Jul 12 2010

My “Letter to the Client”

Published by at 6:08 am under PCI

Last week another assessor friend of mine started a new blog, Fear Not the Assessor.  She started it off with an excellent post, Letter to the Client.  Almost every QSA goes into a new client with a certain sense of trepidation because of the clients' preconceived notions, and most merchants going into an assessment for the first time are nervous because they don't know what to expect; all they know is what they've read online.  That first phone call with the client is always so much fun for everyone involved.  The Letter attacks some of those notions and lists some of the steps a client should be taking before the QSA ever comes on site.  As a way of introduction, a letter like this really helps put many clients at ease, letting them know that you're there to help and not simply pass judgment on them.

Here’s a letter of my own with several more points to ponder.

Dear Client,

We’re about to start on an effort of many months of work that both of us hope will culminate in the issuance of a compliant Report on Compliance.  There will be surprises and setbacks along the way, but I’m sure that we can work together to overcome them.  My job is to help assess the security of your cardholder environment and provide you with honest feedback about your compliance with the PCI standards.  Your job is to provide me with the information I need to make that assessment.  Together we will document your environment and show that it is both secure and compliant.

Several things you should know:

  1. Securing your data and your network should be the goal and PCI is just a signpost along the way.  Please, please, please don’t make the mistake of thinking once you pass your assessment that you’re secure and you have no more work to do until next year.  PCI is a good starting point for securing your environment, but each company is so unique that there are innumerable holes it leaves open to exploitation.  And the assessment only covers your cardholder data environment: what about the rest of your network?
  2. I am judge, but I am not jury nor executioner.  I will make judgment calls on the state of your environment and I may find things I do not believe are compliant.  You may agree, or you may think your controls and safeguards are sufficient.  Make your case to me, and if we still don't agree, we can bring in other QSAs within my company to review the situation, starting with my manager.  Sometimes they'll see something I didn't.
  3. I will never leave you wondering if I found something wrong.   I will always try to let you know at the end of the day, if not at the end of each meeting, if I have any questions or concerns.  It’s in both of our best interests for me to be as transparent as possible.  The sooner you know of an issue, the sooner you can begin investigating and getting it resolved.
  4. You are my client and it is my job to help you receive a compliant RoC.  I will give you the best advice I can to help you achieve compliance.  But it is up to you to establish the policies, procedures and controls needed to reach this goal.  If I identify a requirement that is not being met, I will bring it to your attention and help you address the issue in a timely and cost-conscious manner.

Clear communication is a good salve for many of the pains an annual PCI assessment brings.  I look forward to learning about your company, your network and your people.  And I hope that the lessons I’ve learned helping dozens of companies become compliant can be used to help you avoid some of the pitfalls and false starts of compliance.


3 Responses to “My “Letter to the Client””

  1. Michelle on 12 Jul 2010 at 6:15 am

    Oh damn, those were good ones too. We could play dueling letters to clients with the amount of do's and don'ts.

    I think the best line was "I am judge, but I am not jury nor executioner." I think that sums up how "we" see our clients perfectly. I say we, because you and I both know there are QSAs and general infosec assessors among us that see themselves as judge, jury, and executioner. Gives us a bad name and hurts the client in the long run.

  2. Mister Reiner on 13 Jul 2010 at 10:20 am

    This is an excellent letter Martin. Awesome!

  3. […] My “Letter to the Client” (mckeay.net) […]
