PCI Compliance Tip – Creating Evidence

Today we’re going to tackle a consistent issue we see with companies trying to meet and maintain PCI compliance: creating evidence. When we talk about creating evidence for compliance purposes, we’re really talking about all the different ways you prove that you are compliant. For example, it’s great that you tell me as an assessor that you are practicing your incident response plan annually. But if I don’t see any evidence of that process, it makes me skeptical at best, and at worst prevents me from finding enough evidence to mark that requirement as compliant.

So the basic premise is simply to write something down when you complete actions or processes related to your security and/or compliance posture. This can take many forms depending on your current business processes and what tools are available to you. Many organizations choose to use a ticketing system for most of their documentation requirements. This makes a lot of sense, as most of these systems have date/timestamps built in, comment fields, the ability to route to other individuals, the ability to add people for approval, and long-term storage with advanced search capabilities.

But a ticketing system may not make sense in all cases. Simple memos are a great way to accomplish this as well, particularly for requirements that revolve around meetings. One example might be the semi-annual requirement to perform a firewall review. It’s not enough to simply have a documented procedure that you follow; you must also have some sort of evidence that the review occurred and of its outcome. So a memo might include the date of the review, the attendees, the scope of the review (which firewalls, which ACLs), and the actions taken following the review.

Using these pieces of evidence, you can track your compliance status more easily throughout the year and turn over a solid set of documentation that will make it easier for your assessor to see and evaluate your compliance status. This will help take some of the mystery out of your own internal processes as well, helping you make meaningful improvements to your security program over time. And of course, any time you make an assessor’s life easier with solid documentation, it gives them more confidence that you are being upfront and honest in your commitment to security.

In combination with our previous tip highlighting some important but overlooked best practices for documentation, you should have some straightforward ways to make your path to compliance and security easier. We’ll continue adding new tips we encounter, but if you think we’ve missed something or have any of your own tips for maintaining compliance, let us know on Twitter or directly here.