Noone at SecurityMetrics had any comment on why the company was sent into remediation. As you’ll notice, Chris Konrad from Fortrex kindly stepped up and posted the yesterday about the plan to remediate, and the company’s committment to resolve the internal issues that caused the status change. Anyone from SecurityMetrics? PSC?
Choosing an assessor is a lot like choosing a car. Some of them get you there quickly, some of them are reliable, and your mileage may vary. There are a number of factors to consider, including:
Ask to See Your QSA’s Resume
There are A LOT of people in the information security space, and their backgrounds vary pretty wildly. Make sure that you are comfortable with the skillset of your assessor, his or her work experience, and their knowledge of PCI. Also, make sure that the person who shows up is in fact the person who’s resume you reviewed. You may want to interview them as well to insure that they have a knowledge level that you’re comfortable with.
Talk to other Merchants
There are people out there who have gone through this multiple times, and have probably used more than one assessor. Ask them what they thought about the assessor meeting their expectations in terms of technical abilities, and delivery timeframes.
Timeframe to Completion / QSA Availability
What is sales willing to commit to on paper in terms of having an assessor at your facility? How long will the assessment take? The answer may surprise you. If you’re a level 1 service provider, and they’re only going to spend 3 days reviewing your security controls, you may want to keep shopping. On the other hand, if its going to take 6 months to complete the assessment, that’s probably less than optimal as well.
Your assessor should be able to start within 30 days, and given that there are 200+ requirements that need to be answered for with interviews, observation, and direct evidence gathering, the process will take some time. For an average level 1 merchant , 60-90 days is a reasonable expectation if you’ve been through the process before and are prepared.
Perform a “Pre-Assessment” Yourself
Understand what the scope of your environment is, and try to anticipate the results of your assessment. This will allow you to speak to the issues with confidence. In the event that you disagree with your assessor on a particular technology or architecture, you’ll be able to defend your position on its deployment without having to use your bank as an intermediary.
(Shameless Plug: We help a lot of people with this.)
Talk to your bank
Do they have a solid reputation with your acquiring bank and/or the card brands that you work with? Banks have to review a lot of scan reports, ROCs, and self assessment questionnaires. They see the cumulative results of many different assessors, and can provide you with valuable input as to who has delivered consistent, quality assessments. On the other hand, some assessors have a practice of “partnering” with banks, and those banks use that assessor as their “preferred assessor,” making the recommendation somewhat worthless, because the answer is always the same, irrespective of the situation.
Neither the principals of PSC (Payment Software Company) or Fortrex, Inc. (both Qualified Security Assessors) had any comment when asked about why their companies were put on probation by the PCI Security Standards Council in late January.
Both companies appear to be lacking the appropriate work papers that are required as supporting documentation to PCI assessments. All QSACs were told about the SSC reviews of work materials in July of last year, so unless they just weren’t collecting or keeping their evidence, i’m unsure how you would screw up this badly. Maybe they didn’t believe the QA program was real?
What will be interesting to see is whether or not they are able to recover from this. I suppose that if Trustwave can be the assessor of record for 2 of the 3 most major breaches in world history and noone wants to talk about it that these guys will be fine by next quarter.
A friend who recently went through the new annual QSA re-certification training a while back shared the most recent training manual with me. I have to say, that some of the clarifications are astonishingly… bad.
Specifically what I am taking issue with is the clarification around network segmentation. The title of the slide is:
“What are acceptable forms of Network Segementation?”
Then the slide describes Cisco access control lists.
Right.
Think I’m nuts? The slide goes on further to give the following example:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any logaccess-list 100 deny ip 127.0.0.0 0.255.255.255 any logetc...
Another interesting sub bulletpoint is “Confirm audit logging is in place for all access to segmented network,” suggesting that there are cases wherein you would not only be exclusively using ACLs, but that you may create specific ACLs which allow access to the “protected” network from the unprotected interface.
Translated:
“Cisco ACLs are effective protection for the cardholder environment, and if you need to make exceptions to your already bad security practice by allowing administrative traffic in from the outside, then go ahead.”
Its any wonder that compliance numbers grow every year, and so do the number of compromises.
I was speaking with a friend and colleague today about his experience with the most recent PCI training and what I found out was, well, interesting to say the least.
On the topic of independence and thoroughness, the SSC is apparently suggesting that it is acceptable to have an individual QSA:
In my opinion, you may as well have the merchant or service provider simply self-assess at this point, because the QSA’s objectivity is all but gone.
Anyone who has ever gone through QSA training and has spent any time doing work in the infosec space will tell you that the training materials are fairly simple, and the test is a walk in the park.
In fact most QSAs will tell you that they haven’t learned anything substantially new by virtue of becoming a QSA. For the most part, the certification only enables them be the examiner of record on paper.
In other words, no special knowledge required, zero objectivity, and lots of multi-year managed service contracts between QSAs and merchants.
Its not hard to see why things like Heartland and RBS are happening. The ROC has become less honest than the tax return.