QSAs have to walk a very fine line with customers. Especially those that are coming back for years two and three on a multi-year contract.
I’ve seen it happen to other companies, and it’s happened to me. The conversation goes something like this:
Me: OK, now that we are on logging, please provide me with the logs you pulled from X server in Y environment.
Them: Here you go.
Me: This is exactly what we need, but I need a set pulled from recent data, not the ones we looked at last year.
Them: But you looked at it last year! I’ll give you access to our change control system and you can see nothing changed on that box.
Me: Hrm…. yeah, still going to need to see updated logs.
Them: WHO IS YOUR SUPERVISOR! I’m escalating on you because you are slowing this down! I thought this was supposed to be easier after the first year! ARGH!
Me: . . . . . .
I bet many of you QSAs can back me up on an interview that went something like this over their careers. It’s not surprising that you get the pushback that you do from the customer, but it sure does get a little old after a while. They don’t understand the liability you face by performing their assessments, nor do they care (in most cases).
I’m reminded of a phrase that Reagan made popular during his presidency, “Trust, but Verify.” In these situations, QSAs must trust that their customer has the best intentions (until proven otherwise), but still verify that they are doing the things they need to be doing as part of the responsibility of performing an assessment. Blindly accepting a customer’s statement is foolish and will ultimately ruin the relationship between the companies if a breach occurs.
While mid-line managers may not care about the accuracy of an assessment (they just want the pass), executives do.
If they don’t, think hard before signing that contract.
Possibly Related Posts:
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- PCI DSS 4.0 Released plus BOOK DETAILS!
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Improve Outbound Email with SPF, DKIM, and DMARC