How Do You Know Your Controls Are In Place and Effective?
Posted by: Carla Brinker
The PCI DSS requires service providers to confirm that their security personnel are “performing their tasks in accordance with all security policies and operational procedures” at least once every quarter (Requirement 12.11.x in PCI DSS v3.2.1, Requirement 12.4.2 in v4.0). This seems so obvious… but there’s more to it than meets the eye, and many organizations struggle with proving this activity is being completed.
It’s a pretty typical control – requirement, policy, procedure, activity every three months, signoff. The PCI DSS outlines some of the things that need to be verified, including daily log reviews, configuration reviews for all network security controls, applying configuration standards to new systems, responding to security alerts, and following change management processes. For many service providers, the daily log review and security alert response are centralized in a Security Operations Center (SOC) (in-house or outsourced). It’s easy enough to check and make sure the function is operating. For service providers, the firewall rulesets have to be reviewed every six months. Again, not something difficult to achieve.
Where service providers usually fail is in proving that the review activity occurred. A recurring ticket is best for documenting this activity. The ticket should list the person performing the review, describe the procedure that should be followed, document the results, and include the sign-off of the person accepting the results of the review. (The person completing the review cannot be the same person who executes the controls, but must understand what an effective control looks like.) This isn’t just a checkbox. This is taking a sample of transactions and verifying that the critical controls are working as you expected. Expected review activity includes, but is not limited to:
- Request a sample of alerts from the SIEM and ensure the response was appropriate.
- Review a newly built system and ensure the configuration standard was properly applied.
- Ensure the firewall ruleset review (or equivalent) was performed every six months and review the results.
- Review change tickets and ensure change management processes were followed (including authorizations, user acceptance testing/impact analysis, rollback procedures, etc.).
The procedure for this control should be written to define what is required to ensure each of the listed controls is truly working. The procedure should be written so that no matter who completes it, as long as they have the appropriate network access, they will come up with the same results. A detailed step-by-step approach of who to contact, questions to ask, and evidence to collect should be included in the procedure. The procedure should support a policy that requires the reviews to be completed every three months and indicates the assigned role that is responsible for those reviews. Additionally, whoever is responsible internally for the PCI DSS program should receive this review and sign off on it.
If a recurring ticket is not an option to document the review, be sure to establish a calendar reminder to alert when this control is due. Also, retain the evidence from the review for future audits. This control is required every three months, so the QSA is going to expect to see at least four of these reviews completed in the last year.
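As an added example (not code from the post or from GuidePoint), here is a small Python check over constructed review-ticket records that applies the evidence tests described above: at least four reviews in the last year, no gap beyond a quarter, the procedure, results and sign-off recorded on every ticket, and a reviewer who did not operate the controls. The ticket fields, the 92-day gap tolerance, the names and the ticket IDs are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class ReviewTicket:
    """One recurring quarterly-review ticket; fields mirror the checklist in the post."""
    ticket_id: str
    completed: date
    reviewer: str                 # person who performed the review
    control_operators: frozenset  # people who executed the controls being sampled
    procedure_ref: str            # ID of the step-by-step procedure that was followed
    results: str                  # documented outcome of the sampled checks
    signed_off_by: str            # PCI program owner who accepted the results

def check_review_evidence(tickets, as_of, max_gap_days=92):
    """Return the findings a QSA would raise about the last year's review evidence.
    max_gap_days is an assumed tolerance for 'every three months' (one quarter)."""
    findings = []
    recent = sorted((t for t in tickets if as_of - timedelta(days=365) <= t.completed <= as_of),
                    key=lambda t: t.completed)
    if len(recent) < 4:
        findings.append(f"only {len(recent)} review(s) in the last year; at least 4 expected")
    # Cadence: consecutive reviews must not drift beyond a quarter.
    for prev, cur in zip(recent, recent[1:]):
        gap = (cur.completed - prev.completed).days
        if gap > max_gap_days:
            findings.append(f"{prev.ticket_id} -> {cur.ticket_id}: {gap} days between reviews")
    for t in recent:
        # Each ticket must carry the procedure followed, the results and the acceptance sign-off.
        for name in ("procedure_ref", "results", "signed_off_by"):
            if not getattr(t, name):
                findings.append(f"{t.ticket_id}: missing {name}")
        # Separation of duties: the reviewer may not be someone who ran the controls.
        if t.reviewer in t.control_operators:
            findings.append(f"{t.ticket_id}: reviewer {t.reviewer} also operates the controls")
    return findings

AS_OF = date(2024, 3, 31)  # assumed assessment date for the constructed sample

def sample_tickets():
    """Constructed sample evidence (not real data); two tickets carry deliberate defects."""
    ops, proc, res = frozenset({"dana", "eli"}), "PROC-12.4.2", "sampled alerts/changes ok"
    return [
        ReviewTicket("REV-2023Q1", date(2023, 1, 27), "amy", ops, proc, res, "pci-owner"),  # outside window
        ReviewTicket("REV-2023Q2", date(2023, 4, 28), "amy", ops, proc, res, "pci-owner"),
        ReviewTicket("REV-2023Q3", date(2023, 7, 28), "bob", ops, proc, res, "pci-owner"),
        ReviewTicket("REV-2023Q4", date(2023, 10, 27), "dana", ops, proc, res, "pci-owner"),  # reviewer ran the controls
        ReviewTicket("REV-2024Q1", date(2024, 1, 26), "amy", ops, proc, res, ""),  # never signed off
    ]
```

Running `check_review_evidence(sample_tickets(), AS_OF)` reports the two defective tickets; dropping the Q3 ticket additionally reports the short count and the 182-day gap, which is exactly what a QSA would spot when asking for four quarters of evidence.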
The DSS requires service providers to confirm, all year long, that policies are being followed and business is being conducted as usual. This control assists in preparing for the next assessment and ensures those critical controls are documented and functioning as expected throughout the year. While it feels like an exercise in paperwork, it’s really a check needed throughout the year to ensure the program is operating as expected. A robust monitoring program ensuring security controls are in place and effective has significant additional risk mitigation benefits as well.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Security Assessor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).