WEBVTT

00:00:00.379 --> 00:00:03.379
Every DSS requirement, as I've talked about already,

00:00:03.379 --> 00:00:06.379
has got the last requirement of the requirements says,

00:00:06.379 --> 00:00:09.379
oh, and keep ahold of the documentation that nobody ever reads,

00:00:09.379 --> 00:00:10.379
apart from your assessor.

00:00:10.379 --> 00:00:10.834
Right.

00:00:10.834 --> 00:00:16.713
Well, and what they've done in this sort of current version of the DSS,

00:00:16.713 --> 00:00:18.379
since about the version 3,

00:00:18.379 --> 00:00:23.179
is they've taken that last sort of sub-number of the major number of the

00:00:23.179 --> 00:00:26.046
12 requirements and said here is the policy catchall,

00:00:26.046 --> 00:00:26.379
right?

00:00:26.379 --> 00:00:30.046
Have policies and procedures that describe all these

00:00:30.046 --> 00:00:32.379
requirements that we've just been harping on,

00:00:32.379 --> 00:00:35.004
and make sure that they're adequately documented,

00:00:35.004 --> 00:00:35.379
right?

00:00:35.379 --> 00:00:38.379
Rather than kind of interleaving the policies throughout,

00:00:38.379 --> 00:00:40.951
and then you have to go kind of pick them out from various

00:00:40.951 --> 00:00:43.379
requirements that have all been kind of pulled to the end.

00:00:43.379 --> 00:00:43.579
Right.

00:00:43.579 --> 00:00:45.379
So as an assessor, you're looking at those policies.

00:00:45.379 --> 00:00:46.379
Do you read them?

00:00:46.379 --> 00:00:46.879
Yes.

00:00:46.879 --> 00:00:47.379
Okay.

00:00:47.379 --> 00:00:50.379
And what about a policy statement like this?

00:00:50.379 --> 00:00:53.379
My policy is to comply with PCI DSS.

00:00:53.379 --> 00:00:54.379
Does that work for you?

00:00:54.379 --> 00:00:54.879
No.

00:00:54.879 --> 00:00:55.379
Why?

00:00:55.379 --> 00:00:59.379
Well, because I want to know how your organization is doing it.

00:00:59.379 --> 00:01:01.379
Okay.

00:01:01.379 --> 00:01:02.743
If you want to say,

00:01:02.743 --> 00:01:05.743
as your sort of introductory sentence in a particular policy section,

00:01:05.743 --> 00:01:10.808
is my goal is to comply with PCI DSS with respect to

00:01:10.808 --> 00:01:15.963
firewalls and networking devices, and then here is how I do it,

00:01:15.963 --> 00:01:16.379
okay.

00:01:16.379 --> 00:01:23.379
I see people subbing policies off the internet for PCI DSS compliant policies.

00:01:23.379 --> 00:01:24.379
Any good?

00:01:24.379 --> 00:01:33.379
I think there's a range of them from probably okay to unspeakably terrible.

00:01:33.379 --> 00:01:36.379
I would say, in any case, even if there was a really,

00:01:36.379 --> 00:01:39.935
really great policy on the internet that you could purchase or

00:01:39.935 --> 00:01:44.379
download or torrent or however you acquire it,

00:01:44.379 --> 00:01:45.879
in all cases,

00:01:45.879 --> 00:01:54.379
if you are unwilling to modify it to suit what your organization does,

00:01:54.379 --> 00:01:56.379
then it's a mismatch, right?

00:01:56.379 --> 00:01:58.379
Or in one circumstance I saw,

00:01:58.379 --> 00:02:01.379
or even do a search and replace to put your name into the policy.

00:02:01.379 --> 00:02:05.379
I mean, if you can even do that, that's the tell, right?

00:02:05.379 --> 00:02:13.713
Or if you describe like CISOs or other roles within the

00:02:13.713 --> 00:02:16.379
organization that you clearly don't have,

00:02:16.379 --> 00:02:19.522
that's a pretty obvious tell that you downloaded this and

00:02:19.522 --> 00:02:22.379
didn't actually give it a look-see.

00:02:22.379 --> 00:02:24.779
But even if it's great, right,

00:02:24.779 --> 00:02:27.379
if it doesn't describe what your organization actually does,

00:02:27.379 --> 00:02:31.379
then you're kind of missing the point.

00:02:31.379 --> 00:02:33.379
Because, and it's a long time, as I said,

00:02:33.379 --> 00:02:36.379
it's a long time since I've actually been an assessor,

00:02:36.379 --> 00:02:38.601
but I think it says you have to look at the policy and

00:02:38.601 --> 00:02:40.379
then ask people if they know about it.

00:02:40.379 --> 00:02:41.129
Is that right?

00:02:41.129 --> 00:02:41.379
Yeah.

00:02:41.379 --> 00:02:42.379
What's your testing procedure for policy?

00:02:42.379 --> 00:02:43.379
There is that, right?

