Standard: something considered by an authority or by general consent as a basis of comparison; an approved model.
During my assessments of entities that are facing compliance for the first time, I am quite often asked:
“I want to be compliant within date mm/dd/yyyy, can you make sure of that?”
My answer is always: “No.”
It is not a matter of being capable or incapable. It is a matter of responsibility. As a QSA, my duty is to assess the compliance towards a standard document, published by an official global organization. In my case, the standard is PCI-DSS.
An auditor MUST assess the compliance of a customer against a given standard during the period of auditing. The responsibility of the customer is to maintain all the in-scope systems, people, processes and data in compliance. An auditor can give guidance, consultancy and advice, but is not responsible for the result of the audit.
Unfortunately, there is sometimes a misconception that “compliance” can be bought. It is particularly true when someone, who isn’t fully aware of what achieving PCI-DSS entails, has set a deadline for the compliance.
- Developers inexperienced with secure coding
- CHD expired by 4-5 years
- Nonexistent Change Management
- Absence of key management
- Many other Security Horrors (SH)
The QSA puts the customer in remediation and most of the time the deadline to fix the SH is missed. The question is repeated:
“I want to be compliant within date mm/dd/yyyy, can you do that?””.
My answer: “That depends on YOU, it is your responsibility”.
It is a challenge to make customers understand that achieving compliance isn’t the responsibility of the QSA, but their own. And, that only a consolidated, stable and streamlined daily process can bring the real goal of compliance, which with PCI DSS is: PROTECT CARDHOLDER DATA.
The old Chinese wise Lao Tzu, author of the Tao Te Ching, the main script, which gave birth to the “Path of Tao” and afterwards to the discipline of Zen used to say: A JOURNEY OF A THOUSAND MILES, BEGINS WITH ONE STEP”.