This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting.

Troop Inspection (Explored), by pasukaru76

It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people ((Meaning me.)) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods—no questions asked. While Iron Mountain has a stellar reputation and accepting that sighting as evidence would be a fairly safe bet for a QSA, it’s not necessarily the right thing to do.

Most of us have complex environments, and companies are putting more emphasis on the QSA’s assessment than they probably should, because it’s easier to justify dollars for a PCI assessment than for a security assessment. So if the QSA does not discover that nagging hole in the environment, it may go undetected and lead to a breach (which may include your PCI data). It has happened before, and we are setting ourselves up to let it keep happening.

In order to fully assess or audit any technology against some pre-determined list of requirements, the assessor or auditor should have some kind of working knowledge of the technology to give an accurate result. I’m not sure how someone could assess a private cloud environment for compliance with anything without understanding private clouds. Ex-administrators have a huge advantage when it comes to security as they tend to know more about how the environment operates than someone who only lived in the audit world ((This is not a knock against auditors, just a statement of reality. There are always exceptions.)).

The human brain is a powerful piece of bio-engineered machinery. It can convince itself (and even others like it) that the absence of an incident is the same thing as an absence of a threat or vulnerability. Without good inspection, vulnerabilities will go undetected and the risk calculations start to swing the results unfavorably over time.
