But even though PCI audits are old hat, every year it's the same drill: Employees scramble to gather up the required PCI audit documentation, then work long hours to produce required evidentiary artifacts like log samples and access reports. After that, they try to squeeze in last-minute updates to problem areas and refresh required documentation like network diagrams and media inventories.
This has some negative consequences. Not only does the last-minute scramble generally not help to achieve successful PCI compliance validation, but it also slows the assessment process, making it more expensive and burdensome.
It doesn't need to be this way. Since PCI audits have a comparatively precise standard and tightly bounded evidence requirements, it's possible to streamline next year's audit simply by thinking ahead while you're working on this year's. By implementing a few simple strategies, you can also relieve much of the overhead associated with PCI compliance reporting.
Strategy 1: Adopt a PCI audit management framework
The most important step is to make sure you have a framework to collect meta-information about the PCI audit process. This is where you will record key pieces of information about the audit (so what you've gathered carries over from year to year), as well as links to critical documentation (so you know where it's stored).
There are a few ways to do this. You can use an audit management system (AMS) if your organization has already invested in one (e.g., Thomson Reuters' Accelus or Compliance 360). If you don't have an AMS (as is probably the case), you can leverage spreadsheets, access databases or use content management systems like Sharepoint or Drupal. Even a well-organized directory structure can fit the bill in a pinch. The goal is simple: Have a place where you can record the inputs, outputs and other information from this year's PCI audit to support future ones.
Strategy 2: Record inputs, outputs, owners and a playbook
Once you have a framework within which you can record PCI audit information, start making use of it. Record information about what specific pieces of evidence auditors ask for, what artifacts you supply in response to these requests and who was able to acquire this information, such as subject matter experts (SMEs).
Most importantly, ask SMEs to record how they obtained pieces of evidence. If they run a report, have them write down the type of report and the process they followed to create it. You'll very likely follow the same process next year (although it's important to remember that staff and areas of responsibility can change), so make sure future personnel have all the data they need to reproduce the effort.
Strategy 3: Automate evidence collection
Obviously, having a playbook and a place for that playbook to live are useful first steps, but if possible, automate evidence collection. For example, if you need to collect security log information for a certain number of days from one or more servers, engage the SMEs to create a script to automate that process.
Store that script along with other audit-related information and processes. The goal here is to minimize the amount of overhead required for future efforts and to ensure output consistency.
Strategy 4: Avoid 'auditor-only' documentation
When supplying documentation (e.g., network diagrams, lists of personnel with access to cardholder data, process documentation for data handling, media inventories, and the like), avoid single-use documents that are specifically crafted to support the PCI audit. Why? Because having an "auditor-use-only" document practically guarantees that the document will be stale when the next cycle comes around.
Where possible, try to adapt a "living" document (i.e., one that's reliably updated and useful for some other purpose) to address audit needs. Chances are this document will be more useful if it's kept updated between cycles.
Strategy 5: Keep updating
The final step is to keep information current. Each time you go through an assessment cycle, refine your documentation to increase its accuracy. Update process documents based on environmental changes and try to increase the automation level when you can. The point of having a PCI audit playbook is not so you can create it once and then never update it. The goal is to leverage the work already done in the past, so make sure information gathering is additive. Each year should be an opportunity to not only respond to the current audit but also to prepare for the next one as well.
You'd be surprised just how much effort these few simple steps will save when you go through an assessment cycle. By planning ahead, capturing useful information about the audit process and tracking your responses, you can cut down significantly on the reactive fire drill that can occur during a PCI assessment. It's well worth the few extra hours this year to save yourself ten times that effort when the cycle comes around again.
Ed Moyle is a founding partner at New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with Computer Task Group Inc.'s global security practice, and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.