It is impressive to be technically sound and to have state-of-the-art equipment to protect your network and valuable data. But even the most expensive equipment and the most sophisticated knowledge in the company isn’t enough to get you through the PCI-DSS compliance process.
Why is documentation so important in PCI DSS?
You need to be as good with documentation as you are with the technical and physical aspects. In fact, the documents should be the blueprint of your technology and environment. More than 45% of PCI-DSS requirements include a documentation component in the form of written policies, diagrams, guidelines, or checklists.
Producing a document that defines and explains your company and business is one of the most important parts of the PCI-DSS compliance process. The document has to match the actual environment configuration and your work practices, which is a challenge. If there is a mismatch during the audit process, it becomes a big pain. Therefore, it is wise to start with documentation at the same time as you start setting up your environment for PCI-DSS, ideally even beforehand. However, the documentation is not just about writing the policy, procedure, roles and process. You actually have to follow it!
Policies and procedures are very specific to the company and should be driven and enforced by the personnel who are involved with them on a daily basis. If you get help from a third party, they need to work very closely with your company to be able to produce accurate documentation. Further, make sure that the documentation matches your environment and working style. Policies and procedures are the most important and the most time-consuming part of the audit – they are the actual hard evidence to prove that your framework is up to the mark.
Policies and procedures should be straightforward and easy to understand. Having said that, there will always be confusion and different interpretations, and you have to constantly improve them. This is not rare; it is actually very normal.
Some guidelines regarding policies and procedures to keep in mind:
- Try to cover as many areas of your company as you can.
- Define policies, processes and working style in depth.
- Define and explain how they are implemented.
- Explain your working standards and back them up with reliable resources and knowledge.
- Be open-minded and clear with your business justifications, especially if it is for a QSA.
- Try to break policies down into separate documents specific to their nature, or else you will end up updating and releasing a new version of one big document all the time.
- Define roles and identify each role's assigned duties.
Having a nice-looking and well-defined policy and procedure document is good, but not good enough. You MUST also enforce these policies and procedures as a routine, which is what an audit is all about: excelling not only on paper but also in the real world.