
Oops, by Victoria-Ann
The QSA community at large received the May edition of the assessor update from the council on Friday. In it, Troy Leach gives us hints on which requirements assessors are messing up the most. Keep in mind, he is speaking from the perspective of the Quality Assurance process, not from watching assessors conduct assessments. The reason I make this distinction is that your assessor COULD be evaluating the criteria mentioned and simply not documenting it properly in the ROC.
Here ya go, here’s the top 8 (from the May 2009 Assessor Update) copied right from the update.
- Requirement 2.2.4 – “For a sample of components…”, often there is no sampling defined or components listed
- Requirement 3.2 – Few if any of the bulleted items in subrequirements of system components are addressed
- Requirement 4.1.a – The 4-7 bullets of evidence are often neglected
- Requirement 5.2 – Automatic updates and periodic scans of the anti-virus solutions are not addressed
- Requirement 6.3.6 – The requirement to demonstrate custom accounts are removed before system is released is often not documented
- Requirement 11.2.a – QSA only documents the external ASV scan and internal scans are not addressed
- Requirement 11.3 – There is seldom documentation that the process of penetration test is in place.
- Requirement 11.4.b – There is seldom documentation that the QSA reviewed the IDS/IPS to verify the solution alerts personnel of suspected compromises
While some of these seem to expand beyond the scope of what the requirement is asking for (such as 11.3, unless I misunderstand what he is saying), some of them are glaring examples of the gloss-over effect that an assessor can fall victim to if they do not do a thorough assessment. Of course all companies have A/V, right?