A big thanks to Andy Barratt - Managing Director, Europe and QSA, Coalfire for his contribution to this newsletter.
“Any darn fool can make something complex; it takes a genius to make something simple.”― Peter Seeger
If you are the glorious knight responsible for getting your company up to mandatory compliance levels (and keep it there), you could potentially feel desperate facing this enormous and tedious undertaking. This is especially true for service providers, large and complex organizations. The ROC (Report On Compliance) quest could well be compared to the one for the Holy Grail, an endless day, a money- and time-consuming black hole. This sounds quite pessimistic — but it is realistic. The quest is so time-, effort- and money-consuming that organizations decide to give up and accept the risk of non-compliance.
And what could we say about the army of QSAs (Qualified Security Assessors), required to validate compliance of such environments? How could they effectively take responsibility, execute their mission with the expected quality without having to live, sleep and eat with their customers? And what relevance could we possibly expect from a several-hundred page ROC?
Definitely in complex environments, the usual "ONE ROC approach" just doesn't work. It's long, if not endless and tedious, and leads to unmanageable projects, poor outcomes, and lots of frustration. It requires an army of QSAs and a mountain of evidence. Not surprising that in such conditions, compliance projects do not serve security. On the contrary, they can often initiate a negative security cycle, as there is definitely no incentive to compliance.
The ROC-Fission approach
In physics, fission is the act of splitting a nucleus of an atom into nuclei of lighter atoms. "ROC-fissioning" is the name I give to the act of splitting the object of a ROC, defined by the PCI scope, into smaller objects (parts of the scope). Each part being more manageable nearly independent of each other and associated to its own ROC (nuclei).
Is this approach validated by PCIco?
Although not specifically advertised by PCIco, the payment brands and the acquirers, "ROC-Fissioning" is definitely approved/supported and encouraged. The topic was even at the heart of a major presentation and discussion at the latest PCI Community meeting. To Andy Barratt (above-mentioned contributor to this article), splitting the ROCs was the ONLY way for large organizations to reach compliance. Andy also mentioned one of his customers having up to 16 different ROCs (nuclei).
What are the pre-requisites?
This approach requires that:
- The global CDE scope be documented
- Each portion ROC(nuclei) be clearly documented in terms of the scope/ object of the assessment and what is excluded from it (from the original scope).
- The object of the ROC (nuclei) be firewall-off/segregated from the rest of the scope.
- Acquirer agreement be received
How to achieve ROC-Fission?
Most of the large service providers uses this approach to segregate their services. One Service = One specific ROC allowing them to deliver to their customers the ROC associated to the service offered. But there is a panel of other ways to ROC-fission the complexity of an assessment by:
- Payment channels
- Assets managed by different entities
- Business units
- Network subnets
What are the benefits?
In the same way than the fission releases energy, "ROC-fissioning" releases the burden associated to complex compliance projects.
Here are some of the benefits:
- Manageable audits, better preparation, better outcome
- Reduce the audit efforts and time while increasing the quality
- Reach compliance faster and therefore send a positive message to customers and acquirers
- Moderate/limit the size of ROCs
- Break down the cost of compliance
- Reduce the size of the QSA army
- Get the right stakeholder involved and therefore get them more accountable and interested
- Limited impact in case of breach. With one ROC, the complete organization compliance is impacted. With multiple ROCs (nuclei), the compliance impact is limited to the ROCs associated to the breach.
Are there cons to this approach?
Andy doesn't see any cons to this approach. Of course, it requires more audits but this is not a bad thing. As mentioned above the efforts, cost and time associated to each audit are drastically reduced for a better and faster outcome.
- Were you aware of this approach?
- Do you already follow it?
- Will you follow it?
- Have you read our previous newsletter: PCI 30 seconds newsletter #37 - And PCI said "Get Pen-tested"!