Coming from several large corporations that needed to attest to PCI DSS compliance annually, as well as being a QSA in a few former lives, I’ve seen my fair share of the post-audit slump. You know what I’m talking about; it’s the, “Wow! We completed our audit! Let’s take the next 11 months off to focus on other business needs and we’ll ramp back up during month 11.” Sure, you may not word it exactly like that, but more often than not that’s exactly what happens.
There are a couple of major problems with “taking a break” after an audit. Firstly, in the case of PCI DSS, there are daily requirements to meet: log review being the frontrunner. On more than one occasion I’ve assessed a company several years in a row, and usually between the first and second year the company has had trouble proving they do daily log review – especially if they’re not really setting up alerts around it. The more humorous ones are the SIEM/SOC folks who have a daily digest sent to a folder in their mailbox. I’ll show up on year two and find 300-something unread emails.
The other major issue with relaxing after an audit comes down to the fact that these audits are certifications for a point in time. Again referencing PCI DSS, when a company receives their certification – all that’s saying is that, on “that day” (or during the time the audit was performed) the company was found to be compliant. Building on the previous scenario with log review, if the company doesn’t review logs, then the day after they receive their Report on Compliance (ROC) they’re technically not compliant any longer. We’ve seen this play out in several breaches over the years: $COMPANY has a compliant ROC, breach occurs, the PCI Council sends in their forensic team (at significant cost to the company), and the company was found to be not compliant at the time of the breach. Before the breach? Yes! During the breach? No.
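The two paragraphs above describe the same evidence problem from two angles: a daily digest that lands in a mailbox is not a daily review, and a review that cannot be documented for every day since the ROC leaves a gap an assessor (or a forensic team) will find. The following is an added example, not code from the original post or from any PCI tool, that turns that idea into a check a SOC could run over its own review ledger. It assumes the SIEM emits one digest per day and that the team records who acknowledged each digest and when; the record shape, the field names and the sample data are all constructed for this example.

```python
"""
Daily log-review evidence check (added example, not from the original post).

Assumption: the SIEM generates one digest per calendar day, and the review
team records who signed off on it and on which date. A digest with no
acknowledgement is exactly the "unread email in a folder" case; a missing
digest means the collection pipeline itself failed; a very late sign-off
cannot honestly be called a daily review.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DailyDigest:
    day: date                        # the day of logs the digest covers
    acknowledged_by: Optional[str]   # reviewer who signed off, None if unread
    acknowledged_on: Optional[date]  # date of the sign-off, None if unread


def days_between(start: date, end: date) -> List[date]:
    """Every calendar day from start to end, inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def evidence_gaps(digests: List[DailyDigest], start: date, end: date,
                  max_lag_days: int = 1) -> Dict[date, str]:
    """Classify every day in [start, end] that is not clean evidence.

    Findings:
      'no_digest' - nothing was generated for that day (pipeline failure)
      'unread'    - digest exists but nobody signed off on it
      'late'      - signed off more than max_lag_days after the day it covers
    Days with a timely, named sign-off are omitted from the result.
    """
    by_day = {d.day: d for d in digests}
    findings: Dict[date, str] = {}
    for day in days_between(start, end):
        digest = by_day.get(day)
        if digest is None:
            findings[day] = "no_digest"
        elif digest.acknowledged_by is None or digest.acknowledged_on is None:
            findings[day] = "unread"
        elif (digest.acknowledged_on - day).days > max_lag_days:
            findings[day] = "late"
    return findings


def unread_backlog(digests: List[DailyDigest]) -> int:
    """How many digests are currently sitting unacknowledged."""
    return sum(1 for d in digests if d.acknowledged_by is None)


def longest_clean_streak(findings: Dict[date, str], start: date, end: date) -> int:
    """Longest run of consecutive days with clean evidence in [start, end]."""
    best = run = 0
    for day in days_between(start, end):
        run = 0 if day in findings else run + 1
        best = max(best, run)
    return best


def is_compliant(findings: Dict[date, str]) -> bool:
    """Compliant for the window only if no day produced a finding."""
    return not findings


def report(findings: Dict[date, str]) -> str:
    """One line per finding, oldest first, suitable for an escalation ticket."""
    return "\n".join(f"{day.isoformat()}: {kind}" for day, kind in sorted(findings.items()))


# Constructed sample: one week of digests with each failure mode present.
WINDOW_START = date(2024, 3, 4)
WINDOW_END = date(2024, 3, 10)
SAMPLE_DIGESTS = [
    DailyDigest(date(2024, 3, 4), "analyst-a", date(2024, 3, 4)),   # clean
    DailyDigest(date(2024, 3, 5), "analyst-b", date(2024, 3, 5)),   # clean
    DailyDigest(date(2024, 3, 6), "analyst-a", date(2024, 3, 9)),   # late sign-off
    # 2024-03-07: no digest at all (pipeline failure)
    DailyDigest(date(2024, 3, 8), None, None),                      # unread
    DailyDigest(date(2024, 3, 9), "analyst-b", date(2024, 3, 9)),   # clean
    DailyDigest(date(2024, 3, 10), "analyst-a", date(2024, 3, 11)),  # next day, still ok
]

if __name__ == "__main__":
    gaps = evidence_gaps(SAMPLE_DIGESTS, WINDOW_START, WINDOW_END)
    print(report(gaps))
    print("unread backlog:", unread_backlog(SAMPLE_DIGESTS))
    print("longest clean streak (days):", longest_clean_streak(gaps, WINDOW_START, WINDOW_END))
    print("window compliant:", is_compliant(gaps))
```

Run daily, the `unread` and `no_digest` findings are the alert the post says most shops never set up: a digest nobody opened should page someone the next morning, not be discovered a year later by the assessor. The clean-streak number is the honest answer to "can you document every day since the ROC?".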
Companies that must adhere to regulatory compliance would be better off adopting the mindset that PCI DSS is a lifestyle change – quite similar to somebody who’s trying to lose weight or become more physically fit. If you were to work tremendously hard for a year in the gym and eat properly, there’s a good chance you would reach a realistic goal set for yourself. If, after you reached that goal, you decided to only go to the gym twice a week and eat fast food five times a week for the next 11 months, you probably wouldn’t stay in the same shape. The same principle applies to compliance after an audit.
Building checklists for each department and for each time period (weekly, monthly, quarterly, annually) lets you break the tasks into chunks, rather than spending month 11 in a whirlwind of screaming and worrying. Sitting down with each department and building those checklists also gets those departments invested in the process, rather than seeing it as a hindrance to their core activities one month a year.
There needs to be buy-in from the top down in the organization. The folks at the top really need to understand how critical compliance is to their business. When performing the audit, it will become apparent how “bought-in” the executives are. Without sufficient spending, attention, and delegated authority, security and compliance will fail. Without top-down buy-in, nobody in the company will make compliance a priority, dooming the audit to fail. So make sure that there is a champion in the executive ranks who understands why this is important. Spend the time to explain, to be available to discuss, and to build the business case for why this is a year-long activity, not just a one-month freakout.
Game plan on how to sustain the model
One recommendation I’ve given to several companies that seems to help quite a bit is to have a monthly check-in with the core group of folks involved in the audit: a quick run-through of a checklist of what should be done by the end of the month, with a status (red, yellow, green) on each item. If there are roadblocks, talk about them as a group and about what can be done to overcome them. Checking in quarterly with your auditor can also go a long way – there may be something that slipped through the cracks that the auditor can remind you about completing and/or fixing.
Compliance, like security, is an ongoing exercise. Pentests and audits are point-in-time. But compliance and security happen year round. If you don’t pay attention all year, you may pass a pentest 6 months from now. But you may have been breached for 5 of those months. Same for compliance. You may pass an audit 6 months from now, but if that breach happens, and you can’t document all 6 of those months, your cyber insurance may not pay out, your customers might leave, and your PCI compliance status may be retroactively retracted. Not fun. Ongoing. Simple word. Lots of work.