It's absolutely right to always gather appropriate PCI DSS-related documentation in the event of an audit. The...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
kind of management perspective that says otherwise is all about doing the least amount possible to make the auditor go away. The reality is security professionals need to do the right thing and plan for the worst-case scenario, consistently -- that means every day.
In this case, the right process is to gather appropriate documentation as a common part of security operations. If it's necessary to gather a bunch of documentation to substantiate practices that should be in place anyway (which is most of PCI DSS), then something is wrong.
In today's security environment, security managers will always be scrutinized. The executive suite will always wonder what's happening with all that money in the security budget. They want substantiation of what it is that the security team does, and why. Gathering the documentation when an audit is happening puts the security team behind the curve and in turn makes the value of information security less apparent to management, so I suggest making documentation a part of everyday activities. Yes, it's a hassle, but no more of a hassle than having to manufacture data to substantiate what's been done the night before an audit.