It's absolutely right to always gather appropriate PCI DSS-related documentation in the event of an audit. The kind of management perspective that says otherwise is all about doing the least amount possible to make the auditor go away. The reality is security professionals need to do the right thing and plan for the worst-case scenario, consistently -- that means every day.
In this case, the right process is to gather appropriate documentation as a common part of security operations. If it's necessary to gather a bunch of documentation to substantiate practices that should be in place anyway (which is most of PCI DSS), then something is wrong.
In today's security environment, security managers will always be scrutinized. The executive suite will always wonder what's happening with all that money in the security budget. They want substantiation of what it is that the security team does, and why. Gathering the documentation when an audit is happening puts the security team behind the curve and in turn makes the value of information security less apparent
Requires Free Membership to View
SearchMidmarketSecurity.com members gain immediate and unlimited access to breaking SMB industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchMidmarketSecurity.com today!
Michael S. Mimoso, Editorial Director
to management, so I suggest making documentation a part of everyday activities. Yes, it's a hassle, but no more of a hassle than having to manufacture data to substantiate what's been done the night before an audit. This was first published in February 2009