For planning compliance with the Payment Card Industry Data Security Standard (PCI DSS), the PCI Security Standards Council (SSC) supplies a document that provides excellent foundational advice for both overall cybersecurity, and PCI DSS compliance. Organizations may already be aware of it, but regardless, it is a useful resource. And, it is interesting to read with Continuous Controls Monitoring (CCM) in mind.
The document lists 10 Recommendations for best practices which are useful, not just for PCI DSS compliance, but for overall security and compliance with organizational policies as well as frameworks and regulations to which the entity is subject. The best practices place a strong emphasis on ongoing, continuous compliance. That is, for organizations “to protect themselves and their customers from potential losses or damages resulting from a data breach, they must strive for ways to maintain a continuous state of compliance throughout the year rather than simply seeking point-in-time validation.”
While the immediate goal may be to attain a compliant Report on Compliance (ROC), that immediate goal, and the longer-term viability of the security program, are aided by establishing a program around continuous compliance and the ability to measure it.
Here are the SSC’s 10 Best Practices for Maintaining PCI DSS Compliance:
- Develop and Maintain a Sustainable Security Program
- Develop Program, Policy, and Procedures
- Develop Performance Metrics to Measure Success
- Assign Ownership for Coordinating Security Activities
- Emphasize Security and Risk Management to Attain and Maintain Compliance
- Continuously Monitor Security Controls
- Detect and Respond to Security Control Failures
- Maintain Security Awareness
- Monitoring Compliance of Third-Party Service Providers
- Evolve the Compliance Program to Address Changes
Some detail around the 10
The first recommendation, “Develop and Maintain a Sustainable Security Program” is short, but notes that, “Any cardholder data not deemed critical to business functions should be removed from the environment in accordance with the organization’s data-retention policies… In addition, organizations should evaluate business and operating procedures for alternatives to retaining cardholder data.” Outsourcing the processing of cardholder data to entities that specialize in this work is an option that many organizations take. When that is not a viable option, minimizing the amount of data collected, and securely deleting it as specified in the organization’s data retention policy is the next best option.
“Develop Program, Policy, and Procedures” is the second recommendation. Along with developing and maintaining these documents, accountability must be assigned “to ensure the organization's sustainable compliance.” Additionally, PCI DSS v4.0 has a requirement under each of the twelve principal requirements stating that “Roles and responsibilities for performing activities” for each principal requirement “are documented, assigned, and understood.” If this role does not already exist, something for organizations to consider would be designating a “compliance champion” for each business unit. The compliance champions could work with their management to assume accountability for the control compliance for assets and staff assigned to the business unit.
“Develop Performance Metrics to Measure Success” follows. This recommendation includes “Implementation metrics” (which measure the degree to which a control has been implemented, and are usually described as percentages), and “Efficiency and Effectiveness Measures” (which evaluate attributes such as completeness, consistency, and timeliness). These metrics show if a control has been implemented over the expected range of the organization’s assets, if it has been implemented consistently, and is being executed when expected. These metrics play a key role in assessing compliance in a continuous way.
Measurement of implementation metrics and effectiveness metrics for completeness and consistency are core components of DataBee for CCM. For example, in the case of Asset Management, users can see if assets in scope for PCI DSS are flagged as being in scope correctly, if the asset owner is accurate, and if other data points such as physical location are present. The ability to see continuously refreshed data on a CCM dashboard, as opposed to having to create a point in time report, or have the knowledge to access this data through a product specific portal, makes it practical for teams to see accurate metrics in an efficient way.
The fourth recommendation is to “Assign Ownership for Coordinating Security Activities.” An “individual responsible for compliance (a Compliance Manager)” is the main point of this recommendation. However, the recommendation notes that Compliance Manager should be “given adequate funding and resources… and granted the proper authority to effectively organize and allocate such resources.” The effective organization of resources could include delegating tasks throughout the organization to managers over units within the larger organization. This recommendation ends by noting that the organization must ensure that “the goals and objectives of its compliance program are consistently achieved despite changes in program ownership (i.e., employee turnover, change of management, organization merger, re-organization, etc.). Best practices include proper knowledge transfer, documentation of existing controls and the associated responsible individual(s) or team(s).”
Using the DataBee for CCM dashboards to assign accountability for assets and staff to the appropriate business units helps with this recommendation.
