It’s still messy at this time, but if it is important enough to you, then sometimes it can be obtained. PCI DSS auditors can’t accept liability shifting onto them, and cybersecurity insurance underwriters are getting more savvy on current standards and can often twist auditor arms enough to carve out exceptions and still obtain the audit certification. Then put them in a locked cage match with the PCI DSS auditors and accept the result when they walk out. My go-to has been to convince the insurance underwriters first of the primacy of SANS, NIST, Microsoft and so on. The only PCI DSS requirement I couldn’t quickly align to NIST and others has been the 90-day expiration. This approach will also take care of the response user patrakov gave ("NIST is an American institute, and we are a Japanese company, we have our own standards that differ, and must follow them"), once it gets to the insurance underwriters talking it over on how to divvy up the risk and amend their policies if necessary. You have to get out ahead of the business risk, though, for this to work: you need to properly socialize the delay this puts on the deal "while auditors and insurers sort out the risk". Usually it is someone not in auditing and insurance underwriting blithely following outdated policies written in the Stone Age that still need updating, and most are grateful for the updated clarification. Push it to the point of asking more than one of their own auditors, though. If they don't back off on their own, their auditors and/or insurance underwriter makes them back off. This gets them to switch off their demand. If they push back after you say, "we're not prepared to reduce our security", ask them in a friendly way to hold an N-way meeting between their auditors and insurance underwriter, and your auditors and insurance underwriter.
Tip for those in settings with compliance reviews and cybersecurity insurance: get your PCI DSS, SOX, and other auditors, and cybersecurity insurance underwriter on board with these standards as well, with written statements. After pointing to the NIST standards (and two other references) saying that that reduced security and saying "we're not prepared to reduce our security".