If there’s one word that comes up a lot when we talk about compliance, it’s audit. Everyone’s thinking about that looming PCI 2015 audit, when they’ll be judged on their compliance with the new PCI 3.0 regulations. After that, their thoughts will turn to their 2016 audit and so on. This makes sense – audits are a big deal. But here’s something else that’s important: staying compliant between audits.
Let’s talk cars for a minute. If you drove around with the speedometer, gas gauge or other warning lights covered up one day, you’d be operating at a disadvantage. Now imagine that you only saw that information when you serviced your car at the dealer or went in for an oil change. Given that you drive your car every day, seeing that critical data just a few times a year could put you and your car at risk.
Well, it’s not all that different when it comes to managing your infrastructure between audits. Think of it this way: attackers are well aware that audits only occur once or twice a year. They count on you relaxing between audits, and that’s when they make their move. Staying on top of compliance throughout the year has another benefit too: it reduces the pre-audit panic during crunch time, because you’ll already be in good shape.
The following four practices should help you stay aligned with compliance standards day in and day out – the IT version of being a safe driver.
Lead with security.
We’ve said before that security should always lead compliance. Remember, meeting compliance regulations alone does not keep you safe; your organization needs to respond to the daily changes of the security landscape and not just a regulatory institution. By focusing on security and developing a program built to safeguard against all threats, you will already be ahead of the compliance game.
Monitor now, monitor tomorrow and then monitor some more.
We know that constant monitoring can be time-consuming and costly – but it’s still more enjoyable than a breach. Daily log reviews can spot abnormalities so you can deal with them before they become problems; patching monthly can mean the difference between a small leak that’s easily corrected and a brand-destroying disaster. Monthly vulnerability scans will go far toward preventing attacks as well. Also consider reviewing access on a quarterly basis. Do your users have the privileges appropriate to their function? Reviewing access can reduce your compliance scope and help ensure data integrity.
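To make the daily log review and the quarterly access review concrete, here is a small Python script written as an added example for this post (it is not tooling from the original article or from any vendor). It assumes a hypothetical key=value authentication log format, uses constructed sample log lines and a constructed role-to-privilege baseline, and treats the failure threshold and the business-hours window as assumptions you would tune to your own environment. The log review flags repeated failed logins from one source and privileged logins outside business hours; the access review flags any privilege a user holds beyond what their job function is supposed to have.

```python
"""Added example: lightweight year-round compliance checks.

All data below is constructed for illustration; the log format, the
thresholds and the role baseline are assumptions, not a real standard.
"""
from collections import Counter
from datetime import datetime

# Constructed sample auth log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2015-03-02T02:14:07 host=db01 user=root action=login result=success src=10.0.5.23
2015-03-02T09:01:11 host=web01 user=alice action=login result=success src=10.0.1.8
2015-03-02T09:02:30 host=web01 user=bob action=login result=failure src=203.0.113.9
2015-03-02T09:02:41 host=web01 user=bob action=login result=failure src=203.0.113.9
2015-03-02T09:02:52 host=web01 user=bob action=login result=failure src=203.0.113.9
2015-03-02T09:03:03 host=web01 user=bob action=login result=failure src=203.0.113.9
2015-03-02T09:03:14 host=web01 user=bob action=login result=failure src=203.0.113.9
2015-03-02T10:30:00 host=db01 user=carol action=login result=success src=10.0.1.9
"""

FAILURE_THRESHOLD = 5          # assumption: this many failures from one source is worth a look
PRIVILEGED_USERS = {"root", "admin"}
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 local time


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return rec


def review_logs(log_text):
    """Daily log review: return a list of (finding_type, detail) tuples."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("result") == "failure":
            failures[(rec["user"], rec["src"])] += 1
        # A privileged account logging in outside business hours deserves a second look.
        if rec.get("user") in PRIVILEGED_USERS and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_privileged_login",
                             f"{rec['user']}@{rec['host']} from {rec['src']} at {rec['ts'].isoformat()}"))
    for (user, src), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated_failed_logins", f"{user} from {src}: {n} failures"))
    return findings


# Constructed role baseline: the privileges each job function should hold.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:write", "db:admin"},
    "support": {"ticket:read", "ticket:write", "customer:read"},
}

# Constructed snapshot of what the directory or IAM system currently grants.
CURRENT_GRANTS = {
    "alice": {"role": "developer", "privs": {"repo:read", "repo:write", "ci:run"}},
    "bob":   {"role": "developer", "privs": {"repo:read", "repo:write", "ci:run", "db:admin"}},
    "carol": {"role": "dba", "privs": {"db:read", "db:write"}},
    "dave":  {"role": "support", "privs": {"ticket:read", "customer:read", "repo:write"}},
}


def review_access(grants, baseline):
    """Quarterly access review: map each user to the privileges they hold beyond their role."""
    excess = {}
    for user, info in grants.items():
        allowed = baseline.get(info["role"], set())
        extra = info["privs"] - allowed
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    for kind, detail in review_logs(SAMPLE_LOG):
        print(f"[log] {kind}: {detail}")
    for user, privs in review_access(CURRENT_GRANTS, ROLE_BASELINE).items():
        print(f"[access] {user} holds privileges outside role baseline: {privs}")
```

Run against the constructed data, the log review reports the 02:14 root login on db01 and the five failed logins for bob from 203.0.113.9, and the access review reports that bob holds db:admin and dave holds repo:write outside their roles. Note that it only flags excess privilege; carol lacking db:admin is a provisioning question, not a compliance finding, so it is left alone.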
Check in with your provider.
Since you ultimately have the final responsibility for your compliance, it’s important to practice clear communication with your provider. Ask if they’ve moved beyond PCI 2.0 compliance and are current with (or transitioning to) PCI 3.0. Be sure any new threats or changes are addressed in your agreements, and that you’re clear on who’s handling what responsibility. Even if everything looked good at your last audit, a lot can change over the course of a year. Be sure you still have visibility into your provider’s security controls and practices.
Stay current on standards and security threats.
Attack methods and trends can change dramatically in a short period of time. Just as PCI regularly updates its recommendations based on evolving industry events, your team should stay informed on new threats and patterns in cybercrime. Stay proactive and adjust your controls accordingly based on the latest industry knowledge.
With all of the compliance work you’ve been doing this year, you might have hoped to take a vacation from anything related to PCI for a while. But when you think of all the effort you’ve put in, it’d be a shame to let it go to waste after your 2015 audit – so keep your controls up to date throughout the year, and you’ll stay strong and protected between audits.