In an interview last month, Heartland Payment Systems CEO Robert Carr lashed out against qualified security assessors (QSAs) who audited his company for PCI security compliance, claiming they missed key network holes that ultimately enabled a massive data security breach. Readers hit back, slamming Carr for not owning up to problems rampant in his IT security operation - for one example, read One Man's View: Heartland CEO Must Accept Responsibility.
In response to the response, we polled security experts who have performed and received assessments in an effort to create a brief checklist for getting the company-QSA relationship off to the best possible start. Here are four key suggestions:
1. Choose your vendor wisely
One common problem is that the QSA is chosen too hastily because the company wants to get the process over with as quickly as possible. The result is that the company hires an assessor that isn't as well versed in the issues unique to their environment.
Mark Allison, vice president of information security at Global Cash Access, said companies must conduct a thorough vetting of all QSA providers to ensure whoever is chosen specialises in the problems most common in their particular industry.
"Ensure the vendor has SMEs that meet your needs and don't be alarmed if some vendors subcontract with other qualified entities to build a comprehensive response," he said. "Like you, professionals leverage their strengths and shore up limitations by hiring expertise. Do your homework and assess the credentials of all vendors and participants and understand how blending their efforts into a comprehensive plan can lead to successful execution."
2. Lay the groundwork
One thing that's certain to get a company's security assessment off to a bad start is a lack of planning, Allison said. Therefore, he recommends starting with a self-assessment. That way, the company has a pretty good idea of where the weak points are before the QSA arrives. On day 1, security administrators should brief the QSA on everything they know up to that point. That way, the QSA can sharpen his/her focus on particular problem areas and come up with a more productive action list.
"Obtain the latest self-assessment questionnaire from the PCI DSS website," Allison said. "And remember that anything less than complete candor will impede your assessor's ability to complete their work efficiently and effectively."
3. Give the QSA access to key players
Another thing that can cripple the assessment process is that the company tries to limit the QSA's exposure to as few people as possible. This might be because management doesn't want the QSA getting poor direction from employees who don't necessarily have a full grasp on things. But it's always better to give the QSA access to all the key players, said Daniel Wallace, a consultant and information security project manager. Wallace recently wrote a comprehensive post on the subject in the Information Security Resources blog.
QSAs will often conduct multiple interviews with key managers to make absolutely certain that every aspect of the operation has been studied to the fullest extent possible. Before the QSA arrives, the company should make a list of people who can do initial interviews. Scheduling appointments for the QSA from the get-go will speed the process along in the long run. One thing that can drag out the process is when key players break or forget their interview appointments, Wallace said.
4. Don't treat the QSA like an enemy
Another common problem, especially from the perspective of QSAs approached for this article, is that the assessors are often treated like an approaching rattlesnake by the company they're there to review. This too is a recipe for failure and should be avoided at all costs.
"There is no room for egos," Allison said. "The assessor will find weaknesses. Get over it and learn from it."
Ed Moyle, founding partner at Security Curve and former vice president of information security at Merrill Lynch, has experienced the good and bad aspects of the assessment process from both sides and agrees with these observations. He acknowledged that assessments aren't always as thorough as they should be and the blame usually belongs with both the company and the QSA.
He noted that pressure is high for the QSA as well as the company, and pressure can lead to mistakes.
"The customer is paying you and wants to be found compliant," he said. "You also have large complicated environments with many moving parts and there's plenty of opportunity to overlook things."
That said, Moyle noted that the more information and access the QSA has, the better the chance of a thorough, successful audit that can prevent a data breach further down the line.
"The company environment may be tremendously complex, with hundreds of locations throughout the country or the world and any one place can have weaknesses," he said. "If you have multiple lines of business and you don't tell the QSA about all of them, the QSA isn't going to know to look in those areas and something is going to be missed. That's not the QSA's fault."