The Mistakes QSAs Make

  1. The Mistakes QSAs Make (and other ways to get a migraine...). Presented by: Branden R. Williams, CISSP, CISM. Notably: FORMER QSA. © Branden Williams. All rights reserved. CONFIDENTIAL
  2. What to Expect?
     - Interactive Presentation
     - Candid comments from screw ups (both mine and others)
     - Tell me your story!
  3. Yep, some of these are boneheaded.
  4. Mistake #1: Making Up Requirements
  5. Making Up Requirements
  6. Train the Trainer?
  7. Making Up Requirements
     - PCI DSS != Common Sense
       - Yep, take that both ways
       - Assessing takes a certain finesse
       - Must be learned, not taught
     - Assessor knows there is a problem
       - Tries to find a way to force a fix
  8. Assessors like to be Security Pros, NOT Auditors
  9. Mistake #2: Disagreeing over Comp Controls
  10. Disagreeing over Comp Controls
  11. Disagreeing over Comp Controls
      - Assessor tends to be more conservative
  12. Disagreeing over Comp Controls
      - Assessee tends to be more liberal
  13. Disagreeing over Comp Controls
      - Acquiring bank and QSA win
      - Who takes the risk? Self assess if you don’t like the control, but realize that controls MUST go above and beyond
      - For more info: The Art of the Compensating Control (Book/Article)
  14. Disagreeing over Comp Controls
      - Is it worth it to do the compensating control vs. fix?
  15. Mistake #3: QSA is Drunk with Power
  16. QSA is Drunk with Power
  17. QSA is Drunk with Power
      - Assessors are NOT auditors
      - Or peace officers
      - Cautionary Phrases:
        - “I’m going to fail you on this.”
        - “I won’t pass your feeble attempt at compliance.”
        - “I pity you.”
  18. QSA is Drunk with Power
      - Psychology will win
        - Play the game, work with the guy
        - He’s probably not that bad
        - PCI is complex, some assessors can only view it as rigid buckets (either yes or no)
      - How to resolve?
  19. QSA is Drunk with Power
      - Remember: “No Asshole Rule”
        - Do what is right
        - Don’t waste people’s time because your boss says “just push back and see what they do.”
        - Escalate if you feel you have a valid argument
        - Ultimately, make a personnel change on BOTH sides if you cannot get to a good working relationship
  20. Mistake #4: The Buddy of the Executive
  21. The Buddy of the Executive
  22. The Buddy of the Executive
      - Consulting is a people business
      - If an executive has an agenda, the assessor might make up requirements or refuse to mark items in place in order to support the executive’s agenda.
  23. Mistake #5: The FNG
  24. The FNG
  25. 3-day ground school program
  26. Imagine 3-day ground school. Oops.
  27. The FNG: The more prepared you are, the less of an issue this is.
  28. How to prepare?
      - Ensure all documentation is updated
      - Make your own project plan/timeline if one is not provided
      - Lead meetings with authoritah!
      - When talking through requirements, answer like a QSA would
      - Go to ISA training
  29. Mistake #6: Focusing on Q/A not TCE
  30. Focusing on Q/A not TCE
  31. Focusing on Q/A not TCE
      - Immense pressure not to end up on the Remediation list
      - ROC Process is complex
        - Grading scheme was unpublished for 1.1 ROCs
        - Q/A trains assessors to be quick document writers
      - TCE gets dropped
  32. Mistake #7: The Threat of the Future
  33. The Future Threat
  34. The Future Threat
      - Helps NOBODY
      - QSAs should ignore these threats and assessees should not threaten
      - Don’t go for the easy pass, go for an accurate pass
  35. Questions?
  36. General Disclaimer. This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Unpublished work of Branden R. Williams. © 2010 All rights reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.
  37. The Mistakes QSAs Make. Branden R. Williams, CISSP, Former QSA. [email_address] blog.brandenwilliams.com. Fin.