A recent article proffered that companies need not hire expensive consultants to meet PCI compliance. The author goes on to argue that the best approach is, first, to walk through the requirements documents internally and, second, to document your controls. I wholeheartedly agree that self-reflection and properly recording controls are absolutely pivotal to reaching compliance with PCI; in fact, the same applies to any mandate or legal burden.
I feel, however, that the author has left a few stones unturned, and I want to highlight additional practices (demonstrated by clients in the U.S.) that can maximize your efforts in demonstrating, maintaining, and operating a compliant control environment.
Align control environments and produce a single repository:
Organizations should consider how their existing control environments are deployed, and whether other attestation events will examine the same systems. It is very likely that the identity management system, firewall, logging servers, anti-virus, etc., that are identified as core controls for PCI are also applicable to SOX, FERC/NERC, and many other mandates. So, identifying which controls are in place and then producing a single set of audit documentation (one evidence repository mapped to every applicable requirement) makes each audit engagement more efficient and removes duplicated effort.
Consider having more than one audit at a time:
Audits examine a period of time in the past to validate that the controls were operating correctly. If audit events are stretched out over several months, the test period in question shifts with each audit. While it is good for the organization to maintain an optimal level of compliance throughout these long audit windows, it is also extremely wasteful. Similar to the alignment savings above, having to provide the logs of your LDAP server once instead of six times has obvious benefits and results in clear savings.
Assign an internal resource to conduct your PCI audit:
Merchants required to produce a Report on Compliance for VISA and the other card associations may hire an assessor, or may rely on an "internal audit if signed by an Officer of the company". That can translate to very large savings, both in audit fees and because internal audit departments (or assigned persons) will have greater knowledge of the business than an outsider. A note of caution on this savings recommendation: third parties bring experience of multiple environments (and therefore of the likely areas of weakness), and they arrive without the assumptions that come with being part of a company's culture. Extreme diligence must be taken when internal resources are relied upon, especially if those assigned are the same people running the environments in scope (the fox guarding the henhouse).
There are many other areas of savings that can be achieved for PCI, and an even larger set of practices for SOX and others, but that is for another time. I welcome any additional areas of savings people have seen!
James DeLuccia IV
IT Compliance and Controls Book Release is March 19th 2008! Pre-Order Today
Upcoming Speaking Engagements:
- Please join me at RSA 2008 for my session on: Emergence of international regulatory synergies
- Please join me in Boston, for the Association of Certified Fraud Examiners' Conference, with my session on: Worst and Best IT Management Practices