The way we shop for groceries has changed because of the unusual circumstances the world is in today. Instead of spending as much time physically in the store selecting our own items, we now have the option to order online and arrange for a time to pick them up, or better yet, have them delivered. Of course, there may be a few items you’d prefer to go in and see in person, like fresh produce. Similarly, because of the state of the world today, the way security assessments are performed has also had to change.
Prior to 2020, it was common for independent assessors to spend a sometimes-significant portion of their time at a client’s site. Being physically present is even a requirement for some standards like the Payment Card Industry Data Security Standard (PCI DSS). Why is it necessary to spend time on site when conducting an assessment? There are a few meaningful reasons. A primary one can be explained by sharing an example from when my wife was a child. When she wanted to go out to play, her mother would often ask her if her room was clean. To which she would reply, “Yes.” Then came the dreaded follow-up question: “Is it your clean or my clean?”
Having worked to deliver security improvements for both merchants and service providers, I can relate to others in those roles. Although a client may be doing their best to improve their organization’s security, progress can be influenced positively or negatively by an organization’s culture. Having an independent assessor look over the situation is likely to provide a more accurate level of confidence that a security control has been appropriately implemented. Expanding on this example: it is the same reason that people choose (or should choose) to visit a dentist to have their teeth checked rather than do their own dental exam.
So sure, an independent review can add value, but is there a need to be physically present for such an assessment? This is easily answered by the age-old adage, “A picture is worth a thousand words.” It is well established that people communicate more succinctly and effectively through body language and visual cues. Therefore, despite innovations in video and audio technologies, being physically present allows for more accurate and rapid communication.
Physical presence also facilitates positive relationships through personal interaction, like giving people recognition where their efforts are paying off. It offers opportunities to provide insightful customer service by informally pointing out weaknesses in architecture and sharing guidance on getting it right. Being physically present also aids in the ability of an assessor to pick up on company culture and situational context. For example, if you are getting a team overview of an application’s security in a room with a couple of developers and the project manager says something about its security functionality that doesn’t seem quite right, you might observe a developer or two give physical, contextual clues that the project manager doesn’t understand how it really works. That context is likely to be missed over a voice or video call.
In fact, assessors on site visits frequently find risks that employees may not have recognized: things that add value to the organization but would be difficult to discover through a planned video walk-through. After all, the unknown cannot be foreseen.
Unintended situations assessors may have seen on site visits include:
- Mobile credit card collection devices sitting out unattended
- Non-approved remote access software running on a server room console
- Unknown physical connections to a router
- A main server rack receiving power from a cheap power strip hanging from the ceiling
- An unlocked, uninventoried telecom closet with water damage
- A live network jack on the outside of a building
Finding things of which a client may be unaware can be of tremendous benefit to the client’s organization; otherwise, the issues would remain as unknown risks to their business and customers.
So, if we can agree that onsite assessments add value, how much time onsite is enough? To answer this, the PCI Security Standards Council (PCI SSC) has published guidance each month since March 2020 regarding conducting PCI assessments remotely. In March of 2020 the PCI SSC indicated that remote assessments were being allowed only because exceptional circumstances were temporarily preventing travel, and stated,
“While onsite assessments are always expected, in this unique circumstance, individual health and safety must be considered when making decisions regarding onsite assessments.”
Troy Leach, “Remote Assessments and the Coronavirus”, March 11, 2020
The PCI SSC has also acknowledged that global travel advisories and restrictions may not allow assessors to conduct assessments at an entity’s physical location. To that end, it was suggested that assessor companies may consider engaging qualified local assessor resources to assist in annual Payment Card Industry security control validation efforts.
Rather than report on the rest of the guidance chronologically, I’ve summarized it into four main data points:
- Thoroughness: Remote assessments must be performed with the same rigor and integrity as an onsite assessment. This means that remote security control validation must provide the same level of assurance that controls are properly implemented to meet PCI DSS requirements as if the assessor was onsite.
- Security: Remote assessments must not require the violation of a PCI security requirement or introduce unnecessary additional risk. For example, only highly secure methods should be used for remotely viewing operations activities and receiving and reviewing evidence. In 2020, it is probable that both assessor companies and assessed entities have collaboration portals or tools available to facilitate the highly secure sharing of sensitive information.
- Quality: As part of their assessment workpapers, assessors must retain evidence of remote validation and clearly document in the Report on Compliance (ROC) how the work was performed, such as why onsite testing was not performed and, per data point number 1, how the remote testing provided a level of assurance equivalent to onsite testing.
- Exceptions: Finalized assessments completed with the appropriate rigor should be submitted to the PCI SSC as they always have been. However, in April of 2020 the PCI SSC clarified,
“Where a requirement cannot be assessed onsite or remotely, the assessor should document the requirement as ‘not tested’ in the corresponding report.” It was also stated, “Please note that the PCI SSC cannot accept submissions that include any ‘not tested’ requirements.”
Emma Sutcliffe, “Additional Remote Assessment Considerations During COVID-19”, April 28, 2020
To address this, the PCI Security Standards Council indicated that they are exploring options such as grace periods or extensions for certain aspects of PCI compliance, so keep in mind that additional guidance from them may be forthcoming.
What increases the likelihood of an assessment being successful? Two things come to mind: focus and communication.
The first comes from my experience taking tests at a university. Maybe it’s just because I am the first person from my family to attend one, but like enjoying the sun’s warm rays on a beach, I soaked in the whole academic experience. Participating in classes, studying, taking tests to get good grades, and most of all learning: that was what I was there for. It was shocking to me how many students skipped class, didn’t study, and would show up late for tests they had paid perfectly good money to try to pass. Unfortunately, like many of those college students, some companies aren’t prepared to participate or aren’t actively engaged when assessment activities begin.
Of course, once an assessment is lined up and kicked off, what would one think is the number one reason an assessment goes well? A company culture that embeds security into its day-to-day operations, possibly? That is important, but in my experience, the number one reason an assessment is successful is sufficient communication from all parties. Just like any relationship, open communication and collaboration can make or break an assessment. Where both assessors and entity personnel hold common values for helping the organization to quickly identify issues and correct them, evidence appears, questions are answered, and guidance is given. It’s a kind of magic.
Considering the complexity of conditions in the world today, we could all use a little more magic and a little less stress in our lives. It has been said that in times of crisis, communication should increase, and that principle holds true for remote assessments as well. Ideally, assessors and entity personnel will work together to identify which testing activities can be performed remotely with integrity. In some cases, controls requiring onsite validation may be postponed. In other cases, collaboration may yield new ways to validate that security controls are in place. In any case, assessor organizations and entities are going to benefit from enhanced, frequent communication and collaboration.
Here are a few points to ponder:
- External assessors can add value by helping organizations identify opportunities for improvement.
- Being onsite lends itself to understanding the nuances of how security is a part of a company’s culture and can lead to new discoveries, but a remote assessment is better than no assessment.
- Whether an assessment is conducted onsite or remotely, both assessors and entity personnel share a responsibility to ensure that controls are thoroughly reviewed.
- Additional guidance from the PCI Security Standards Council is likely as conditions around the world continue to change.
- A successful assessment is conducted with mutual respect and significant collaboration.
In conclusion, it is worth having someone come in and make sure your ‘room’ meets industry standards. Just make sure that good communication practices are paramount from the beginning of the relationship. That said, I hope to see you on an assessment sometime in the future; but for now, you’ll have to excuse me, I’ve just been notified my groceries are ready for pickup.
Disclosure: Falan Memmott is a Qualified Security Assessor for AT&T.