What are the common failure points of repeat info-security assessments?


Maintaining compliance with any information security standard is often a long and winding journey. You never quite know what is over the horizon or around the bend, so what should we look out for when the time comes for that difficult second audit?


‘To lose one parent may be regarded as a misfortune; to lose both looks like carelessness’. So wrote Oscar Wilde. Of course, he was referring to human relationships rather than info-security audits and, as with Mr Worthing in ‘The Importance of Being Earnest’, sometimes it is no one’s fault when a second misfortune strikes. But in the case of repeat info-security audits, the common failure points show that there are lessons to be learned.

Common failure points in repeat assessments are:

  • No one has been made accountable for recurring tasks, so they go undone. The six-monthly firewall rule-set review is a typical example: if it has not been diarised and assigned to a named owner, who will remember?
  • Internal scanning is not always performed with the same diligence as external scanning. In reality both require the same approach and the same rigour, including the same remediation and re-scan of anything that fails.
  • Payment procedures have been introduced that are at odds with the established methods for processing card data. A defined payment strategy, which every new process is checked against, is a great help here.
  • System patching: critical patches have not been risk assessed and may not have been applied within the 30-day window. A robust patching procedure is essential to limit exposure.
  • Vulnerability scanning has identified vulnerabilities that have not been fixed within the required timescale, or that have been fixed without following the correct change control or remediation process. Please note that an auditable process is required here: the finding, the change, the fix and the re-scan should all be on record.
  • Storage of unencrypted card data: as part of the data discovery process, unencrypted card data is often found on desktops and servers. Usually it arrives in unsolicited emails, but a breakdown in the payment strategy can also lead to staff using unapproved channels to exchange card details with customers.

A failed repeat info-security assessment tells you that whatever you did first time round was not sufficient to keep your organisation compliant. Like an MOT (the UK's annual vehicle roadworthiness test), a security audit is only a ‘snapshot’ of an environment at a given time. All too often, a security assessment is seen as a ‘tick box’ exercise rather than a programme of ongoing maintenance. For more on developing an effective info-security strategy, read our blog on ‘Navigating the minefield of info-security compliance’.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B, is a regular contributor to the SRM blog.
