In this article, I want to describe the basic steps in preparing for a security audit. Most often this is an audit of compliance with a security standard from the ISO 27*** or PCI DSS family, or of compliance with the requirements of the GDPR.
I have 12 years of experience in information security. During this time, I have completed projects with dozens of companies from the USA, Britain, China, Russia, Ukraine and European countries. Clients have included large processing centers and banks as well as IT companies of various specializations. The results of these implementations were assessed by PWC (Hong Kong), VISA (USA) and Deloitte (UKR) and were confirmed as compliant with the requirements, which can be seen in the letters of recommendation on my website and the reviews on my LinkedIn profile.
I hope that my experience in conducting audits, consulting, and supervising projects to bring companies into compliance with the PCI DSS, VISA and MASTERCARD security standards will help me convey useful information to readers in simple words.
I would like to share the experience, knowledge, observations and comments I have accumulated, using preparation for a PCI DSS compliance audit as the example. Everything stated in this article may differ significantly from the opinions of other auditors and consultants, from the official position of the PCI Security Standards Council, and from other sources. I am not suggesting that you strictly follow everything discussed here. This is simply information to help you make your own decisions. I hope it will be useful to readers.
So where does an audit begin, and how does it proceed?
It does not even start with signing a contract for an audit or pre-audit. It starts with the company's decision (usually taken by a director or manager) that it needs to undergo an audit.
In general, I can say that preparing a company for an audit of compliance with the PCI DSS standard (or any other) requires clear planning, perseverance and endurance. It also requires the ability to balance the documented requirements of the standard against their implementation, so that they have minimal impact on the company's working processes while increasing its real security.
If you have any questions, you can always ask them by writing to me by e-mail.