Sunday, April 22, 2007

Don't Let PCI turn into FISMA

When I attended the San Jose OWASP meeting a week ago Bernie Weidel gave a briefing on PCI compliance related to Web Application Security.

During his presentation he talked about how to get involved with setting/influencing the PCI standards themselves. I made a remark that even if we all got together and weakened the standard as part of the PCI governance process, the Card providers (Visa, MasterCard, etc) would simply revert to their own standards. Bernie looked shocked that a security person would recommend weakening a standard. To a large extent I stand by my remark and perhaps it can best be explained in relation to FISMA.

Much has been written on the flaws in the FISMA approach, which focuses too much on paperwork-level compliance and not enough on the effectiveness of controls or on leeway to implement appropriate controls for a given environment. Richard Bejtlich even has an outline of how things could be improved.

In light of complaints about FISMA I think we can learn what to do and not to do with respect to PCI. The folks over at Ambersail even asked "What would you change?"

For me - the biggest things I'd change would be related to flexibility in implementation of a security program - and much more explicit linking of the PCI standard and the auditing guidelines. Nothing is more frustrating than trying to implement a proper security program and having to constantly go to one's auditor to explain a new set of controls being explored, wait while they turn around and get clarification from Visa, and finally hear back about whether Visa approves.

Just like in the FISMA case, where folks spend a lot more time documenting than they do on actual security processes, PCI has the possibility of failing this way.

I work for a rather large financial services firm. It is in our best interests financially to exceed PCI security requirements in almost all cases. If I do this and create my own documentation, controls, etc. around achieving a level of security I consider appropriate, each new regulation and standard that comes out is simply more overhead for me. It doesn't add to my security, it just forces me to fill out more audit documentation, spend more time and money on auditors, without adding anything to my bottom line from a security perspective.

Unified/universal standards are often the solution to this problem, so that I can pass one audit, and provide those details in the same format to all of my partners to demonstrate compliance with their security requirements. What I don't need are multiple overlapping standards that cost me extra money without improving my security.

You can argue that most merchants and processors aren't going to comply without a stronger standard with lots of mandatory audits and control points. And you may be right. But from the seat I'm in, more mandatory audits simply cost me money that I could better spend on improving my security, not on auditors and paperwork.

More on how companies use weaker standards and federal standards to weaken state-by-state approaches in a later post.


Peter said...

Ugh. FISMA, yeah, I remember FISMA. Can't say that I miss it much. Then again, we never scored very well. But then again, management never really listened to us very often. :-/

Peter said...

Oh, yeah, I finally just put two and two together. Rich Bejtlich is the guy who wrote The Tao of Network Security Monitoring. It's a pretty good book. He's also a FreeBSD geek, which I respect. :-)