- It clarifies the delegation of responsibility for assets and staff to the business unit’s management.
- Furthermore, it would help drive the effective achievement of objectives of the compliance program during transitions in the Compliance Manager role.
- Delegation of control compliance to the business unit’s management would enable them to continue with their tasks while a new Compliance Manager is hired and during the time needed for the Compliance Manager to adjust to their role.
“Emphasize Security and Risk Management to Attain and Maintain Compliance,” the fifth recommendation asserts that “PCI DSS provides a minimum set of security requirements for protecting payment card account data…,” and that “Compliance with industry standards or regulations does not inherently equate to better security.”
This point cannot be emphasized highly enough: “A more effective approach is to focus on building a culture of security and protecting an organization’s information assets and IT infrastructure and allow compliance to be achieved as a consequence.” The ongoing measurement of control implementation by CCM supports a culture of security. Organizations can use the information provided by DataBee for CCM to not only enable continuous reporting, but through it to support continuous remediation of control failures.
The next recommendation, “Continuously Monitor Security Controls,” describes how “the use of automation in both security management and security-control monitoring can provide a tremendous benefit to organizations in terms of simplifying monitoring processes, enhancing continuous monitoring capabilities, and minimizing costs while improving the reliability of security controls and security-related information.”
Ongoing monitoring of data that is frequently refreshed can be a core component for ongoing compliance. Ultimately, implementing a continuous controls monitoring program will help reduce extra workload as the PCI DSS assessment date approaches. DataBee for CCM is a tool that supports the necessary continuous monitoring.
The seventh recommendation, “Detect and Respond to Security Control Failures,” applies to two situations:
- controls which have failed, but with no detectable consequences, and
- control failures that escalate to security incidents.
PCI SSC notes that, “The longer it takes to detect and respond to a failure, the higher the risk and potential cost of remediation.” Continuous monitoring can help the organization to reduce the time it takes to detect a failed control.
Recommendation eight, “Maintain Security Awareness” speaks to the need to train the workforce, especially regarding how to respond to social engineering. Security training, both for the staff in general and role-based training for specific teams, is one of the requirements that DataBee for CCM reports on through its dashboards.
Recommendation nine is “Monitoring Compliance of Third-Party Service Providers,” and ten is “Evolve the Compliance Program to Address Changes.” A robust compliance program that is in place throughout the year can be more capable of evolving and adapting to change than an assessment focused program that allows controls to drift out of compliance between assessments. Continuous monitoring is key for combating compliance drift once an assessment has been completed.
After the ten recommendations, the main body of the document concludes with a section about the “Commitment to Maintaining Compliance.” Two of the key actions for maintaining continuous compliance are, “Assigning responsibility for ensuring the achievement of their security goals and holding those with responsibility accountable,” and “Developing tools, techniques, and metrics for tracking the performance and sustainability of security activities.” DataBee for CCM enables both these tasks.
The main theme of the “Best Practices for Maintaining PCI DSS Compliance” is that continuous compliance with PCI DSS that is maintained throughout the year is the goal. Ultimately, this helps improve the overall security posture of the organization. Making the required compliance activities business as usual tasks that are continuous throughout the year can also help with the specific goal of achieving a compliant result for a PCI DSS assessment when it comes due.
How DataBee for CCM fits in
We envisioned and realized DataBee for CCM as a fantastic fit for an evolving compliance program. Using the DataBee dashboards, with their continuously updated information that can be accessible to everyone who needs to see it, help free up time for GRC and other teams to focus on the evolution of the cybersecurity program. Given the rapid change in the cyber-threat landscape, and the frequent changes in security controls and regulatory requirements, turning report creation over to CCM to give time back to your people for higher value work is a win for your organization.
DataBee for CCM helps by providing consistent data to all teams, GRC, executive management, business management, IT, etc., so that everyone is working from the same information. This helps to delegate control compliance, and clearly identify accountable and responsible parties. Furthermore, DataBee for CCM shows executives, GRC, business managers and others content for multiple controls, from many different tools, through a single interface (as opposed to GRC needing to create multiple reports, or business managers and others having to create their own, possibly erroneous, reports). Additional dashboards can be created to report on other controls that are in scope for PCI DSS, such as secure configuration, business continuity, and monitoring the compliance of third-party service providers. Any control for which data is available to create useful dashboard content is a candidate for a DataBee for CCM dashboard.