From SecureState QSAs
Below are 5 tips from SecureState QSAs to prepare for your organization’s upcoming audit:
1. Document a formal scoping of networks –
Prior to QSAs arriving for the assessment, determine and document the scope of your networks. PCI 3.0 also requires the validation of any network segmentation.
2. Review the 2014 Attack Vector Report –
Test your networks against these top 5 attack vectors and make changes beforehand to save time and allow your QSA to focus on bigger issues during penetration testing.
3. Expand your Vendor Management Program –
An effective VMP should identify and document your third-party vendors, identify gaps, and provide documentation of their compliance. New to PCI 3.0 is a requirement that the VMP spell out which controls each vendor is responsible for, versus which ones your organization must handle itself.
4. Document your 2014-2015 training and education –
Identify all training, education, and awareness programs that employees attended in 2014 and provide a detailed plan for continual training throughout 2015. The more experience employees have with possible threats and vulnerabilities, the better your organization can defend against attacks. While this has been consistently required in PCI, it is still a key component that companies often miss.
5. Assess current Point of Sale (PoS) equipment –
Map all of the point-of-sale terminals you use and review their data logs for suspicious activity, such as unusually large amounts of data being received or sent. Doing this ahead of time will give your QSAs more time to assess any issues in detail.
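One way to do the log review in tip 5, as an added example that is not from SecureState or the original post: per-terminal daily byte counts (constructed sample data, in a CSV layout assumed here) are compared against each terminal's own median, and any day whose sent or received volume exceeds a multiple of that median is flagged for the QSA to examine.

```python
import statistics
from collections import defaultdict

# Constructed sample records (not real PoS data): date, terminal, bytes_sent, bytes_received.
# pos-01 sends far more than usual on 11-05; pos-02 receives far more than usual on 11-04.
SAMPLE_LOG = """\
2014-11-01,pos-01,48200,12100
2014-11-02,pos-01,50100,11800
2014-11-03,pos-01,47900,12400
2014-11-04,pos-01,49600,12000
2014-11-05,pos-01,2310000,12200
2014-11-01,pos-02,51000,13000
2014-11-02,pos-02,49800,12900
2014-11-03,pos-02,50500,13100
2014-11-04,pos-02,52000,640000
2014-11-05,pos-02,50900,13000
"""


def parse_log(text):
    """Group CSV lines into {terminal: [(date, bytes_sent, bytes_received), ...]}."""
    per_terminal = defaultdict(list)
    for line in text.strip().splitlines():
        date, terminal, sent, received = line.split(",")
        per_terminal[terminal].append((date, int(sent), int(received)))
    return per_terminal


def find_volume_anomalies(text, factor=5.0):
    """Return (date, terminal, direction, bytes) for every day on which a terminal's
    sent or received volume exceeds `factor` times that terminal's own median.
    Using the terminal's own baseline avoids flagging busy stores as anomalous."""
    alerts = []
    for terminal, rows in parse_log(text).items():
        median_sent = statistics.median(r[1] for r in rows)
        median_recv = statistics.median(r[2] for r in rows)
        for date, sent, received in rows:
            if sent > factor * median_sent:
                alerts.append((date, terminal, "sent", sent))
            if received > factor * median_recv:
                alerts.append((date, terminal, "received", received))
    return alerts


if __name__ == "__main__":
    for date, terminal, direction, volume in find_volume_anomalies(SAMPLE_LOG):
        print(f"{date} {terminal}: {volume} bytes {direction} exceeds baseline")
```

Feed it your own exported per-terminal volume logs in the same four-column layout; the threshold multiplier is a starting point, not a tuned value.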