Oops, by Victoria-Ann

The QSA community at large received the May edition of the Assessor Update from the Council on Friday. In it, Troy Leach gives us hints on which requirements assessors are messing up the most. Keep in mind that he is speaking from what the Quality Assurance process sees in submitted Reports on Compliance, not from watching assessors conduct assessments. I make this distinction because your assessor COULD be evaluating the criteria mentioned and simply not documenting that work properly in the ROC.

Here ya go, here's the top 8 (from the May 2009 Assessor Update), copied right from the update:

  • Requirement 2.2.4 – “For a sample of components…”, often there is no sampling defined or components listed
  • Requirement 3.2 – Few if any of the bulleted items in subrequirements of system components are addressed
  • Requirement 4.1.a – The 4-7 bullets of evidence are often neglected
  • Requirement 5.2 – Automatic updates and periodic scans of the anti-virus solutions are not addressed
  • Requirement 6.3.6 – The requirement to demonstrate custom accounts are removed before system is released is often not documented
  • Requirement 11.2.a – QSA only documents the external ASV scan and internal scans are not addressed
  • Requirement 11.3 – There is seldom documentation that a penetration testing process is in place
  • Requirement 11.4.b – There is seldom documentation that the QSA reviewed the IDS/IPS to verify the solution alerts personnel of suspected compromises

Some of these seem to expand beyond the scope of what the requirement is actually asking for (such as 11.3, unless I misunderstand what he is saying), but others are glaring examples of the gloss-over effect that an assessor can fall victim to when the assessment is not thorough. Of course all companies have A/V, right?

This post originally appeared on BrandenWilliams.com.