Educause Security Discussion mailing list archives

Re: PCI DSS Review - 40 Hours?


From: Hugh Burley <Hburley () TRU CA>
Date: Thu, 26 Apr 2012 10:17:06 -0700

Hi Dan,
 
I think I would take the approach of doing what you can in 40 hours.
Some of my initial work involved identifying transaction levels, which
SAQ is most likely to apply, and running through the SAQ to identify
where the University is or is not compliant. I used the CoBit 4.1 CMM as
a tool for assigning a level of maturity for the specific PCI line items
rather than a simple yes/no response. The goal of this exercise is to
begin raising awareness for your executives about the risks and expected
costs/effort of reaching compliance.  This will also provide an initial
tool for measuring and prioritizing ongoing activity in meeting
compliance requirements.  
 
The first response from your executive will be that you cannot possibly
be correct in your assessment.  They will also be overwhelmed by the
amount of detail and projected cost involved. In my experience, if you
are persistent in presenting the best facts you can within your limited
capability, the executive will recommend an external PCI assessment.
This assessment will likely validate what you will have been reporting
and may provide some options for reducing scope that you did not
consider.  
 
In the intervening time you will hopefully be able to address some
basic compliance requirements and mature the University's information
security program.
 
Regards,
Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security Officer
CISSP, CIPP/C, CISA
Security, Privacy, Audit
BCCOL - 222D
250-852-6351
 
Dan Sarazen <dsarazen () BRANDEIS EDU> 4/24/12 9:21 am >>>

Hi All,

I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think
that’s responsibly doable? 

Also, does anyone have a PCI DSS Audit plan? 

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706