10 Things you can do to pass a PCI-DSS Audit – lesson 10

A full blown security and ICT audit for your business is an all hands on deck process. You need to make sure that all of the business requirements are in place well and truly before you call in the auditor. Problems arise for any business when it starts to accept payment by credit card or PayPal. The moment you start receiving those types of payments, your security and compliance requirements escalate substantially.

Furthermore, if you are gathering clients' information, especially personal information, social security or tax file numbers, then you need to be sure that the information is safe. Your compliance requirements also have to be in place if your business audit is to be successful.

How do you go ahead and make sure that you will pass a compliance audit?

Be selective about the auditor – don’t pick the first available.

Just like any profession, there are good and bad in the auditing profession. Some are just there to make money, others are there because they care about what they do and they care about their clients. To get a good auditor means you have to do a little leg work. You have to check references, you have to talk to their clients and you have to make sure that they are the best you can afford.

Without the background checks you are exposing yourself to a failed security audit, whether it is a PCI-DSS audit or any other type. A failed audit translates to a large loss of money for your business.

Do a Pre audit assessment

If you do not know what a security audit is going to entail then you need to find out. You need to make sure that not only the people involved in the process know what they have to do, but you also need to ensure that the board and management are included in the planning and the execution of the audit itself.

You need to make sure that all components and requirements are in place before you call in the auditor; the internal planning and testing is critical to a successful audit.

Get a Pre audit checklist

To make sure that you are including everything in your pre-audit process you need some level of documentation to ensure that you do not miss anything. This is a basic pre-audit checklist.

To make sure that your business will succeed with an audit you need to know what the audit will focus on. The audit process is an in-depth look at how you do business, where you do business and what protection you have in place to secure your business and its critical information.

Document, documentation and more documents

Most businesses do not understand the actual documentation that is required to pass a compliance audit.

Everything has to be documented. You have to document processes, procedures and policies. You have to document your disaster recovery and business continuity plan. You have to document all of the working components of your business. This includes full documentation of your ICT infrastructure and how everything is set up. That alone is huge.

Do not assume (makes an ass out of u and me)

To pass a compliance audit your business needs to know what is going to happen. The whole process is intrusive; there is no hiding from it. On top of that, everyone in the business needs to understand what is going to happen, what the auditors are going to look at and why they are involved. It is not just a management process, although management will be the priority focus to start.

If the management team does not understand what is being audited and why, then the audit will result in a failed grade. Being a whole of business process, the culture and resilience of the business will come into play. Make the exercise FUN, different and get everyone involved, and you will be surprised how much the business will improve as well as become more compliant.

Centralise your data and information

This is critical for any small and medium business and not for profit organisation. If your data is all over the business there are two problems: one, it is hard to find, and two, it is hard to protect.

Your data should be centralised into the fewest places possible. Internal working data, cloud based services, off site storage and road warrior information need to be reduced to as few locations as possible to facilitate better protection of the information. Once centrally located, accessibility and confidentiality can be enforced through better audit practices and reporting systems.

Separate your network and its segments

Most small and medium businesses and not for profit organisations have a flat network. That is to say all of the computers, laptops, smart devices and servers are on the same network. Once inside your defences there is very little segmentation protection.

If you separate your management systems, your main work systems, your wireless / VPN and your front facing server systems into separate networks, you have more control and better security over the main network. By separating main access to hard wired systems and all other access to separate networks you have better control and reporting systems in place. A compromised system cannot affect other components of the business.
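As an added illustration of the segmentation described above (example code written for this page, not from the original post), the following Python script models the four segments named in the text as hypothetical address ranges and checks a few constructed flow-log lines against an allow-list of permitted cross-segment flows; any flow between segments that is not explicitly allowed is reported as a segmentation violation.

```python
import ipaddress
# Hypothetical address plan for the four segments named in the text (assumed).
SEGMENTS = {
    "management": ipaddress.ip_network("10.0.10.0/24"),
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "wireless_vpn": ipaddress.ip_network("10.0.30.0/24"),
    "front_facing": ipaddress.ip_network("10.0.40.0/24"),
}

# Permitted cross-segment flows: (source segment, destination segment, dport).
# Anything not listed is a violation, so the default between segments is deny.
ALLOWED = {
    ("management", "workstations", 22),     # admins manage workstations over SSH
    ("management", "front_facing", 22),     # admins manage public-facing servers
    ("workstations", "front_facing", 443),  # staff use the web front end
    ("wireless_vpn", "front_facing", 443),  # wireless/VPN users use the web front end
}

def segment_of(ip):
    """Return the segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow_log(lines):
    """Parse 'src=... dst=... dport=...' lines into (src, dst, port) tuples."""
    flows = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        flows.append((fields["src"], fields["dst"], int(fields["dport"])))
    return flows

def check_flows(flows):
    """Return cross-segment flows that the allow-list does not permit."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d and (s, d, port) not in ALLOWED:  # intra-segment traffic is out of scope
            violations.append((s, d, port, src, dst))
    return violations

# Constructed sample flow-log lines (not from the page) to exercise the check.
SAMPLE_LOG = [
    "src=10.0.10.5 dst=10.0.40.7 dport=22",    # management -> front-facing: allowed
    "src=10.0.20.15 dst=10.0.40.7 dport=443",  # workstation -> front-facing: allowed
    "src=10.0.40.7 dst=10.0.10.5 dport=22",    # front-facing -> management: violation
    "src=10.0.30.9 dst=10.0.20.15 dport=445",  # wireless/VPN -> workstation: violation
]
```

Running `check_flows(parse_flow_log(SAMPLE_LOG))` returns the two disallowed flows, which is the kind of evidence of enforced segmentation an auditor will want to see alongside the network diagram.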

Technology is only one component of your business security

There is no single widget that will protect your business, although the sales hype will tell you otherwise. Protecting your business is a framework of the following components – technology, sustainability, management and compliance.

All four components have to work as a cohesive unit to protect your business. There is no one panacea that will save your business from every eventuality, but if each individual area does its part then you will be more secure. It always reminds me of my Navy days: all systems, units and crew working to complete the task. Solutions to the tasks depend on what components will be used and in what way.

Don’t trust the first provider you come across

Like any other endeavour, you need to look around for the best auditor for your business. This is not usually price related. A compliance audit can take from 5 – 60 days to complete, so you also need to make sure that you can work with them over an extended period of time.

You also need to check their credentials: a full blown PCI audit needs to be signed off by an approved auditor, so there is no point investing in the audit process when the auditor cannot give you the required authorisation at the end.

It’s just never finished

The problem with PCI audits is that they have to be completed regularly. You need to make sure that once you achieve the required level of compliance you can stay there. To stay there, repeat the first nine processes. Almost like the shampoo instructions: rinse and repeat.

The complete process for compliance is a long, drawn out involvement by all people in the business. The investment in time and money is substantial, but it is vital to ensure that your business is doing everything that it can to protect your clients' vital information.