With just two weeks remaining before the auditors arrive, the entire staff is working feverishly, checklists in hand, to review tests of controls, past audit results, known issues and compliance guidelines. Even the janitorial staff is feeling the crunch from lugging trash bags full of pizza boxes and Chinese takeout cartons to the trash bin every night.
The clock is ticking as the annual ritual of audit preparation, once again, takes a toll on the staff and the budget. At the debriefing, you can’t help but lament the resources poured into the effort. That new software deployment you had planned? Backburnered. The updated security policy rollout? Due for revision, thanks to audit findings. There has to be a better way to stay on top of audit requirements.
For the vast majority of e-tailers, the annual PCI audit ritual has become a part of their corporate culture — they devote every resource toward passing the audit, only to return to business as usual once it’s all over. The inefficiency of the whole process is staggering: the procrastination and scrambling inevitably lead to mistakes, unnecessary stress and wasted energy.
Yet even if you pass the audit, doing so doesn’t automatically render your system secure, or even demonstrate an effort toward improving security. The recent breach at Heartland Payment Systems is, unfortunately, a shining example: The company had been audited and certified PCI-DSS compliant.
The PCI Challenge: Overcoming Technical and Cultural Hurdles
The reality is that, for many businesses, it is extremely difficult to achieve and sustain audit-quality compliance as an ongoing practice because of lack of resources, knowledge or, frankly, concern. Implementing a system of ongoing compliance often requires both technological and cultural changes across the organization. This, of course, requires an investment in both the proper tools and talent to build a robust program.
Achieving compliance also demands a thorough understanding of the business risks involved in not adhering to compliance mandates. Finally, it may even call for a new appreciation for the value of public perception. After all, some of the biggest payment card industry breaches have actually had little immediate impact on the company, at least in the minds of the CIOs who allocate resources for security. But certainly consumer trust in the payment card industry dwindles with each data loss — a symptom that impacts the entire value chain.
The complexity of a continuous compliance program may seem daunting in the face of dwindling resources, especially in light of the difficult economic situation at hand. Furthermore, frequent infrastructure changes and evolving PCI standards can make ongoing compliance seem like a moving target. However, maintaining compliance is far more efficient than the audit scramble and checklist mentality, especially with the right tools in place.
Ongoing Compliance Fundamentals
The first key to maintaining continuous compliance is achieving visibility into the environment. Simply put: you must see what you have before you can secure it. This visibility must encompass all IT assets, both physical and virtual, both on-site and off. Comprehensive asset visibility is the foundation to any compliance program — without a clear view of all the assets in place, it is impossible to design a protocol to secure the environment.
Secondly, maintaining compliance requires continuous monitoring of system assets on a day-to-day basis. Change is the biggest enemy in ensuring compliance; without a change management program in place, full compliance at one moment can be undone in the next. When a single unplanned change goes undetected or an orchestrated change goes awry and causes instability, the whole system begins a downward spiral. Change management requires that we transcend the perception of the audit as a snapshot in time of the IT landscape and instead look to continuously monitor for changes so that these may be remedied before they spiral out of control.
It is also important to determine the exact scope of the IT environment that must be secured in order to meet compliance mandates. Often it’s not necessary to cover the whole enterprise, so only bite off what you have to. This will help save money and resources by only involving the necessary employees and/or business units.
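The three fundamentals above (asset visibility, continuous change monitoring, and scoping) can be shown working together in a small drift check. The following is an added example, not code from the article or from Configuresoft: it compares a baseline inventory snapshot against a current one, restricts the comparison to in-scope assets, and separates changes that match an approved change record from unplanned ones. Every host, setting and ticket id is constructed for illustration.

```python
"""Added example (not from the article): compare two asset/configuration
snapshots, restrict the comparison to in-scope systems, and separate approved
changes from unplanned ones. All hosts, settings and ticket ids are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str          # "changed", "new_asset" or "missing_asset"
    key: str = ""      # configuration key that changed (for "changed")
    before: object = None
    after: object = None


# Constructed baseline: the environment as recorded at the last review.
BASELINE = {
    "web01": {"in_scope": True,
              "config": {"tls_min": "1.2", "ssh_root_login": "no", "listening": [443]}},
    "db01": {"in_scope": True,
             "config": {"tls_min": "1.2", "ssh_root_login": "no", "listening": [5432]}},
    "wiki01": {"in_scope": False,
               "config": {"tls_min": "1.0", "ssh_root_login": "no", "listening": [80]}},
}

# Constructed current snapshot: one approved change (web01), one unplanned
# change (db01), drift on an out-of-scope host (wiki01) and a new host (web02).
CURRENT = {
    "web01": {"in_scope": True,
              "config": {"tls_min": "1.2", "ssh_root_login": "no", "listening": [443, 8080]}},
    "db01": {"in_scope": True,
             "config": {"tls_min": "1.2", "ssh_root_login": "yes", "listening": [5432]}},
    "wiki01": {"in_scope": False,
               "config": {"tls_min": "1.0", "ssh_root_login": "no", "listening": [80, 8443]}},
    "web02": {"in_scope": True,
              "config": {"tls_min": "1.2", "ssh_root_login": "no", "listening": [443]}},
}

# Constructed change records: an approved change names the host and the setting it touches.
APPROVED_CHANGES = [
    {"ticket": "CHG-0042", "host": "web01", "key": "listening"},
]


def in_scope(host, *snapshots):
    """A host is in scope if any snapshot marks it so (newly seen hosts count too)."""
    return any(snap.get(host, {}).get("in_scope", False) for snap in snapshots)


def diff_snapshots(baseline, current, in_scope_only=True):
    """Return findings for every asset that appeared, disappeared or changed."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if in_scope_only and not in_scope(host, baseline, current):
            continue
        if host not in baseline:
            findings.append(Finding(host, "new_asset"))
            continue
        if host not in current:
            findings.append(Finding(host, "missing_asset"))
            continue
        old, new = baseline[host]["config"], current[host]["config"]
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                findings.append(Finding(host, "changed", key, old.get(key), new.get(key)))
    return findings


def classify(findings, approved_changes):
    """Split findings into approved changes, unplanned changes and inventory events."""
    approved_keys = {(c["host"], c["key"]) for c in approved_changes}
    report = {"approved": [], "unplanned": [], "new_assets": [], "missing_assets": []}
    for f in findings:
        if f.kind == "new_asset":
            report["new_assets"].append(f.host)
        elif f.kind == "missing_asset":
            report["missing_assets"].append(f.host)
        elif (f.host, f.key) in approved_keys:
            report["approved"].append(f)
        else:
            report["unplanned"].append(f)
    return report


def review(baseline=BASELINE, current=CURRENT, approved=APPROVED_CHANGES):
    """Run the scoped diff and reconcile it against the approved change records."""
    return classify(diff_snapshots(baseline, current), approved)


if __name__ == "__main__":
    result = review()
    for f in result["unplanned"]:
        print(f"UNPLANNED {f.host}: {f.key} {f.before!r} -> {f.after!r}")
    for f in result["approved"]:
        print(f"approved  {f.host}: {f.key} {f.before!r} -> {f.after!r}")
    print("new assets needing scoping review:", result["new_assets"])
```

Run as-is, the check reports the db01 root-login change as unplanned, accepts the web01 port change because ticket CHG-0042 covers it, ignores the drift on the out-of-scope wiki host, and flags web02 as a new asset that needs a scoping decision before the next snapshot. In practice the snapshots would come from an inventory or configuration-management tool and the approved-change list from the change ticketing system; the reconciliation logic stays the same.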
Finding the Right Solution
Once these fundamentals are in place, it’s time to find the right solution to meet your needs. Sometimes single point solutions are required to meet specific needs, for data encryption at rest or in transit, for example. However, when possible, it is better to find a comprehensive package that covers as much ground as possible. Look for systems with the right level of scalability, flexibility and a broad feature set that will allow you to customize it to meet your current needs and accommodate growth. It’s also important that the solution itself not be a drain on resources — the goal here is to free up resources, not contribute to the drain. The ideal solution can be managed by just one or two people.
Finally, it’s important to find a solution that will meet the company’s long-term objectives. While investing in a more robust solution will cost more, a tough sell in these difficult economic times, the long-term ROI will make it worthwhile. Instead of making a knee-jerk decision just to get something in place, consider solutions that will help you meet multiple compliance objectives, like SOX and HIPAA if warranted, in addition to PCI.
Dave Shackleford is the chief security officer at Configuresoft and director of the company’s Center for Policy & Compliance (CP&C). The CP&C conducts ongoing research and analysis of rapidly changing IT security and compliance data to turn abstract mandates into sustainable compliance processes.