Ask The Security Channel Expert: Questions & Answers
Avoiding conflicts of interest in PCI security assessments

Expert response from: John Kindervag (retired expert)

QUESTION POSED ON: 11 June 2007
I recently became a qualified assessor. Previously, I conducted scans for my customers and fixed vulnerabilities that would prevent them from passing a QSA-conducted scan. Is it acceptable for me to fix the problems I find in the scans I conduct as their QSA? I'm thinking it might be better to have a separation of duties here.

EXPERT RESPONSE

Section 2.2 of the PCI Validation Requirements for Qualified Security Assessors (QSA) v. 1.1 calls for "auditor independence" within the QSA program precisely to avoid the type of conflict of interest that you are worried about. In discussing this issue with others in the industry, it is generally accepted that policies be put into place that mandate a separation of duties between QSA Auditors and QSAs, or other individuals within a QSA-certified company who provide remediation support.
Copyright 2006 - 2008, TechTarget