Tag Archives: Seven Deadly Sins of a QSA

PCI Council Revokes QSA Status (Finally?)

You readers know that I used to run one of the larger QSAs, and I took pride in the team we built, the work we did, and what our customers said about our experience. Yes, we actually had customers tell us that they LIKED their QSA. How rare is that today? Since getting out of that business, I have spent quite a bit of time helping my customers operate more securely, and in conjunction with that, comply with various standards like PCI DSS. The only time I’ve heard more colorful language describing someone is when my wife screams at the TV during football. BARELY more colorful. Earlier this month, the PCI SSC announced they were revoking the QSA and PA-QSA ...


Herding Cats February and March

Have you checked out ISSA Connect yet? The next issue is up there with my column, The New Network Security Paradigm! You can also see the column from last month, Alice, Bob, and Chuck, paying homage to the RSA Conference’s 20th anniversary! I also published a more corporate-friendly version of The Seven Deadly Sins of a QSA (the too-hot-for-TV version is here). This month’s column discusses the changing IT paradigm corporations must support as consumer-marketed technology becomes a bigger player in the corporate world. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are ...


Seven Deadly Sins of a QSA (THE END)

QSAs are human, and humans make mistakes. Over the last several posts we have discussed seven deadly sins committed by QSAs, shown examples of what those mistakes look like, and given you guidance for how to avoid them or navigate your way through them if you find yourself in the middle of one. If you must comply with PCI DSS, one of the best investments you can make in your people is to put them through the same training QSAs go through and have them certified as Internal Security Assessors (ISAs). This way, you will have an additional check to know if a QSA is making one of these (or other) mistakes and have a chance at catching them before ...


Seven Deadly Sins of a QSA (Part 16)

Sin #7 – Bowing to Threats about the Future

Remember when we discussed consulting being a people business? The last sin we will cover is actually one that can be committed by either party. Maybe more accurately, committed by the QSA, but enabled by the assessee. QSAs sometimes give in to someone who says, “If you don’t mark this as compliant, I am giving my business to someone else.” I’m not talking about a contract issue or some other incidental dispute during the assessment, I’m referring to the rigor of the assessor being used as a bargaining chip.

It’s My Way or the Highway

As an assessor, I’ve been threatened like this multiple times over my career. Having someone in ...


Seven Deadly Sins of a QSA (Part 15), Be My Valentine?

Sin #6 – Q/A Tunnel Vision

The Quality Assurance (Q/A) program is in full swing at the PCI Security Standards Council. After companies started taking PCI DSS seriously and retaining QSAs, merchants and service providers realized that not every QSA interpreted requirements the same. One of the biggest complaints about the QSA community is variance in interpretation on key items that could impact the cost of compliance—positive or negative. The Q/A program was announced at the 2008 PCI Community Meeting (if you are a stakeholder in PCI DSS and are not going to these meetings, you are missing out) and began to take effect shortly thereafter. QSAs were put on the remediation list as early as 2009.

Myopic Assessment Views

The ...


Seven Deadly Sins of a QSA (Part 14)

Good PCI DSS, Bad Infosec Foundation

You may also find that QSAs do not understand your environment thoroughly enough to make an accurate compliance call. More executives are telling me their recent QSAs struggle when assessing complex technology implementations. QSA work isn’t sexy like it used to be. Back in the day, my favorite projects involved helping companies rebuild their network to include security to close PCI DSS gaps. I solved complex problems involving hundreds of people, thousands of machines, and millions of dollars. It was taxing on my brain, but I absolutely loved the challenge! Solving PCI problems five years ago required considerable knowledge of how business processes and technology fit together. Most companies facing PCI DSS today are ...


Seven Deadly Sins of a QSA (Part 13)

Sin #5 – The FNG

The Flipping New Guy (FNG) causes havoc wherever he goes. He also goes by the Pimply-Faced Youth (PFY) in some circles, and is often labeled as having the talent to tame a lion, but the experience to raise a hamster. He’s the guy that just went to new QSA training, passed his test, and showed up to do some good, old-fashioned assessing!

Three Days of Ground School

One summer, well after I became a QSA, I earned my private pilot certificate. If you ask my wife, she will tell you she remembers me babbling all of these fantastic (my word, not hers) bits of knowledge that I was learning every day, and passing the time in ...


Seven Deadly Sins of a QSA (Part 12)

How to Avoid the Buddied-Up QSA

If you are lucky enough to have one, it’s hard to avoid his impact. It could get even worse if the guy is also drunk with executive-sponsored power. When I was a buddied-up QSA, I told those managers to get a meeting together with the executive and discuss the technical and business constraints they faced. I also instructed them to make sure they do their homework. Don’t whine, and don’t focus on why you shouldn’t meet her standard. Bring everything to the table that is required to meet the executive’s directive. This should include any capital expenditures like hardware, software, and costs of people time, as well as soft costs such as lost productivity, ...


Seven Deadly Sins of a QSA (Part 11)

Sin #4 – Buddying Up with an Executive

Consulting is a people business. People buy knowledge, skills, and services delivered by other people. Unlike a product business, you can’t guarantee that each unit is exactly the same, even from the same person. And also unlike a product business, the consultant interfaces on a human level with various members of the executive staff. Strange things can happen when QSAs buddy up with executives. Let’s explore a situation near and dear to me.

My Standard > PCI DSS

Executives act differently after someone suspects a security breach has happened on their watch. All of a sudden, they get religious and grow a tiny, beating security heart inside their otherwise empty chest. This ...


Seven Deadly Sins of a QSA (Part 10)

How to Deal with a Power-Drunk QSA

Above all, remember that he’s just a guy. He’s trying to do his job, just like you are trying to do yours. If you allow the situation to heat up, everyone will suffer. Play the game, work with the guy a little bit. Listen to what he has to say. Ask for suggestions on how you might meet the requirement in his eyes (you may have to enable him further to defuse the situation). Overall, he’s probably not a bad guy. Maybe he’s having a bad day and taking it out on you in an unprofessional manner, but that’s a bump in the road that can be overlooked. The first step is to remember ...
