
Security Training for Beginners | Cyber Security Training | Get into Cyber

Author: Mike Miller - Break in Cyber

Uploaded: 16 Nov 2022

Views: 47,943

Description:

What is the most overlooked position when getting into the Cyber Security field? As promised in my last video I'll break it down.

Let's talk about being a "Security Auditor"

Fortunately and unfortunately, one of the biggest drivers for information security is compliance.

Fortunately, compliance forces companies and organizations to comply with certain standards around their security implementation. Unfortunately, many companies are only spending money because of compliance. Compliance absolutely does not equal security, but it is still the reason that companies are spending proactive money to protect their digital assets.

There are various types of security frameworks that companies must comply with, but for this particular post I'm going to talk about one that I have been working in and out of for years, which is PCI compliance. PCI stands for Payment Card Industry, meaning credit/debit cards.

The PCI framework was set in place to protect consumers from having their credit card information go into the wrong hands. PCI standards for compliance are developed and managed by the PCI Security Standards Council.

Any business that takes a certain amount of credit cards must comply with PCI standards. There are 4 levels of merchants, which are determined by the number of credit card transactions per year. Today I'm just going to talk about Level 1 merchants.

Level 1 merchants (processing over 6 million transactions each year) must have a RoC (Report on Compliance) sign-off from a PCI-QSA, which is someone who has been certified as an auditor by the PCI Council. These RoC reports have over 300 security requirements that must be met by the business. At a high level, these include 12 major requirements for things such as firewalls, passwords, encryption, antivirus, physical protection requirements, vulnerability scans, penetration testing, and others.

A third-party QSA is the only person that can sign off on a RoC for the business. QSAs are in extremely high demand. They do not have to be extremely technical, but they must know how to use their resources to gather documentation and evidence that the company is meeting standards.

Many merchants that I have worked with over the years do not understand the PCI security requirements. It is the QSA's job to explain the requirements as effectively as possible to the business.

However, oftentimes there are PCI GAP assessments conducted prior to an actual QSA doing their assessment. This assessment can be done by anyone who understands the PCI requirements and is able to help the business understand how well their infrastructure aligns with being compliant. It costs much less to have the business work with someone to do a GAP assessment to help them align with compliance before a QSA does the actual assessment.

It doesn't cost a penny to learn the requirements. Reach out for questions!

#cybersecurity #infosec #security
