Oct 17 2011

Think about what you want from your QSA/QSAC

Published by at 6:11 am under PCI, Security Advisories

After four years of working as a Qualified Security Assessor (QSA) for two different Qualified Security Assessment Companies (QSAC) it’s a huge relief to be able to introduce myself as a ‘recovering QSA’.  As a friend of mine pointed out, the taint of being a QSA is not something that washes off easily, it sticks with you in insidious ways, bubbling to the surface when you least expect it.  I make it sound worse than it really is, but I do find myself slipping into the mindset of “this is how you’d meet with a compliance requirement” sometimes when what I really want to say is “this is how you’d make your company more secure”.  After four years, it’s a hard habit to break.

Because of my experience as a QSA, I’ve had several people ask me for help picking out their next QSAC recently.  They want to know which company they should go with, what they should expect from the process and how to get to their Report on Compliance (RoC) as painlessly as possible.  For companies who are approaching PCI Compliance for the first time, it’s a scary proposition, because they’re painfully aware of how much they don’t know about what’s going to happen and what’s going to be required of them in the assessment.  For companies who’ve been through it before, they’re often feeling pretty smug in having last year’s RoC and underestimate the difference the QSA’s experience and understanding of the rules can make.  Companies who’ve been through the process many times understand that the specific QSA they get for their assessment is often more important than the company he or she works for.  Remember, you’re going to be assessed by that person and the company processes behind them are less important to you than their ability to understand your company.

Let’s get something out of the way:  if you simply want someone who can come in and check a bunch of boxes without understanding your infrastructure, go with the lowest bidder, someone who guarantees they’ll come in and assess your entire company in two days and phone the rest of their assessment in.  Seriously, if you’re not looking for a partner to give you advice in how to secure your environment and you just want a piece of paper with little or no increase in security, find someone who will give it to you.  Don’t look for an experienced QSA, look for one who’s relatively new to the job, one who can be bullied or fooled into agreeing with your assertions without verifying them.  We all know companies who operate on this business model exist and it’s not worth wasting your time and money if you are looking for check box compliance.  I’ve had too much experience with companies who could care less about securing their infrastructure and simply want to do the least amount of work possible to make the assessor go away.  If your company fits into that category, it’s less of a headache if everyone agrees to accept this premise and moves on. 

If you’re looking to get more out of an assessment than just a piece of paper though, you have a number of things to start considering.  How important is compliance to you versus how important is security to you?  Are your goals and your company’s goals the same?  Are you going to use the assessment to help you get funding for projects you know you need (and if not, why not)?  Is this your first assessment or have you been through several before?  Are you interested in having an on-going relationship with the QSAC and the QSA or do you want to get through this project and move on to your next headache?

It’s very important that your goals and the company goals are the same, and if they’re not, it’s even more important that you understand where they diverge and how you can use that stress to your advantage.  When the security department reports to the CFO or to a part of the organization that’s more concerned with how much money is being spent than how effective security measures are, your goals will probably be far different.  Learn to use the QSA in order to close that gap, use them as an appeal to authority.  “I know you don’t want to spend the money, but we won’t pass our assessment if we don’t” is a very powerful statement in many businesses.

Very few people conflate security and compliance at this point in time, at least that’s my hope.  But compliance can be a useful tool in getting the security tools you need in order to fulfill your commitment as a security professional to your company.  If you’re concerned with getting compliant more than you are about being secure, go back to the earlier point of simply getting the cheapest check box QSAC you can.  On the other hand, if you’re looking to be more secure when the process is complete, try to use compliance as a crowbar to pry funding from management.  Think a lot about that as you’re looking for a QSA, about how you can use the PCI DSS requirements to support your argument for new tools or additional headcount.  Your QSA can help a lot in this process, especially if his initial report comes back, especially if you both understand what you need and how it will help secure your company.  Most good QSA’s are also security professionals and get excited when you approach them as such instead of treating them like the enemy.  If you can frame the argument for a security control as a way to meet several compliance measures, your budget has a much greater chance of getting approved.

The first time you go through a PCI assessment is painful, no matter how well you think you understand the PCI DSS requirements and how to implement them.  And in many cases, the second assessment isn’t a lot easier, since it’s been 8-12 months since your previous assessment and you’ve let a number of the requirements slip without realizing it.  Look at the 2011 Verizon PCI Report and you’ll realize that this is exactly what happens to far too many companies.  Year over year numbers around maintaining compliance are actually a bit depressing when you read into them; you’d hope that getting controls in place were the hard part, but really, it’s the maintenance of controls that is the hard part for most companies to do.  It makes sense in some ways, since it’s easier to concentrate on getting an IDS or log management solution set up than it is to monitor it on a daily basis.  Let this thought sink in as you’re looking for a QSA:  just because you were compliant last year doesn’t mean your teams have properly maintained the tools over time.

All too often, the goal of companies is to get the assessor in and out as quickly and painlessly as possible.  But is this really a good use of the resources you have at your disposal?  While compliance seems like a once a year exercise, it’s really a year round commitment; it’s just that your compliance is going to be assessed once a year.  The assessment represents a point in time view of your work, but in the long run, you’re going to be judged by what you do when the QSA isn’t there much more than you’ll be judged by what you do while she’s on-site.  If you have a QSA that you understand and can work with, it helps to have a relationship that you can use to call them up when you have a question.  Most QSA’s get to see a dozen or more different environments a year and asking them how other companies meet with a requirement can help steer you in the right direction to be more secure or save money.  If your QSA is a security professional first, they may be able to tell you how to meet a compliance requirement with a non-traditional technology. This may not be something you’re interested in, but using your QSA as a trusted adviser rather than an enemy of the state can make maintaining compliance easier throughout the year and passing your next assessment much easier.  It may cost you slightly more in the short term but can have a long term return on investment.

These are all things you should be considering before you ever start talking to a QSAC and interviewing QSA’s.  Know what you want to get out of the relationship with them and it will make the process much clearer, or at least give you something to base your decisions upon along the way.  When you’re just looking for the piece of paper, go cheap and save your money for what really matters to you.  But if you want to use compliance as a means to becoming more secure, it’s going to change your whole process and how you’re going to frame questions when you interview your QSA before you choose one.  You are planning to interview a number of QSA’s, not just accept the one the company sends you after all, aren’t you?

2 Responses to “Think about what you want from your QSA/QSAC”

  1. Olin Hyde on 18 Oct 2011 at 8:35 am

    Are you aware of any QSAC or QSA’s that are using machine learning approaches to detect security vulnerabilities? See: http://www.slideshare.net/ai-one/machine-learning-for-cyber-security-public-version-11-oct-11

  2. Sampat on 20 Oct 2011 at 8:46 am

    I totally agree with your comments and am happy that I have other QSA who has similar views. Unfortunately I came to know about you and your blogs only after you left last firm and could not work with you. Anyways, I am happy to follow your blog and podcasts, keep writing and sharing your views.
