I just sat through another security audit. To many, it’s about as much fun as a visit to the dentist. Here’s the thing: it has to be done, so you might as well try to enjoy it. I enjoy the debates between the Qualified Security Assessor (QSA) and my ornery system administrator and thought I’d share an example.
This time, the battle was about whether a remote workstation that is connected to the cardholder data environment (CDE) via Citrix is considered in scope and therefore subject to PCI DSS requirement 1.4:
Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
The QSA’s argument was that the workstation is connected to the CDE, so it’s in scope and must run a personal firewall. The system administrator’s argument was that the workstation is connected to a Citrix server, not to the CDE itself, and is therefore not in scope.
Riveting! I say this based solely on the conviction with which each was making his points and counterpoints because, frankly, the actual points and counterpoints were quite boring. There were stern looks of “the world will end if you don’t believe me,” frowns of “you’ve got to be kidding,” and several sighs of “my six-year-old knows more about security than you do.” I should have gotten it on video. Next time.
The QSA dealt the final blow by pulling out his trump card: “that’s not what Visa thinks.” End of debate. Of course, as the executive on the project, I was going to side with the QSA no matter who won. You need to pick your battles, and this just wasn’t a significant issue in the big picture. The system administrator should be running a personal firewall anyway, and he knew it; he was just being ornery!
I did, however, reassure myself by doing some research. This blog post is by a self-declared PCI expert who chose to remain anonymous, but it makes good sense to me and supports the position my QSA just took.
This was just one of dozens of debates we had, all in the name of protecting cardholder data!