Where can I find policy and procedure templates
Los Angeles, CA (Vocus) September 16, 2010
Looking to undertake an annual on-site assessment by a Payment Card Industry Qualified Security Assessor (PCI QSA) or are seeking to achieve compliance with the Payment Card Industry Data Security Standards (PCI DSS) initiatives in the near future?
Well, then read on because according to NDB Advisory, PCI DSS compliance is fast becoming one of the most widely recognized compliance initiatives around the globe, and for good reason. Organizations that are directly involved in the processing, storage, or transmission of transaction data or cardholder are without question prime candidates for PCI DSS compliance.
But how difficult can PCI compliance be? After all, simply follow the prescribed matrix from the PCI Security Standards Council, implement the requirements and "check the box", right? Wrong. On-site assessments turn into engagements of nightmarish proportions because personnel involved within the assessment itself fail to effectively plan and strategize for the following 3 key areas.
A PCI DSS Readiness Assessment
It's essential to crawl before we walk, and with that said, successful PCI DSS engagements can only be achieved when organizations undertake an actual PCI DSS Readiness Assessment. Crucial to the overall on-site assessment, a well-planned and executed readiness assessment effectively defines scope, personnel, while helping to create a gap analysis for all areas that need remediation. Make no mistake, when a PCI DSS Readiness Assessment is done correctly, EVERY company will have a marginal to meaningful amount of remediation to conduct.
Policies and Procedures
As a Qualified Security Assessor, many times prospective or actual clients would ask, "Where can I find policy and procedure templates" or "how much do you charge to write them, because we just don't have the time". The point is that developing policies and procedures for PCI DSS compliance is often one of the most time consuming aspects of the engagement itself. Shocked at that statement? You shouldn't be. Read through the PCI requirements matrix lately? There are approximately three dozen “tests” throughout the 12 functional PCI requirements that call for a documented policy or procedure. My advice is to find a reputable vendor that provides policies and procedures (they’re out there, just search for PCI policy templates) or have a Qualified Security Assessor provide you a set of quality, cost-effective templates.
Unexpected Operational Time Commitments
Familiar with two-factor authentication, a web application firewall (WAF), or file integrity monitoring (FIM), just to name a few catchy PCI phrases? If not, and you’re considering tackling PCI compliance, then expect to invest considerable operational time commitments into implementing many of the tools and appliances required by PCI. And here’s what’s interesting-many of these tools can be had via open source-requiring minimal costs to obtain usage rights for them. Thus, it’s generally not the financial costs to obtain these tools that cause significant strains on PCI engagements, rather, the unplanned operational time commitments in provisioning and hardening these tools within the cardholder data environment.
PCI DSS on-site assessments simply take time. Organizations need to effectively plan for undertaking a Readiness Assessment, developing policies and procedures, and spending considerable resources in implementing, configuring, and hardening system devices within the cardholder data environment.
Contact Charles Denyer, a PCI QSA, directly at 800-277-5415-extension 705 or email at info(at)pciassessment(dot)org to discuss your compliance needs.