Visa struggles / Auditor Standards / ….Objectives Complete?
April 12th, 2007 Drazen Drazic Posted in PCI, Security-Assessment.com
SearchSecurity reports on Visa’s push for PCI Compliance.
Finally, some figures that look almost realistic. You can take these figures to really mean that 60%+ of these businesses do not have good basic security controls in place. Let's be realistic: as much as PCI has copped criticism, it's really doing no more than stating, "these are good security practices - nothing overly fancy - and you should be deploying them."
Even companies who don't fall under the PCI program should have a look at the PCI DSS and see how they compare. Is the standard definitive? No, but it's one of the better ones out there in the public arena. Would we base a whole state-of-security review around the PCI DSS checklist? No way, but we'd certainly make sure that we'd covered the requirements at a minimum and then added our additional checks. But hey, we're like that!
The linked story goes on to state: "For example, a security lapse flagged by one auditor may not be considered an issue by another" ... "Clearly there needs to be more consistency between the way assessors interpret the requirements," Adams said.
COULD NOT AGREE MORE!! But you can't always blame the standard itself. While there are grey areas in terms of interpretation, that does not excuse basic incompetence. QSAs need to accept blame where it surely rests with them.
We're generally pretty close on time estimates for our client jobs. Sour grapes: we've lost 2 recent bids for Tier 1 Onsite Audits. I don't stress it too much, because we can't compete, nor do we want to compete, in scenarios where we have quoted 30 days and get beaten by someone quoting 5 days. Let's be honest, for most companies PCI is a pain - they want the tick in the box and to forget it for another year. It's the classic case of compliance going one way and security the other. Why would you want Security-Assessment.com poking around finding bad stuff for 30 days when you could get a Big guy in for 5 and you know you'll probably do quite well?
We had a call from a Tier 1 (service provider) a couple of months ago. The Big guy who did their Onsite Audit last year is no longer in the game, so they were looking for a new QSA for this year's audit. Somehow, Big guy pulled this audit off in 4 days last year and passed them! We were told in no uncertain terms that should we be hired, they would expect the job done in a similar time and they "expected to be passed!" Bull to a red rag. We sized the job, quoted 3-4 weeks and stressed we'd really rip it up - finding EVERYTHING!
Needless to say, we never heard from them again. So yeah, quotes like that about QSA inconsistencies are pretty much on the ball.

April 19th, 2007 at 1:46 am
A former GM of a security/standards section of a large Govt Health authority publicly stated that fraud committed upon her organisation was 'less than 1%'. This organisation spends a whopping $14bn p.a. on public health. An impressive figure, so how was this figure measured? It wasn't. It was her best guess. And, no surprises, a guess that was favourable to her claim that she was doing a good job at combatting fraud (she is no longer employed in this position). If systems allow for those humans in positions of responsibility to manipulate statistics or figures to their advantage, they often will. If systems/standards allow for those people in positions of responsibility to deny a problem exists, they often will.