In the aftermath of the last 12 months of payment card breaches, the PCI Security Council has announced new guidance addressing compliance practices they call “Business As Usual (BAU).”
As outlined, this program focuses on stressing the following:
– Increased Education and Awareness
– Greater Flexibility
– Make Security a Shared Responsibility
From a technical perspective, the program focuses on:
– Monitoring security control operations
– Detecting and respond to security control failures
– Understanding how changes in the organization affect security controls
– Conducting periodic security control assessments, as well as identifying and responding to vulnerabilities
Free eBook: Modern Retail Security Risk – Get your copy now.
Unfortunately, there is not much information on how to implement a program to manage the “Business As Usual” Approach or how to enforce and monitor it.
CompliancePoint has been evangelizing the “Continuous Compliance and Assurance Program” as a way to address the shortcomings of Point in Time Assessments (PITA) and ensure that organizations are maintaining compliance and a strong security posture throughout the year.
Over the last 8 years of delivering PCI DSS assessments to customers, the same question keeps coming up, “Once I get compliant with PCI DSS, how do I stay compliant?” The challenge is that organizations are dynamic, and change occurs constantly. These changes can significantly affect compliance levels or even introduce critical vulnerabilities into the organization and infrastructures.
To address this issue, an organization must adopt a program/process that assigns, monitors, escalates and reports the mandatory compliance and security tasks/events that need to be performed regularly at various intervals throughout the year. Failure to perform these tasks not only can put the organization in a non-compliant status but could result in a breach situation.
The program must combine assessment and validation services with a software into a single solution that will automate the workflow of assigning mandatory tasks, monitor that the tasks are being completed on time, and provide an escalation process. In addition, the technology should provide real-time visibility into the customer’s compliance and security levels.
The other aspect of “Business as Usual” is making security a shared responsibility. Without a program in place that promotes delegation and monitoring of responsibilities of the compliance/security controls within the PCI Standard and pushes the required tasks down to the asset owners, the compliance officers have no control on whether these task are being completed or if they are being completed according to the standard. Defining ownership and assigning control responsibility are critical steps. Almost as critical is the process of defining the control methodologies or how controls are implemented. This information is important on the automation of tasks and as documentation for the auditor.
I am very encouraged that the PCI Security Council is recognizing that there is a critical need to implement a process or program (such as the Continuous Compliance and Assurance program) to ensure the PCI Compliance controls are being managed and monitored on an ongoing basis. This is the only way to ensure a secure and compliant environment. If this year has taught us anything, it is the PCI DSS compliance is a lot more than a check box.
By Jeff Brown, Director of Business Development, CompliancePoint
Bio: Jeff Brown is the Director of Business Development at CompliancePoint, a leader in information risk management and Industry and Regulatory Compliance such as PCI and HIPAA. CompliancePoint helps clients safeguard information assets and ensure regulatory compliance. The company provides third party assessments and develops enterprise security policy and programs based on ISO-27001 Information Security framework and regulatory requirements of HIPAA, SSAE 16, Payment Card Industry(PCI) DSS 2.0, PCI PA-DSS and NERC CIP.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.