Much of my work circles around PCI DSS, and it was interesting to see an announcement from the SSC this week for yet another programme. This time, a select few that are privileged to be in the right place at the right time can register as QIRs – Qualified Integrators and Resellers for PA-DSS validated applications.
So now, the PCI SSC manages QSA, PA-QSA, ISA, ASV, PPTP, PTS, PFI and QIR programmes. My big sticking point with these is simply availability. The SSC can train no more than about 60 at a time, and this leads to a situation where certified entities all charge a premium because of demand, use junior resource to improve profit margins, and drop customer projects mid-flow because, all of a sudden, there are better things to do and more money to be made elsewhere.
I can't help but think that the PCI SSC is profiteering – there's a standard for pretty much everything now, and whilst it does need solid guidance and integrity, any security professional that knows what they're doing would pretty much take care of this anyway. The Code of Ethics associated with ISC(2) and ISSA-UK membership, for example, can carry a hefty personal liability if things go wrong. It's as if the PCI SSC has a distrust of the security community and has to put us through a registration process, just so it has the money to put everyone else through the same registration process.
The word process pretty much hits the nail on the head. All auditing work that I do under these standards must follow a documented process. Even if that process is wrong and introduces serious security vulnerabilities into an organisation, it must be followed or I lose my license.
If everyone follows the same documented process, then guess what? Criminals will know the gaps. Criminals will know what to go for and criminals will soon put any of these standards to shame.