In the aftermath of the last 12 months of payment card breaches, the PCI Security Council has announced new guidance addressing compliance practices they call “Business As Usual (BAU)”.
As outlined, this program focuses on stressing the following:
From a technical perspective the program focuses on:
· Monitoring security control operations
· Detecting and respond to security control failures
· Understanding how changes in the organization affect security controls
· Conducting periodic security control assessments, and identify and respond to vulnerabilities
Unfortunately, there is not much information on how to implement a program to manage the “Business As Usual” Approach or how to enforce and monitor it.
CompliancePoint has been evangelizing the “Continuous Compliance and Assurance Program” as a way to address the shortcomings of Point in Time Assessments (PITA) and ensure that organizations are maintaining compliance and a strong security posture throughout the year.
Over the last 8 years of delivering PCI DSS assessments to customers, the same question keeps coming up, “Once I get compliant with PCI DSS, how do I stay compliant?” The challenge is that organizations are dynamic and change occurs constantly. These changes can significantly impact compliance levels or even introduce critical vulnerabilities into the organization and infrastructures.
To address this issue, an organization must adopt a program/process that assigns, monitors, escalates and reports the mandatory compliance and security tasks/events that need to be performed regularly at various intervals throughout the year. Failure to perform these tasks not only can put the organization in a non-compliant status but could result in a breach situation.
The program must combine assessment and validation services with a software into a single solution that will automate the workflow of assigning mandatory tasks, monitor that the tasks are being completed on time and provide an escalation process. In addition, the technology should provide real-time visibility into the customer’s compliance and security levels.
The other aspect of “Business as Usual” is making security a shared responsibility. Without a program in place that promotes delegation and monitoring of responsibilities of the compliance/security controls within the PCI Standard and pushes the required tasks down to the asset owners, the compliance officers have no control on whether these task are being completed or if they are being completed according to the standard. Defining ownership and assigning control responsibility is a critical step. Almost as critical, is the process to define the control methodologies or how controls are implemented. This information is important on the automation of tasks and as documentation for the auditor.
I am very encouraged that the PCI Security Council is recognizing that there is a critical need to implement a process or program (such as the Continuous Compliance and Assurance program) to ensure the PCI Compliance controls are being managed and monitored on an ongoing basis and this is the only way to ensure a secure and compliant environment. If this year has taught us anything, it is the PCI DSS compliance is a lot more than a check box.