greatest experiences was showing up on site for an assessment and having the CISO stand up at the first meeting and telling his staff to be as open as possible."
On the other side of the coin, Fisher noted that some QSAs will try to run roughshod over staff and be needlessly aggressive. He mentioned having to shut down a conversation where the QSA was asking questions about systems that were not related to PCI. "As a CISO, you have to keep the QSA focused. If you allow the QSA to be in charge, you'll be looking for a new gig. They need boundaries." Of course, he added, choosing a QSA carefully from the outset can avoid those scenarios.
After the audit, Klinger said a good QSA will give a wrap-up of the high-level findings and get outstanding questions answered in a timely fashion, though it's inevitable that there will still be lingering loose ends. Fisher warned that a company dragging its feet on delivering outstanding items is a bad strategy.
Said Klinger: "Prompt delivery of follow-up documentation is very important, but so is maintaining an open line of communication. Keeping the QSA apprised of your progress will allow the QSA to plan his/her time accordingly."
If an assessment uncovers dirty laundry, Fisher's advice is to "man up" and deal with it. "This is your job. This needs to be your priority as it's going on."
When the report comes back, Fisher said the CISO needs to put the findings in context, define where the organization must go from there, and check over the report for accuracy.
"Nobody gets a report that says 'everything is fine,'" Fisher added. "You have to take the assessment, figure out where the gaps are and make a plan to address it."