The "maintaining compliance" issue
There’s an interesting discussion over on PCI Compliance Demystified about maintaining compliance after you have initially achieved the “tick in the box”. The discussion is primarily about PCI DSS compliance but could be had about any compliance requirement.
To paraphrase, the question raised was “how is compliance maintained?”, which has since developed into a “what’s being done about maintaining compliance?” question.
I find this interesting because when we first started looking at PCI DSS compliance at my company I placed more emphasis on the “maintaining compliance” requirement than on the “achieving compliance” requirement. It was a hard sell, and is not yet fully accepted.
PCI DSS requires that you achieve compliance and then remain compliant from that point on. If your company suffers a security breach and the card schemes send in investigators, they will not just assess your compliance on the day they turn up. They will investigate your state of compliance for the whole period over which the breach occurred, and even prior to that, to identify whether a failure to maintain compliance contributed to the breach. If it did, large fines are on their way.
Take the TJX situation for example. Initially TJX reported that the security breach happened “over a period of a few months at the end of 2006”. After the investigators went in, they found that the intrusion had been ongoing for a couple of years. This being the case, the investigators will be assessing whether TJX was compliant for the whole of that time. From reports, it appears they were not.
My company has accepted the “maintaining compliance” requirement to the extent that they have agreed to completely redesign the payment processing platform, moving from the old legacy system (which was difficult to support and maintain) to a nice shiny new compliant and maintainable platform. Good news. However, the question of how compliance is managed thereafter is still being discussed.
Without a compliance management process in place, the initial achievement of compliance is fairly pointless. Two days after you tick the box, a new member of staff joins and unwittingly blows your achievements away by introducing a new business practice that ignores some fundamental PCI DSS requirement. Worse still are the creeping changes which, in isolation, are perfectly fine and compliant. Over time, however, one thing leads to another and bang, a vulnerability slides in which “no one could possibly have foreseen…”
Compliance management is a functional process and requires not only resources but also an agreed corporate approach. Perhaps this is the real issue: no one wants the responsibility monkey on their back.