Some companies fear the season of audits where routine maintenance and proper procedures may have taken a backseat to current business events. This, however, does not condemn you to a tough auditing process. Following these simple steps will ensure your team can function flawlessly when tasked with the audit process and make compliance come more easily. These steps are focused mainly on training your employees, adhering to periodic control requests, and maintaining your information security infrastructure.
The most important measure of auditing for PCI DSS would be appropriate scoping for your production environment. Have there been any changes? What about major system upgrades? Throughout the year, many individuals say that they will update the system inventory, dataflow and network diagrams when they have a moment and this task is often lost. Maintaining accurate and comprehensive dataflow and network diagrams will ensure that the assessor has a clear picture of the environment they are auditing without the pressure of increasing the scope of systems halfway through the audit. This is heavily linked with the management of a systems inventory. Whether you have on premises, co-located, or cloud based systems, maintaining an inventory of these systems including, but not limited to, servers, network devices, and POI terminals is exceedingly important. An accurate inventory will not only assist you in preventing malicious or fraudulent activity but also allows the assessor to take an appropriate sample set for your environment which creates less hassle during the audit.
A commonly overlooked aspect of annual audits would be the updating and approval of all company policy and procedures. While it is important that technology trends stay current, it is equally as important that the supporting documentation for system configurations, policies, procedures, and change management remain up-to-date with current business practices. The processes and procedures regarding the handling of your production environment will not only assist the assessor in ascertaining the workflow of your company, but will also benefit employees as they are constrained to a standard venue for which to conduct work and manipulate data within your system. Employees that don’t follow appropriate change control procedures or network policies may cause damage to your organization via the leak of information or misconfigurations in security settings. In addition, a yearly review of policies and procedures will ensure that the documents are current with your business practices, business direction, and methods to which you perform transactions.
Knowledge is half the battle when it comes to PCI DSS assessments. Informing your team of the standards and having a common familiarity of the twelve requirement domains will ensure that your team can provide accurate and specific evidence, resulting in a more streamlined assessment process when providing data samples and understanding the scope of engagement. While not encompassing the entirety of all data standards, PCI DSS is a great stepping point to work towards a prodigious information security structure. Lessons learned from the standard may improve your organizations’ security posture and allow your IT or Compliance Departments’ growth into the information security industry. This may lead to increased industry trust within your company and lower risk factors for malicious activity.
Establishing goals for both information security teams and adherence to your information security policy is daunting. Setting expectations of your compliance team even at a micro level will promote that your next audit proceeds smoothly and with as little impact to your production systems as possible. Organization between departments on responsibilities therein will be paramount to having successful audits. The periodic tasks outlined in your information security policy around such requirements as internal and external vulnerability scanning (11.2), quarterly rouge wireless checks (11.1), and six month firewall reviews (1.1.7) should be delegated to appropriate personnel and ensured to be properly in place (12.11)
Key Focus Areas:
In closing, the goal of a PCI DSS audit is to not only prove your adherence to the standards but to allow your organization to enhance their information security stance. Simple steps taken to strengthen your security teams and following the company mandated policies and procedures will result in an easier audit season, thus allowing your teams to get back to business as usual. The organization of documents and observance to them will help prevent accidental disclosures and incidents related to your environment, preventing costly fines or sanctions.
Certified Compliance Experts
Qualified Security Assessors
MegaplanIT Can Be Your Guide Through The PCI Assessment Process
Get In Touch With A MegaplanIT Certified Expert Today