
	Home > Ask the Security Channel Experts > PCI DSS Compliance Questions & Answers > Avoiding conflicts of interest in PCI security assessments

Ask The Security Channel Expert: Questions & Answers

EMAIL THIS

Avoiding conflicts of interest in PCI security assessments

EXPERT RESPONSE FROM: Retired Expert - John Kindervag

		Pose a Question

		Other Security Channel Categories

		Meet all Security Channel Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 11 June 2007
I recently became a qualified assessor. Previously, I conducted scans for my customers and fixed vulnerabilities that would prevent them from passing a QSA-conducted scan. Is it acceptable for me to fix the problems I find in the scans I find as their QSA? I'm thinking it might be better to have a separation of duties here.

Section 2.2 of the PCI Validation Requirements for Qualified Security Assessors (QSA) v. 1.1 calls for "auditor independence" within the QSA program precisely to avoid the type of conflict of interest that you are worried about. In discussing this issues with others in the industry, it is generally accepted that policies be put into place that mandate a separation of duties between QSA Auditors and QSAs, or other individuals within a QSA certified company who provide remediation support.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	PCI DSS Compliance
	How to ensure PCI-compliant firewall configurations
	PCI DSS compliance: All or nothing?
	Vulnerability mitigation for PCI compliance
	Value-adds for PCI auditors

Regulatory Compliance

Red Flags Rules compliance: Are your customers informed?

PCI compliance guide: A resource for solution providers

PCI DSS pre-assessment services: Prelude to a QSA

The impact of PCI compliance on the channel

Compliance drives opportunities for security integrators

How to turn the HIPAA compliance changes into opportunities

Data protection services offer revenue for security solution providers

Agiliance and McAfee partner for better governance, risk and compliance services

SonicWall announces partnership with Western NRG

Building a framework-based compliance program

More resources

How to prepare for network penetration testing services

An introduction to penetration testing and its legal implications for VARs and consultants

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2006 - 2009, TechTarget \| Read our Privacy Policy