Sunday, December 12, 2010

Using a Framework to Control the Scope of PCI DSS Assessment

In A Framework for Introducing PCI DSS Requirements, I describe how having a framework provides value by enabling a consistent and reasoned approach to changing existing workflows, and how a framework is easy to explain to stakeholders. However, a framework’s true value lies in its ability to help you understand the business and process needs for cardholder data. This understanding can directly affect the scope of assessment.

PCI DSS permits the scope of assessment to be reduced if there is a clear understanding of the business needs and processes related to the storage, processing or transmission of cardholder data. The scope is refined further in Appendix F, where the assessor is permitted to select the smallest sample size for assessment if there are centralized standards that all entities must follow.

A framework helps to develop a clear understanding of business needs and processes because it provides a place to record knowledge about the business, and because it can evolve as that knowledge or the business changes.

Using a framework to reason about changes to workflow and to manage the relationships between documents virtually guarantees that centralized standards are created, because the whole point of electing to define a framework is the benefit it provides in managing these documents.

Of course, there are a lot of things that affect the scope of assessment, and many of them go far beyond what a framework can control. For example, can a framework reduce the scope of Requirement 1.2, which calls for firewall configurations between trusted and untrusted networks and any system components in the cardholder data environment?

If firewalls are not in place, then there is an unmanaged element required by PCI DSS in the network. A framework can shine here because it provides a starting point for the introduction of the network plan and the documents for managing this plan. In this case, a framework helps control the scope of assessment through the introduction of processes, procedures and plans that ensure these changes remain in place.

If firewalls are in place, then the only value a framework provides is to document the best practices that led to this network design, assuming that these best practices aren’t already documented. If they are documented, then the value of the framework is limited to the possibility of being extended to include them. In this case there isn’t much effect on the scope.

In this example, the value of the framework for controlling the scope of assessment diminishes as the requirements gap shrinks. This implies that managing the introduction of PCI DSS using a framework is more valuable if the organization lacks documented policies, processes and procedures.
