A framework to replace PCI?

There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

  • Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
  • Work from a prioritized baseline of information security measures and controls.
  • Most controls must be automated – there is no way for an organization to cost-effectively defend itself with manual controls.
  • Measure the effectiveness of controls – automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without first establishing context. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.

Should PCI assessors also sell remediation products?

A few days ago, Rich Mogull at Securosis raised the question of whether PCI assessment firms should sell the products needed to remediate the gaps their assessors find. Rich posed this question in light of Trustwave’s acquisition of yet another company, Breach, that sells products used to meet PCI regulatory requirements.

Rich, of course, was very diplomatic, but considering the level of ambiguity in the PCI regulations, the temptation for collusion between assessors and consultants who implement PCI controls cannot be ignored.

Rich is careful to point out that Trustwave is not doing anything unlawful or even unethical since the PCI Council “shows no interest in controlling conflicts of interest…”

Just as the big accounting firms were forced to divest their consulting arms, companies should not be able to both perform PCI assessments and provide remediation products and services. Let me point out that not all assessors do remediation. And let me also point out that Cymbel is not an assessor, and provides products and services which are used to meet PCI regulations.