Why operational processes and documentation are an essential part of PCI DSS compliance


by Anne Wood, Managing Information Security Consultant

When we work with clients tackling compliance for the first time, we generally find one of two scenarios. In the first, organisations have a comprehensive suite of documents but lack in operational processes. In the second, we see a reasonable level of operational process but a lack of formalised documentation.


Whilst on the face of it the second scenario is preferable than the first, from a risk and compliance perspective each brings its own challenges. A lack of operational process brings with it the risk of serious network vulnerabilities and poor implementation of security controls, which may be masked because the quality of documentation is high but not representative of the reality.


A lack of documentation is not a good situation either. Poor or non-existent documentation leads to poor ongoing controls management and maintenance, limited governance and poor general security awareness. As experienced and knowledgeable administration staff move on to new roles or leave the company, so too does their understanding of the organisations infrastructure and network architecture.


It is important to document policies, procedures, standards and installation and configuration baselines to ensure that processes are formalised, consistent and understood by all relevant personnel. These two scenarios are common because organisations tend to take a single approach to compliance; either starting with defining all documentation requirements, or implementing all control requirements.


Neither is necessarily wrong, but neither are particularly recommended. When working with our clients, we would encourage the adoption of the PCI SSC Prioritised Milestone Approach to compliance.


Industry best practise

The Prioritised Milestone Approach takes a risk based view of the overall standard, and aims to prioritise those controls with the greatest overall impact to security first, with validation and monitoring controls generally implemented at a later stage.


The revised approach encourages documentation to be developed alongside controls implementation thus helping to avoid either of the two scenarios described above.


The Prioritised Milestone Approach provides a strategy for delivering a layered security model that is guided by industry best practice that can be used not only to protect cardholder data and achieve compliance with PCI DSS but also to protect other core data assets critical to your organisation.


Sysnet Global Solutions’ team of specialist Cybersecurity consultants understand the importance of data protection and our staff are highly skilled in a wide range of security disciplines including PCI DSS and ISO27001.


We can also assist in designing, implementing and documenting appropriate security controls, procedures and policies, all within a holistic cybersecurity framework that takes into account all applicable standards and regulations. To learn more about our solutions or for more information about our services, please visit Consulting Services or email sales@sysnetgs.com


Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below