PCI gap and business process flow
CASE STUDY
A large, multinational corporation approached RSM with a number of complex challenges. Although the company maintains a significant U.S. operating and information technology (IT) presence, including several large U.S. data centers, its U.S. IT and security functions had traditionally been managed by international staff. That arrangement offered some cost advantages and a nominally consistent process, but the client decided to hire several dedicated U.S. managers to establish a hands-on management presence in the United States and gain better visibility into the security processes that support Payment Card Industry (PCI) compliance.
Management soon realized the new employees required a significant amount of time to get up to speed with the company’s environment.
RSM was engaged to perform a PCI gap assessment. Before coming on-site, we helped the client define engagement goals, reviewed high-level engagement activities with key personnel and established time frames.
Once on-site, RSM documented the PCI business process and its supporting technologies, including every point at which cardholder data (CHD) was introduced into the environment. This allowed us to:
- Identify data elements used when storing, processing or transmitting CHD
- Identify where CHD was stored, processed or transmitted
- Map PCI processes to supporting technical infrastructure
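The discovery step above (finding where CHD is stored or leaks into places it should not be, such as application logs or ticket exports) is usually backed by a data-discovery scan. The following Python is an added example written for this page, not a tool used in the RSM engagement: it scans constructed sample lines for candidate card numbers, confirms each with the Luhn check so that order numbers and other long identifiers are not reported as PANs, classifies the issuer by an assumed, abbreviated set of leading-digit ranges, and masks every hit to first six / last four before it is recorded. The sample lines and the test PANs in them are constructed; the PANs are the published card-brand test numbers.

```python
"""PAN discovery for a PCI data-flow review (added example, constructed data)."""
import re
from typing import Dict, Iterable, List

# Constructed sample input: an application log and a support-ticket export.
# Line 4 is a 16-digit order number that fails Luhn and must NOT be reported.
SAMPLE_LINES = [
    "2024-05-02 10:14:07 payments-api INFO charge ok token=tok_8f3a amount=42.10",
    "2024-05-02 10:14:09 payments-api DEBUG raw request pan=4111111111111111 exp=12/26",
    "ticket 1187: customer read 5555 5555 5555 4444 over the phone, refund issued",
    "2024-05-02 10:15:30 payments-api INFO order 4111111111111112 shipped",
    "invoice 3782-822463-10005 paid",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed leading-digit ranges for the demonstration only; a production scanner
# would load a maintained BIN table instead of this abbreviated list.
BRAND_PREFIXES = (
    ("34", "amex"), ("37", "amex"),
    ("4", "visa"),
    ("51", "mastercard"), ("52", "mastercard"), ("53", "mastercard"),
    ("54", "mastercard"), ("55", "mastercard"),
)


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Classify by leading digits using the assumed prefix table above."""
    for prefix, brand in BRAND_PREFIXES:
        if digits.startswith(prefix):
            return brand
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS masking permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per Luhn-valid PAN; the full number is never stored."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in CANDIDATE.finditer(line):
            digits = _normalize(m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno,
                                 "brand": brand_of(digits),
                                 "masked": mask_pan(digits)})
    return findings


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form.

    Useful when a log or export is found to contain CHD and must be cleaned
    before it is retained or shared outside the cardholder data environment.
    """
    def _sub(m):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['brand']} PAN {hit['masked']}")
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Running the block reports PANs on lines 2, 3 and 5 only; the order number on line 4 is a regex candidate but fails Luhn and is skipped. A finding on a DEBUG log line is exactly the kind of "CHD introduced somewhere unexpected" result that widens the PCI scope, so the scanner stores only the masked value and the location, never the PAN itself.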
RSM then analyzed the environment against PCI requirements: we assessed the systems that store, process or transmit CHD, documented the existing controls protecting that data and identified gaps against the PCI Data Security Standard (PCI DSS).
RSM consultants did not simply identify control gaps as they related to PCI compliance. Many auditors would have left the client with a yes-no checklist and an overall compliance percentage. With every gap assessment, we provide a detailed remediation road map based on the PCI Prioritized Approach. Beyond that, we provided expanded recommendations that U.S. management could apply to the organization as a whole, not just to the PCI environment.
Although it was not the intent of the engagement, on discovering that the IT managers were still within their first 90 days of employment, the PCI Qualified Security Assessor shifted the gap assessment methodology from a question-and-answer session to a partnered network exploration. This approach started by scrutinizing the network diagrams until they were as accurate as possible, then interviewing the architect to learn the why behind the build.
As the engagement continued, the PCI gap analysis was applied to the entire network architecture. The result was that, within 48 hours, the new IT personnel and the director had far greater confidence in their understanding of the network environment. This was accomplished by exploring the network; interviewing the architects and maintainers; and reviewing policies, documentation and vendors. There is value in the fact that within two days they were up to speed on the inner workings of the network, but more important, we identified many areas of deficiency.
While exploring the network, we also applied grading criteria at a medium level of detail. Policies were examined to confirm they reflected the actual intent of the organization; at the same time, procedures were analyzed to confirm they met the letter of those policies. Concurrently, the network architecture and protocols were checked to confirm they did not undermine the organization's security requirements.
This exercise will help U.S. personnel make the case that the greatest value to the corporation lies in prevention, not recovery. It has equipped the decision-makers and policymakers in U.S. management positions to make informed, strategic information security decisions. RSM added value by going beyond identifying problems to point the client toward solutions.