Auditor Tips: PCI DSS Responsibilities and Challenges


Jen Stone
This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.

In my experience, small merchants and service providers tend to struggle with documenting and following policies and procedures. During a PCI DSS assessment, a QSA will verify that required policies and procedures are in place and being followed.

Smaller merchants and service providers whose CDE consists of only a few machines often feel that they don’t have time to document procedures. Unfortunately, it’s not uncommon to perform a renewal assessment where the business neglected to maintain compliance due to employee turnover and lack of documentation.

At a minimum, small merchants should set up a dedicated PCI email user or Active Directory account and add reminders in their calendar to perform security processes throughout the year (e.g., quarterly vulnerability assessment scans, semi-annual firewall reviews). The evidence collected from these tasks can then be sent to that PCI account for storage. This is a low-cost solution that helps key personnel keep PCI DSS compliance on their minds throughout the year. It also helps collect the evidence needed for their annual self-assessment (or to provide to their assessor).
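As an added example (not part of the original article), the following script turns that calendar-and-mailbox routine into a check: given the dates on which evidence for each recurring task was filed, it reports which tasks are missing, overdue or due soon, and counts periods that were skipped in the past (the gap that typically surfaces at a renewal assessment). The task list and the 90-day/180-day intervals are assumptions chosen to match the quarterly and semi-annual tasks mentioned above; the evidence log is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Recurring evidence tasks named in the article. Intervals are assumptions:
# "quarterly" is treated as at most 90 days apart, "semi-annual" as 180.
@dataclass(frozen=True)
class RecurringTask:
    name: str
    max_interval_days: int

TASKS = (
    RecurringTask("quarterly vulnerability scan", 90),
    RecurringTask("semi-annual firewall rule review", 180),
)

def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d

def evidence_status(task, completions, today, warn_days=14):
    """Return 'missing', 'overdue', 'due-soon' or 'ok' for one task.

    completions: dates on which evidence was filed (e.g. the dates of the
    e-mails sent to the PCI mailbox). Only the most recent one decides.
    """
    if not completions:
        return "missing"
    due = max(completions) + timedelta(days=task.max_interval_days)
    if today > due:
        return "overdue"
    if today + timedelta(days=warn_days) >= due:
        return "due-soon"
    return "ok"

def skipped_periods(task, completions):
    """Count historical gaps between consecutive completions that exceeded
    the task interval, i.e. periods with no evidence at all."""
    dates = sorted(completions)
    gaps = (b - a for a, b in zip(dates, dates[1:]))
    return sum(1 for g in gaps if g.days > task.max_interval_days)

def compliance_gaps(evidence_log, today):
    """Map each task name to (current status, number of skipped periods)."""
    today = _as_date(today)
    return {
        t.name: (evidence_status(t, evidence_log.get(t.name, []), today),
                 skipped_periods(t, evidence_log.get(t.name, [])))
        for t in TASKS
    }

# Constructed sample evidence log, not real assessment data.
SAMPLE_LOG = {
    "quarterly vulnerability scan": [date(2023, 10, 2), date(2024, 4, 10)],
    # no firewall review evidence has ever been filed
}

if __name__ == "__main__":
    for name, (status, skipped) in compliance_gaps(SAMPLE_LOG, "2024-07-01").items():
        print(f"{name}: {status}, skipped periods: {skipped}")
```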

Large enterprise organizations usually document their policies and procedures sufficiently. They generally have very specific and thorough change control processes, and they typically follow documented approval processes prior to implementing changes to their CDE. Unfortunately, due to their size and the different entities involved in their CDE management, the reaction time tends to be much slower, with different stakeholders often making contradictory decisions. When vulnerability scans or penetration tests identify weaknesses that may place their CDE at risk, it’s not always apparent which group should be responsible for addressing these vulnerabilities.

To help address some of these concerns, Requirement 12 details how service providers need to define a charter for the organization’s compliance program that involves executive management. While this is only required of service providers, larger merchants are advised to follow this requirement as well.

Large organizations and service providers should establish an official PCI charter that describes the management and accountability of the organization’s compliance program. Additionally, they should implement internal audit procedures to ensure security practices are properly in place throughout the year.

PCI compliance cannot just be an annual audit event.

Often, organizations are not leveraging many of the PCI requirements in a way that actually increases security for their CDE.


For instance, PCI requires log centralization and daily log reviews. PCI also requires change detection, or file integrity monitoring (FIM), on CDE systems to detect unauthorized changes to key files and directories. To achieve compliance, organizations might set up log monitoring and FIM but then ignore every alert that comes their way. They may technically have FIM and log monitoring in place, but these systems alone do not make their environments more secure when the time and effort needed to investigate and respond to genuine alerts are not spent.

As you implement your cybersecurity program, make sure you understand why a security control is required so you can structure tools and processes around the protection each control offers.
