QSAs are friendly… As long as you pick the right one… (Part 1)

It’s that time again. Yes, time to find this year’s auditor. You’d think that after 10 years of contacting, meeting with, planning and doing in-depth Level 1 audits for multiple customers per year at ZZ Servers, a managed private cloud provider for PCI and HIPAA businesses, finding a Qualified Security Assessor (QSA) to work with would be easy. Maybe it would be especially easy because, before ZZ, I was a PCI QSA doing the Level 1 audits, code reviews and penetration tests myself!

Unique views:

But no. Best practice, for security as well as for business, means not staying with the same provider year after year but working with multiple providers over the years, so we do not end up being tested by the same people every year and so we get new and unique views of our systems.

So every year I visit the PCI Security Standards website (https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors) to look for a few different QSAs to bid on our project. This is actually a wonderful search engine provided by the PCI Security Standards Council (SSC). The Council produces the PCI Security Standards and was created by the major credit card vendors (Visa, MasterCard, American Express, JCB and Discover) to provide “a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”

Find the QSA

Using the PCI QSA search tool I’m able to browse the 170 US-based QSAs that I may want to have bid on my job. At least I have this from the SSC! When it comes to penetration testing, application code review or, heaven forbid, a forensic engineer or incident response company, there are no search engines, and Google or your friends’ network is your only option! But that problem is for a future post; for now, let’s continue with the joys of finding a QSA!

With the PCI SSC QSA search form, I have the 170 potential firms, as well as the prior firms I have worked with, that I’d like to give an opportunity to bid this year. I would like to submit a full request for quote (RFQ) to each of the 170 and see which have the best services, understand my business, and meet all of my business requirements while being affordable. However, that is not possible because of how the world actually works.

But the process:

When working with a consulting or auditing firm, engaging them for work usually goes like this:

  • Create a set of requirements for the project
  • Create a set of requirements for vendors
  • Identify vendors or service providers who can provide the service
  • Contact them and wait for a response
  • The response is usually a meeting request so they can scope the job and bid on the work properly
  • Hold the scoping meeting, usually lasting an hour (sometimes more), detailing the environment and the requirements for the project and the vendor
  • Wait for quotes
  • Follow up with vendors for quotes
  • Have additional meetings to gather more details (penetration tests, code review, policy review…)
  • Receive responses from a small subset of the contacted vendors
  • Review the responses and decide which vendor to work with

Even with a well-documented environment, I have learned from experience that engaging a new firm will usually still require at least an hour to help them digest the environment so they can scope the job properly.

The downselect…

Knowing that I can’t contact all 170 QSAs, I usually end up selecting 5 or 6, figuring that a few days of my life are worth it for the company and the customers we serve. The sad thing is that one or two of them won’t even respond, but that still leaves enough to get a good idea of who can best understand my business and best audit the environment.

Maybe I should back up and explain that auditing just to submit the report is never my intent when looking for a partner to audit what I’ve built or run. #PROTIP: If you build your environment to be audited, then an audit is a partnership with an external entity to validate that you are doing what you say you are doing. If you document everything properly and specifically reference the audit requirements in your change control and the other document inventories you provide, then an audit is nothing more than reviewing the book of changes from the last audit until now!