00:02:43.379 --> 00:02:46.824
If the policy says here's what we do for cryptographic key management,

00:02:46.824 --> 00:02:48.713
or here's what we do for network firewall devices,

00:02:48.713 --> 00:02:53.379
or here's what we do for change management,

00:02:53.379 --> 00:02:55.665
and then what people describe to me when I say tell me

00:02:55.665 --> 00:02:58.197
about your change management process, show me some tickets,

00:02:58.197 --> 00:03:03.561
show me some of the process flow, and if those don't add up,

00:03:03.561 --> 00:03:06.379
then I've got a finding where I say something's not right here.

00:03:06.379 --> 00:03:12.004
Either the procedure is wrong, right, or what you're actually doing is wrong,

00:03:12.004 --> 00:03:14.379
right, or maybe both, right?

00:03:14.379 --> 00:03:18.379
And my experience of looking at data compromise is

00:03:18.379 --> 00:03:23.379
that people just didn't have, they didn't even know the policy was there.

00:03:23.379 --> 00:03:25.197
So the policy might be okay, but they weren't actually doing it,

00:03:25.197 --> 00:03:27.379
or the two things just never matched up.

00:03:27.379 --> 00:03:32.379
And when I've been managing any infrastructure,

00:03:32.379 --> 00:03:32.754
anything,

00:03:32.754 --> 00:03:37.665
I'm trying to get to the capability and maturity model at least level 3 where

00:03:37.665 --> 00:03:41.379
people actually know what they're doing and it's repeatable.

00:03:41.379 --> 00:03:44.379
If I want a change to a firewall done, it's always done the same way.

00:03:44.379 --> 00:03:47.379
And you could only do that by having policies and procedures.

00:03:47.379 --> 00:03:48.379
I know it sounds really dull and boring,

00:03:48.379 --> 00:03:50.779
but it gives you that quality of management,

00:03:50.779 --> 00:03:51.379
doesn't it?

00:03:51.379 --> 00:03:51.879
Right.

00:03:51.879 --> 00:03:56.379
Well, I mean dull and boring is, I think,

00:03:56.379 --> 00:03:59.808
actually preferable to terrifying and unknown,

00:03:59.808 --> 00:04:01.490
right, which is the alternative, right,

00:04:01.490 --> 00:04:03.046
when you don't have meaningful procedures,

00:04:03.046 --> 00:04:03.379
right?

00:04:03.379 --> 00:04:06.379
And like, did this thing actually happen?

00:04:06.379 --> 00:04:07.379
Did somebody do their job?

00:04:07.379 --> 00:04:10.379
Are we wildly unprotected on the internet?

00:04:10.379 --> 00:04:11.879
I don't know.

00:04:11.879 --> 00:04:14.379
That's not a good situation.

00:04:14.379 --> 00:04:16.379
And you said that it was interesting,

00:04:16.379 --> 00:04:20.379
because all the policy used to be stuck in 12 at the end of the DSS,

00:04:20.379 --> 00:04:23.379
and the SSC moved them to the end of every major one.

00:04:23.379 --> 00:04:26.379
And we're not going to talk about policies for every single one of the 12 requirements.

00:04:26.379 --> 00:04:29.379
I thought we'd covered it in requirement 1.

00:04:29.379 --> 00:04:32.197
One of the reasons was that if you look at a report on

00:04:32.197 --> 00:04:34.379
compliance or if you look at any organization,

00:04:34.379 --> 00:04:39.046
I think requirement 1 is always done brilliantly because it's the first one,

00:04:39.046 --> 00:04:39.379
right?

00:04:39.379 --> 00:04:41.979
And requirement 8, 9, and by the time you get to requirement 12,

00:04:41.979 --> 00:04:44.629
people have lost the will to live, and often assessors have lost,

00:04:44.629 --> 00:04:46.879
if you've got six days to do an assessment,

00:04:46.879 --> 00:04:49.379
you've got the last half day to do a requirement 12,

00:04:49.379 --> 00:04:50.379
so it sort of got overlooked.

00:04:50.379 --> 00:04:53.504
And so I know from people on the SSC that one of the

00:04:53.504 --> 00:04:56.834
reasons for moving the policies into each requirement was

00:04:56.834 --> 00:04:59.824
at least that when the QSA was, you know,

00:04:59.824 --> 00:05:01.379
when they had their head in firewalls,

00:05:01.379 --> 00:05:04.379
they'd look at the firewall policies rather than get to the end and go,

00:05:04.379 --> 00:05:05.379
oh, I need to look at your policies now.

00:05:05.379 --> 00:05:05.754
Now,

00:05:05.754 --> 00:05:09.093
I know some QSAs actually had more sense and did the

00:05:09.093 --> 00:05:10.379
firewall policies with the firewalls,

00:05:10.379 --> 00:05:11.379
but it was very obvious that some people said,

00:05:11.379 --> 00:05:13.379
okay, let's get to the end.

00:05:13.379 --> 00:05:14.379
Oh, I need your whole stack of policies.

00:05:14.379 --> 00:05:16.379
Let me take the policies away, tick, tick, tick.

00:05:16.379 --> 00:05:17.379
Right, right.

00:05:17.379 --> 00:05:17.879
No,

00:05:17.879 --> 00:05:22.879
that's very much the potential concern there and the reason for sort of

00:05:22.879 --> 00:05:29.379
spreading that throughout the requirements as they've done.
