It is tempting to think that once you have achieved PCI DSS compliance you can rest on your laurels. That’s it, finished isn’t it – nothing more to do until this time next year?
I know you have worked very hard on PCI, but I am going to disappoint you here. If you want to KEEP your PCI DSS compliance you have work to do throughout the year. Unless you keep your eye on the PCI ball you could end up with a very expensive compliance project each year. The key to ongoing PCI success is continuity. You’ve got to keep up all that good work.
5 ways to ensure consistent PCI DSS compliance
1. Make someone responsible. Give someone responsibility for ensuring that all changes to business processes or the IT and network take account of your PCI DSS compliance obligations. This person needs to have a say in all areas of the business and all aspects of operations.
Often a business will task a project manager to run a PCI DSS compliance achievement project but when the project is complete the project manager moves on to another project. Nominating an internal PCI DSS manager – your organisation’s PCI conscience – will help to ensure that continuity is not lost.
2. Stay in touch with your QSA. Your PCI DSS Qualified Security Assessor is not only a worthwhile source of information and advice during the audit but throughout the year. They have a wealth of experience that can save you wasted time, effort and considerable expenditure. Your QSA’s advice is invaluable to ensure that you are not undertaking work you don’t need to. At the very least they can give you the peace of mind that they are not going to raise objections next year at the audit.
3. Keep up the vulnerability testing. Most important of all, make sure that you close off those “not so important low level vulnerabilities”. You will need to demonstrate to the QSA at the next audit that you have a good vulnerability management system in place. You can’t do that if you still have a lot of the same vulnerabilities that you had last year – even if they are unimportant low-level ones.
4. Focus on configuration control. Configuration management is essential in making sure that you have the correct versions in the right places. PCI DSS compliance is about keeping control of your network, routers, servers and ancillary devices. Without good and consistent version and configuration control you cannot hope to maintain control over your network and the way in which it works.
5. Make sure patch management and change control go hand in hand. Change control and patch management can cause inconsistency within a network. Systemise your patch management so that it is not a new job every time a new patch comes out. If you make it a continuous process there is less opportunity for overlooking a patch or failing to realise its significance. Patch management must be carried out within a change control framework. Without this framework the network will develop organically and consistent control becomes impossible.
“Variability is the enemy of efficiency.” Denning
Do these 5 things and PCI DSS compliance will be far easier and less expensive to maintain year on year. Reduce variability: consistency is key for PCI success.
Article by Colin Dixon, Ascentor’s lead QSA for PCI DSS.