In a recent article — In Legal First, Data-Breach Suit Targets Auditor — Kim Zetter reported that PCI auditor Savvis Inc is being sued because it had certified CardSystems Solutions as being PCI compliant just 3 months before 263,000 card numbers were stolen from their system, and nearly 40 million numbers were compromised. Is Savvis to blame? Does CardSystems Solutions have some responsibility to maintain a PCI compliant state “after the audit”? These are tough questions that, in my view, belong in the Boardroom rather than the Courtroom.
PCI DSS is very prescriptive for best practice IT security. Auditors definitely need to be more exacting and tougher when evaluating a company’s adherence to the specification. But an audit is a point-in-time event that says “as of today” your security level and your change and control processes are at an acceptable state. If Savvis did a poor job of auditing CardSystems and issued a PCI certificate when that company was not really compliant, Savvis is at fault for issuing the certificate. But what about the many companies that are compliant with PCI DSS at a point-in-time audit only to be breached a month later? The auditor is not at fault in these cases; the company is. The stated intent of PCI DSS is to “maintain” a compliant state and not just “achieve” a compliant state.
Maintaining a PCI compliant state is not easy, but it is doable and it is worth it. It is, in large part, an attitude of being committed to maintaining ongoing security best practices. Doing so delivers continuous compliance as a free byproduct. Making best practice security a daily rigor needs to be elevated to the Boardroom. Far too many companies are putting all their eggs in the “passing the audit” basket rather than improving their daily security posture. More tone-at-the-top is needed to provide the oversight, funding and support to allow security, compliance and operations teams to get it done and get it done right.
Tripwire provides a continuous compliance solution for the 80 configuration control requirements of PCI DSS. Rather than just detecting when critical, high-risk files change, or periodically assessing the compliance status of high-risk files, Tripwire monitors them in real time and, if they ever change, for any reason, immediately and automatically retests them to determine whether they are still in a compliant state, according to PCI requirements and according to the customer’s own security policy. Alerts are issued immediately when any high-risk file drifts from a secure state, and full remediation instructions are provided so the file can quickly be restored to a secure state. That is a long-winded way of saying that Tripwire automatically alerts on every high-risk change as it happens and where it happens, and provides the information needed to correct the problem.
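To illustrate the difference between merely detecting a change and retesting compliance on every change, here is an added example (not Tripwire’s code, and not from the original post) that fingerprints a constructed sshd-style config, and whenever the content drifts from the baseline, re-evaluates it against a hypothetical policy and attaches remediation text to the alert:

```python
import hashlib

# Hypothetical policy for one "high-risk file": required setting plus remediation text.
# These rules are an assumption for the example, not a transcription of PCI DSS.
POLICY = {
    "PermitRootLogin": ("no", "set 'PermitRootLogin no' and reload sshd"),
    "PasswordAuthentication": ("no", "set 'PasswordAuthentication no' and reload sshd"),
    "Protocol": ("2", "set 'Protocol 2' and reload sshd"),
}

# Constructed sample content representing the file as it was when the audit passed.
BASELINE = "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n"


def parse_config(text):
    """Parse 'Key value' lines, ignoring blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def evaluate(text):
    """Retest content against POLICY; return [(key, found_value, remediation)] for each failure."""
    settings = parse_config(text)
    return [(key, settings.get(key), fix)
            for key, (required, fix) in POLICY.items()
            if settings.get(key) != required]


def fingerprint(text):
    return hashlib.sha256(text.encode()).hexdigest()


class Monitor:
    """Change detection that triggers a compliance retest instead of a bare 'file changed' alert."""

    def __init__(self, baseline_text):
        self.baseline = fingerprint(baseline_text)

    def observe(self, current_text):
        """Return None when the file is unchanged; otherwise an alert carrying the retest result."""
        if fingerprint(current_text) == self.baseline:
            return None
        failures = evaluate(current_text)
        return {"changed": True, "compliant": not failures, "failures": failures}
```

A change that keeps every required setting intact still produces a change record but is marked compliant, so the non-compliant drift is what stands out.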
Bad change happens most often in an hour or less. It is no longer acceptable to be alerted days, weeks or, as often happens, months later. Tripwire alerts on bad change at the speed of change.