It is impressive to be technically sound and to have state-of-the-art equipment to protect your network and valuable data. But the most expensive equipment and the most sophisticated knowledge in the company isn’t enough to get you through the PCI-DSS compliance process.
You need to be as good with documentation as you are with the technical and physical aspects. In fact, the documents should be the blueprint of your technology and environment. More than 45% of PCI-DSS requirements demand that you fulfill documentation requirements in the form of written policies, diagrams, guidelines, or checklists.
Producing a document that defines and explains your company and business is one of the most important parts of the PCI-DSS compliance process. The document has to match the actual environment configuration and your work practices, which is a challenge. If there is a mismatch during the audit process, it becomes a big pain.
Therefore, it is wise to start with documentation at the same time as you start setting up your environment for PCI-DSS, ideally even beforehand. However, the documentation is not just about writing the policies, procedures, roles and processes. You actually have to follow them!
Most companies think that documenting is easy. It is common to let a third party do it for you, and another approach, which I seriously dislike, is to purchase it from the Internet.
In my opinion, policies and procedures should be written and enforced by CSOs and match your environment and working style. In the case of a third party, they need to work very closely with your company to be able to produce accurate documentation.
In my opinion, policies and procedures are very specific to the company and should be driven and enforced by the personnel who are involved with them on a daily basis.
From my point of view, policies and procedures are most important during the audit and the most time consuming – they are the actual hard evidence to prove that your framework is up to the mark.
Policies and procedures should be straightforward and easy to understand. Having said that, there will always be confusion and different interpretations, and you have to constantly improve them. This is not rare; it is actually normal in my experience.
Some guidelines regarding policies and procedures to keep in mind:
- Try to cover as many areas of your company as you can.
- Define policies, processes and working style in depth.
- Define and explain how they are implemented.
- Explain your working standards and back them up with reliable resources and knowledge.
- Be open-minded and clear with your business justifications, especially when they are for a QSA.
- Try to break policies down into separate documents specific to their nature, or else you will end up updating and releasing a new version of one big document all the time.
- Define roles and identify each role's assigned duties.
Having a nice-looking and well-defined policy and procedure document is good, but not good enough. You MUST also enforce these policies and procedures as a routine, which is what an audit is all about, to excel not only on paper but also in the real world.