The Mistakes QSAs Make
    Presentation Transcript

    • The Mistakes QSAs Make: And other ways to get a migraine. Presented by: Branden R. Williams, CISSP, CISM. Notably: FORMER QSA. © Branden Williams. All rights reserved. CONFIDENTIAL
    • What to Expect?
      • Interactive Presentation
      • Candid comments from screw-ups (both mine and others')
      • Tell me your story!
    • Yep, some of these are boneheaded.
    • Mistake #1: Making Up Requirements
    • Making Up Requirements
    • Train the Trainer?
    • Making Up Requirements
      • PCI DSS != Common Sense
        • Yep, take that both ways
        • Assessing takes a certain finesse
        • Must be learned, not taught
      • Assessor knows there is a problem
        • Tries to find a way to force a fix
    • Assessors like to be Security Pros, NOT Auditors
    • Mistake #2: Disagreeing over Compensating Controls
    • Disagreeing over Compensating Controls
    • Disagreeing over Compensating Controls
      • Assessor tends to be more conservative
    • Disagreeing over Compensating Controls
      • Assessee tends to be more liberal
    • Disagreeing over Compensating Controls
      • Acquiring bank and QSA win
      • Who takes the risk? Self-assess if you don’t like the control, but realize that compensating controls MUST go above and beyond the original requirement
      • For more info: The Art of the Compensating Control (Book/Article)
    • Disagreeing over Compensating Controls
      • Is it worth it to do the compensating control vs. fix the underlying issue?
    • Mistake #3: QSA is Drunk with Power
    • QSA is Drunk with Power
    • QSA is Drunk with Power
      • Assessors are NOT auditors
      • Or peace officers
      • Cautionary phrases:
        • “I’m going to fail you on this.”
        • “I won’t pass your feeble attempt at compliance.”
        • “I pity you.”
    • QSA is Drunk with Power
      • Psychology will win
        • Play the game, work with the guy
        • He’s probably not that bad
        • PCI is complex; some assessors can only view it as rigid buckets (either yes or no)
      • How to resolve?
    • QSA is Drunk with Power
      • Remember: “No Asshole Rule”
        • Do what is right
        • Don’t waste people’s time because your boss says “just push back and see what they do.”
        • Escalate if you feel you have a valid argument
        • Ultimately, make a personnel change on BOTH sides if you cannot get to a good working relationship
    • Mistake #4: The Buddy of the Executive
    • The Buddy of the Executive
    • The Buddy of the Executive
      • Consulting is a people business
      • If an executive has an agenda, the assessor might make up requirements or refuse to mark items in place in order to support the executive’s agenda.
    • Mistake #5: The FNG
    • The FNG
    • 3-day ground school program
    • Imagine 3-day ground school... Oops
    • The FNG: The more prepared you are, the less of an issue this is.
    • How to prepare?
      • Ensure all documentation is updated
      • Make your own project plan/timeline if one is not provided
      • Lead meetings with authoritah!
      • When talking through requirements, answer like a QSA would
      • Go to ISA training
    • Mistake #6: Focusing on Q/A not TCE
    • Focusing on Q/A not TCE
    • Focusing on Q/A not TCE
      • Immense pressure not to end up on the Remediation list
      • ROC process is complex
        • Grading scheme was unpublished for 1.1 ROCs
        • Q/A trains assessors to be quick document writers
      • TCE gets dropped
    • Mistake #7: The Threat of the Future
    • The Future Threat
    • The Future Threat
      • Helps NOBODY
      • QSAs should ignore these threats and assessees should not threaten
      • Don’t go for the easy pass, go for an accurate pass
    • Questions?
    • General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Unpublished work of Branden R. Williams. © 2010 All rights reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.
    • The Mistakes QSAs Make: Branden R. Williams, CISSP, Former QSA. [email_address] blog.brandenwilliams.com Fin.