Are You As Good At Scoping PCI As You Think? (Mobilizing The PCI Resistance, Part VII)
I'm getting ready for my BSides talk on Wednesday on "Mobilizing the PCI Resistance," and I made a slide designed to hint that defining the scope of a PCI assessment may not always be as easy as one might think.
In today's blog post, I pose some (possibly trick) questions. But before I do that, to refresh your memory, here are the previous postings:
- Part I: "Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer..."
- Part II: "The problems that management and auditors faced in 2005 and 2006 for the IT portions of SOX-404."
- Part III: "Quantifying the huge amount of wasted IT audit effort in SOX-404"
- Part IV: "What goes wrong in a bottom-up SOX-404 audit: a cautionary tale..."
- Part V: "The GAIT Vision For Solving The SOX-404 IT Scoping Problem"
- Part VI: "The Politics Of SOX-404 And GAIT (And Implications With PCI)"
PCI Scoping Quiz: Please Show Your Work
At one time, I believed that defining the Cardholder Data Environment as wherever cardholder data "enters, is transmitted, processed, stored, displayed or printed" was sufficient to inform most scoping decisions.
Gosh, was I wrong.
Don't worry if the answers don't seem immediately obvious. I'd wager I would have gotten most of these wrong last year.
Question 1: Is the Cardholder Data Environment (CDE) equivalent to the PCI Scope of Assessment?
Question 2: Is a domain controller (e.g., a Windows Active Directory server) that CDE applications rely upon for authentication and security services in the PCI Scope of Assessment?
Question 3: How about a domain controller (e.g., Windows Active Directory server) that is not relied upon by any CDE applications?
Question 4: Is a network-attached stapler that happens to be on the same network segment as a CDE system component always also in the CDE?
Question 5: Does it matter whether the workstation a customer service representative uses is a thin client or a thick client?
Question 6: When should it be acceptable for a virtualization hypervisor that hosts a production application in the CDE to also host another VM that is not part of the CDE?
Question 7: If you have a domain controller that is not in the CDE, but in the scope of PCI assessment, is a print server on the same network segment as that domain controller also in the scope of PCI assessment?
Bonus Exercise: For each of the questions where you answered "in scope of the PCI assessment," describe a strategy to contain the scope, such that systems connected to that system are not in scope. (See Michelle Klinger's great post on the "PCI Contagion Dilemma.")
(Image courtesy: Flickr: Zeligfilm)
The Answers And My Goal
The answer to all of the questions is actually, "It depends." But just as problematic is the fact that people could arbitrarily disagree with your answer, with little ability to defend its validity. The trick is being able to state, "Yes, it depends, but here is what it depends upon."
Also, generating a consensus on scoping conclusions takes a lot of time. Prior to creating a structured method with agreed upon definitions, the Scoping SIG required over 40 hours to come to a scoping conclusion for one scenario.
With the proposed guidance under development, our team was able to generate a consensus on 15 scoping conclusions in less than 2 hours.
We believe there are three things needed to aid the scoping effort and to let you defend your answers, so that another person can follow your reasoning. Even if they don't agree with your scoping conclusion, at least they can scrutinize your assumptions.
My goal is to have the PCI Scoping SIG deliver:
- Define and deliver the following, in a manner that clarifies and supports the spirit and intent of protecting cardholder data:
  - Scoping principles and definitions (should be 200 words or less)
  - A structured scoping methodology (should be a decision tree, with fewer than 30 boxes)
  - A library of scoping scenarios demonstrating its usage for educational and clarification purposes (should be about 30 pages)
- Create useful tools and guidance that will assist in the scoping effort for both merchants and QSAs.
Interested?