An Assertion About PCI & Risk Management
PCI is more about legal wrangling (what constitutes due diligence) than about our ability to “prevent, detect, and respond” (which is more or less what real risk management is about).
Why do I make that assertion? Well, the inspiration came to me from the PCI Yahoo group. The majority of questions I’ve seen aren’t about “how do I best protect cardholder information”, but rather:
“Section 6.X says blah, blah. We can’t do what the assessor says (note: almost 100% of the time because the cost is prohibitive), so now what?”
You know what kind of question that is? It’s not a security question, I’ll tell you that much. One might say it’s a risk question (I have to accept exposure, how can I lessen it), but really it’s a legal question. “What is the minimum I can do and still have my sweet patootie covered?”
The funny thing is, the answer to all these questions, at a high level of abstraction, always has to be the same. It is always:
Do what costs you the least, that which will get you certified, regardless of whether or not it really protects cardholder data.
The assessor wants you to have a database firewall, but you know it’s not a useful substitute for database encryption? Who cares? Buy the cheapest database firewall you can find, install it, and forget about it. No PCI assessor is going to care whether you actually use it, or if it actually does anything for you.
Richard and others have continued to tell us that controls are not the solutions to our problems. Similarly, “Security is not a technology problem” is an axiom whose wisdom we’ve long agreed on.
Here’s another one for you today: risk management has two components. It is one part what we’re doing, and an equal part how we’re doing it. It is a combination of ISMS, governance, and CMM.
And this is where I have to respectfully disagree when I hear others say that security professionals are too overburdened or not smart enough to “do risk models”, or that risk models only have worth to large corporations.
Bullcrap.
Only by using risk management models can anyone understand whether they are better today than they were yesterday, or whether they’ll be better tomorrow by doing something different. You should be smart and pragmatic enough to understand that patch levels, A/V outputs and scanner output are only useful in context. Your boss certainly is. She’s just waiting for you to give her that context.


shrdlu Jan 11
Gedankenexperiment: What if the one requirement for PCI compliance was “Pass our pentest”?
LonerVamp Jan 16
Amen to that rant, Alex! It’s no wonder the assessment targets weasel, wriggle, and whine to try to get out of doing the things an assessor says they need to do. I’m a firm believer that compliance only aims to raise the lowest denominator, the lowest bar in security. Rather than do nothing, companies do at least a little more than nothing. That’s it. That’s all I see compliance truly doing.
Sure, there are companies who use it to educate themselves and springboard up to doing MORE than just complying, actually being good stewards of security. Kudos, but I think most prefer to do the least and try their best to get away with it, or pretend it’s working and not actually check how it is doing. “Yes, we’re compliant and secure!” *glance over at the data center admins shivering in the corner, wide-eyed and quietly shaking their heads ‘no’*