Doesn’t make much sense, right?
I watch, and participate with, organizations trying to push ropes forward, and I watch cats scurrying all over the place as one or three people chase the cats in an effort to herd them into one direction toward a common goal.
It’s hard enough to reach a common goal where disparate groups are actually striving to achieve the same thing, but then throw into this mix an added complexity when the groups are trying to achieve totally different objectives. Now, add the complexity of integrating all the “pieces and parts” of the Cardholder Data Environment (CDE) in a properly scoped Payment Card Industry (PCI) assessment and you have a real challenge on your hands! The scope of a PCI assessment must include:
Here are 3 essential tips to avoid the “herding cat syndrome” and ensure a successful PCI assessment for your business:
1. Communicate from the top down.
Make sure you clearly communicate that achieving PCI compliance is important to the organization and MUST be prioritized, achieved, and sustained. When an individual attempts this without top management support, the effort is ineffective and extremely difficult to complete.
2. Appoint one person to facilitate.
This person should drive this effort through the organization and must have enough authority both to keep the assessment a high priority for the teams involved and to drive the operational process changes needed to ensure compliance is met and sustained.
3. Be clear about expectations.
Ensure that each team responsible for the various sections of the Payment Card Industry Data Security Standard (PCI DSS) requirements understands:
- Why PCI compliance is important to the organization,
- The PCI requirements they are responsible for maintaining, and
- How their team ensures compliance with those requirements, not just at assessment time, but throughout the year.
I am a PCI assessor and trusted advisor; however, I come from an operations-focused, Information Technology Infrastructure Library (ITIL) background where I was accountable for helping an organization to achieve compliance with various certifications, laws, regulations, customer requirements, business requirements, and so forth. In this role, I always strove to make assessments easier on my organization. I made sure the assessments took less of our people’s time and kept the assessment cost down, but still offered a true view of our risk as an organization. Most importantly, I always strove to avoid the 5 p.m. nightly news headline that contained the words “breach,” “sensitive data,” and “<insert your company name here>.”
Your organization has two choices. You can herd cats, push ropes, and wait until the Qualified Security Assessor (QSA) arrives onsite to ask what they need. Or, with top-down support, you can make this a priority, appoint the appropriate facilitator for the effort, ensure your teams are prepared, and have everything ready when your QSA arrives.
For your next PCI assessment, will your company’s PCI assessors be sitting idly in your conference room charging you an hourly rate while your people gather data, or will they be sitting in your conference room assessing the evidence presented immediately upon arrival?