Good PCI DSS, Bad Infosec Foundation
You may also find that QSAs do not understand your environment thoroughly enough to make an accurate compliance call. More executives are telling me their recent QSAs struggle when assessing complex technology implementations.
QSA work isn’t sexy like it used to be. Back in the day, my favorite projects involved helping companies rebuild their network to include security to close PCI DSS gaps. I solved complex problems involving hundreds of people, thousands of machines, and millions of dollars. It was taxing on my brain, but I absolutely loved the challenge!
Solving PCI problems five years ago required considerable knowledge of how business processes and technology fit together. Most companies facing PCI DSS today are not first timers. As the saying goes, “This ain’t their first rodeo.” The crop of folks that solved those PCI problems has moved on to other big issues like healthcare information security, cloud, or mobile computing. The new crop of QSAs is at a tremendous disadvantage because they have significant pressure to deliver engagements in less time. QSAs don’t have time to learn what virtualization, for example, actually entails; instead, they look to the Council to tell them what to do about virtualization. This puts more pressure on the company being assessed to get things right instead of allowing QSAs the time they need to really do the thorough job that I personally think needs to be done.
Your QSA may never have administered a server, configured a firewall, managed a Wide Area Network (WAN), or developed applications. This is a different kind of FNG problem than the newly minted QSA, as you could have a QSA with a year’s experience under his belt but no real working knowledge of the technologies he is assessing in your environment. This is why vetting your QSA up front is so vitally important to a good assessment and a good assessment experience.
Combating the FNG Curse
I may sound like your parents when I say “you will get out of this experience what you put into it.”
The easiest way to deal with the FNG is to be prepared! If you have done a pre-assessment and organized your entire project from start to finish, you can guide your QSA through the assessment process in a way that ensures you don’t waste your time and the QSA gets what he needs in order to complete the assessment. You cannot rely on the QSA for everything; you have to invest your own time to fully understand your environment and how payment cards are handled throughout your entire organization. Doing this will make you an MVP at your company, as there are probably few (if any) co-workers who can articulate data and process flows, much less call themselves experts in the environment.
Like the Boy Scouts of America, be prepared. If you are, this sin will not be a factor.