Dark Reading is part of the Informa Tech Division of Informa PLC

7/18/2012
A Common-Sense Secret For Cheaper PCI Audits

Pre-audit logistics prep can go a long way toward saving on PCI assessment costs

There are plenty of legitimate reasons why PCI compliance efforts can cost an enterprise a bundle. Legacy systems may need to be rearchitected, new technologies have to be purchased, and improved business processes must be implemented. Those types of activities take capital, but they often offer ROI in terms of improved security.

But there's one PCI expense that's guaranteed to offer zero return: disorganization. Most Qualified Security Assessors (QSAs) will tell you that one of the biggest ways PCI-regulated companies waste their money is through poor logistical planning prior to the audit itself.

"Time is money, and if I have to extend the audit by four more days because I spend half my time sitting around while the company is scrambling, that can cost a lot of money," says Court Little, director of strategic security at Solutionary.

A company can bungle pre-audit logistics in many ways. Sometimes the organization fails to gather its documentation in advance. Other times a manager forgets that a key person the assessor needs to interview will be away at a conference or on vacation during the scheduled audit. Some managers realize on the day of the audit that they need to clear access to resources or interviewees through legal, which can be a time-consuming process. And still other times, the organization fails to provision guest credentials for the IT resources the assessor needs in order to validate the company's claims. The problem is compounded when any combination of these oversights occurs during the same audit.

Each of these offenses drastically increases the length of time the QSA spends on the audit, and could affect that auditor's perception of your PCI readiness, increasing the chances of an initial fail and future mitigation work to get into compliance. If an enterprise can't even get the required people and documents together to satisfy the auditor, then what does that say about its ability to secure cardholder data?

According to Little, these procedural hang-ups can be easily avoided with a little communication with the QSA prior to the audit and a lot of homework before that auditor hits your doorstep.

"Whether they're veterans of PCI or not, they should definitely request a list from their QSA of everything that they need to have ready for them when the audit begins," he says. "If the company can organize and know exactly what the auditor is going to need and who they're going to need to talk to, that will greatly increase the efficiency of an audit."

More than likely, the No. 1 item on that list will be meticulous documentation of policies and procedures. According to Bob Gaines, every kind of auditor, whether a PCI QSA or not, cites lack of documentation as the biggest pet peeve during the audit process.

"The biggest pet peeve they'll have is that the company had all of its policies, but it is stuck in Ed's head somewhere in the finance department or wherever," says Gaines, security and compliance manager for All Covered. "The policy isn't written down anywhere."

So companies need to think several steps ahead, preparing for the audit by keeping gradual and meticulous records throughout the year to avoid the eleventh-hour scramble to re-create documentation before the QSA's arrival. But documentation isn't all you'll be asked for. Little says organizations are also usually unprepared for the interview process required by PCI assessments. He has seen many companies waste everybody's time by making bad assumptions about who the auditor will need to talk to because they've failed to talk to that QSA in advance.

"We literally have meetings where they schedule 10 to 15 people in a room and I don't need all those people there. I just need two people," he says, explaining that a simple preflight checklist could avoid such excess. "The QSA shouldn't come in blind -- the people should be prepared before the audit. If you can do a lot of that logistics work leading up to it, it becomes a well-oiled audit versus just a grab bag of activity where either the client brings nobody to answer questions and the QSA has to fetch everybody, or they bring everybody and they waste everybody's time."
