For the past few weeks, I've been knee-deep in PCI compliance. I have previously mentioned that although my company's current credit card transaction volume doesn't require a full PCI audit, we have made a business decision to get the full PCI Report on Compliance, which entails hiring a qualified security assessor (QSA), submitting evidence, conducting a variety of qualified penetration tests and assessment scans and ultimately having an auditor spend about a week on site reviewing evidence and conducting in-depth testing of the 400-plus controls.
The QSA has to understand the scope of the audit. To help, we provided things such as network and data flow diagrams, a list of hardware and software assets and the names of everyone who has a significant level of access to the environment that we use to store customer credit card data. With this information in hand, we met with our QSA and narrowed the scope to our two production data centers and our disaster recovery data center, where we store customer credit card data. Because we use very strict firewall rules and proper physical and logical segmentation, our very large corporate IT infrastructure is not in scope.
And now the fun begins. Of those more than 400 controls, it is just a few that tend to get companies in trouble. One of these pertains to security information and event management (SIEM). If you have a robust SIEM infrastructure, a dedicated security operations center or a managed service, you'll probably do well. I wish that were the case for us, but our SIEM program is still in its infancy. We're working on selecting and then implementing a robust SIEM tool, but for now we are still doing things via log collection, scripts and the manual review of events. That makes it difficult for us to prove that we can reliably identify and take action on security attacks. We do an OK job but could really use the help of a modern event correlation product or service.
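To make concrete what "scripts and manual review" versus "event correlation" means in practice, here is an added example that is not from the original column or the author's environment. It runs the kind of correlation rule a SIEM would apply (repeated authentication failures from one source inside a time window, and a success following those failures) over a handful of constructed sshd log lines. The host names, addresses, usernames, thresholds and the assumed year are all invented for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): syslog-style sshd messages of
# the sort a manual log review would scroll through.
SAMPLE_LOG = """\
Mar 14 02:11:01 pos-db01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 14 02:11:03 pos-db01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 14 02:11:05 pos-db01 sshd[2212]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 14 02:11:08 pos-db01 sshd[2213]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 14 02:11:10 pos-db01 sshd[2214]: Failed password for oracle from 203.0.113.7 port 51126 ssh2
Mar 14 02:11:30 pos-db01 sshd[2215]: Accepted password for oracle from 203.0.113.7 port 51127 ssh2
Mar 14 02:15:00 pos-db01 sshd[2300]: Failed password for jsmith from 10.10.5.20 port 40001 ssh2
Mar 14 02:16:00 pos-db01 sshd[2301]: Accepted publickey for jsmith from 10.10.5.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_line(line):
    """Turn one sshd auth line into an event dict, or None if it is not an auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; assume a fixed one so the events are comparable.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def correlate(log_text, window=timedelta(minutes=5),
              brute_threshold=5, success_threshold=3):
    """Sliding-window correlation over a log: one alert per source for a burst of
    failures, and an alert when a login succeeds after several recent failures.
    Thresholds are illustrative assumptions, not PCI-mandated values."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    brute_alerted = set()           # sources already reported, to avoid alert storms
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= brute_threshold and ev["src"] not in brute_alerted:
                brute_alerted.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"], "host": ev["host"],
                               "count": len(recent), "ts": ev["ts"]})
        else:  # Accepted
            if len(recent) >= success_threshold:
                alerts.append({"type": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "ts": ev["ts"]})
                recent.clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

The second rule is the one a reviewer reading lines by hand tends to miss: a single "Accepted password" line looks routine until it is placed next to the five failures that preceded it from the same source. The one failure from 10.10.5.20 stays below the threshold and produces nothing, which is the noise control a manual process cannot apply consistently across thousands of lines a day.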
Another area that many companies are weak in is configuration management. I'm hopeful that we will be OK. We use standard baseline images for our Microsoft Windows, Linux and Cisco operating systems and major applications, such as Apache and Oracle, which follow most of the recommendations from the Center for Internet Security (CIS). We also have integrity-checking software that monitors when any of the configurations have changed from the initial baseline. I know the QSA will choose a sampling of identified devices (servers, firewalls, routers, etc.) and match the configuration against our defined baseline, and given our procedures in this area, I think we'll pass this portion of the audit without any problems.
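The baseline-and-drift check the QSA performs on a sampled device is simple to state: hash every configuration file at build time, keep that manifest as the baseline, and later compare the live system against it. The following is an added example, not the author's integrity-checking product or any specific tool, that does exactly that over a throwaway directory created in a temporary location. The file paths and contents (an sshd_config, an audit rule, a cron entry) are constructed for the demonstration, as is the "drift" applied between the two snapshots.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large configs or binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed between two manifests; all three lists empty means no drift."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Build a constructed config tree, snapshot it, introduce drift, and diff.
    Returns the drift report so the caller can inspect or assert on it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline content; the settings echo common hardening
        # guidance but are illustrative only.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
        _write(root, "etc/audit/rules.d/pci.rules", "-w /etc/passwd -p wa -k identity\n")
        _write(root, "etc/httpd/conf/httpd.conf", "ServerTokens Prod\nServerSignature Off\n")

        # The baseline would be stored off-box; round-trip through JSON to show
        # that the manifest is plain data, not a live handle to the files.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Simulated drift: a weakened sshd setting, a removed audit rule, an
        # unexpected cron job. The Apache config is left alone.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication no\n")
        os.remove(os.path.join(root, "etc/audit/rules.d/pci.rules"))
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add. First, a hash comparison proves only that a device still matches its baseline, not that the baseline itself follows the CIS recommendations; the QSA checks both, so the baseline images need their own review. Second, the manifest must be stored and signed somewhere the monitored host cannot write to, or an attacker who changes a file can change its recorded hash as well.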