Consultant v Assessor

I know we have been mostly focusing on PCI’s Digital Security Standard (DSS) version 4 for the past couple of months, working to put out some initial information on the topic for those who don’t know what questions to start with between themselves and their PCI team members.  For this week I wanted to take a break from PCI, just to give everyone a breather.  We will keep going over v4, and other PCI topics throughout 2023 (and beyond), but we can’t ignore the other topics worthy of inclusion.

Overall Thoughts

In today’s complicated realm of IT Governance, Security, and Regulations, the need for companies to bring in outside guidance has never been greater.  I am constantly having conversations with people about what they need to be aware of to keep their data protected.  Some of these conversations happen between me and my clients.  Luckily, I have been able to put these discussions off when they come up during a formal assessment period.  This dialogue has gotten me thinking about the need to clarify the differences between my roles as a consultant and as an assessor.

The main differences between a consultant and an assessor

So, what is the difference between the two?  Let us discuss the two individually and see what they each have to offer you.

  • Consultants – A consultant is an independent third party that works as a subject matter expert, or SME.  The subject in which they specialize can vary across many different areas.  The key things to keep in mind regarding a consultant are:
    • Consultants are paid for their expertise/knowledge.  Consultants working in the compliance arena have expertise/knowledge of industry standards.  They are not experts on “your” environment.
    • Good communicators – The consultant should be able to help you understand the industry standards that are relevant and work with your staff to apply them to your environment through a collaborative effort.
    • End goal is to help you and their focus is on using their knowledge to assist you in achieving the goals of your company, or at the very least the engagement they were hired for at the time.
  • Assessor (Auditor) – An assessor is also an independent third party that is an SME.  The similarities of the two end there.  The assessor does exactly as their name implies: they “assess” your environment against a standard, either regulatory or industry, to determine your level of compliance.
    • Assessors are experts on auditing standards, usually on multiple standards, but some do specialize.
    • The assessor should have some widespread knowledge of technical architecture and business processes.
    • Probably a good communicator.  I say probably because the ability to fully communicate and determine compliance is a skill that makes the engagements more enjoyable, but the requirement to properly communicate rests more heavily on the shoulders of the entity being assessed.  The reason for this is that the company will bear the brunt of a non-compliant finding.  There are plenty of people that are great communicators working as auditors, so if you happen to work with someone that is not, you are not required to stay with them for any reason.
    • Most important thing to note – They are there to determine your compliance with the standard associated with the engagement.  They are NOT there to help solve issues.  Once it becomes a “fix” situation, this falls under remediation and is the role of the consultant (even if it is the same person doing it outside of the assessment.)

What should you expect from a consultant?

When working with a consultant you want to make certain that you coordinate with your management and affected internal staff, prior to hiring/selecting the company, and person, that you will be working with on the engagement.  Prior to signing a contract, you should get everyone internally on the same page and agree to a clearly defined area of need and focus.  Consultants tend to bill by the hour, so making sure everyone is marching in the same direction, so to speak, will save money by reducing the risk that you will be changing course multiple times during the engagement.

However, you also must be open minded throughout the project and accept the notion that things may change based on feedback from your consultant.  If you are not agreeable to the idea of having to do things differently than you had originally planned, you should not have hired a consultant.  It is a waste of money to pay someone to sit back and tell you how great your ideas are and add nothing else to the conversation.  Any consultant worth the money spent on them should be able to help you grow in some fashion, otherwise they are just cashing in on your lack of understanding.

Even if you have the most technically savvy consultant you can find, do not expect them to be true miracle workers.  What I mean by that is this – If they show up and impress you with a lot of amazing ideas that you have never considered and are not capable of implementing without them, how will you support the changes once they are gone?  It is one thing to have someone that has experienced so many environments throughout their career, seen every option out there throughout their travels, and is able to solve any problem they come across.  It is something entirely different to find a person that can sit down with your staff, learn your environment and business processes, and come up with solutions that are custom tailored for your needs (and on your budget).  Do not be fooled or feel pressured to take on work that is beyond your company’s capabilities (technical or financial).

Managing the assessor

If you find yourself in a situation where you are going through an audit or assessment, let us discuss some behavior and thoughts to make the process easier for both you and the person working to find a determination on your state of compliance.  These are some ideas that are based on previous experiences from sitting in the room as a member of internal operations and from the other side of the table as the independent third-party assessor.

Be friendly.  It seems odd to have to state this, but there have been times when the conversation can get contentious when poring over the details of an environment and other evidence to determine if everything looks the way it should, based on a standard that is outside the control of anyone sitting at the table.  Remember that most assessors/auditors have no personal interest in the findings, other than that it is their day job and reflects on their personal and professional integrity.  No assessor worth hiring will compromise their own integrity by doing something unethical, so rest assured they will produce reports that accurately reflect what they see throughout the assessment.  You may not see eye to eye on something, but find a way to convey this without crossing the line and expect them to do the same.

Keep the non-assessment chatter to a minimum and away from hot button items.  By this, what I mean is don’t say things in front of your assessor that have them questioning why it was said or if they have missed something (or worse, if you are hiding something).  Here are some examples I have heard over the years that caused some undue work to prove they were only said in jest:

  • Hypothetical questions – Asking an assessor during the formal engagement about some “situation where we may have done this, knowing it was not ok, but we felt we had to do it anyway.”  This will never be an acceptable conversation.  I am not advocating for you to hide things from your auditor, quite the opposite, but if it really is a true hypothetical – sit on it until after everything is wrapped up.
  • Jokes about poor security and/or business practices – Between evidence reviews it is a bad idea to make jokes about “Joe from accounting that keeps his password to the financial system written on a post-it note stuck to his monitor and what a pain it is to support him because he has admin access to the systems.”  You can probably set the over/under in under 5 minutes before Joe’s desk comes into scope and you need to pay Joe a surprise visit.  Again, even if it is a joke it is in poor taste and puts your company’s compliance in jeopardy.  Best to save these until afterwards when jokes are not going to increase risk for you (or just say them internally when the assessor is not around.)

Conclusion (What is the big take away from all of this?)

So, what have we determined?  First off, consultants and assessors are mostly the same people, from a skills perspective, while their focus is the opposite of each other.  Consultants are there to augment your knowledge and help you to find manageable solutions, while assessors focus on documenting the working details of your environment in a way that shows compliance to the stated standards.  Ideally you will work with a company that has enough people among their staff to allow you to negotiate a single contract that can cover all your needs.  I know that among my team at Protiviti we have multiple clients with one person serving as a consultant and someone else working on assessments.

When looking to engage either for work to be done on your enterprise, do the work ahead of time to have a clear direction and understanding of what it is you need to accomplish.  This will save you time and money, while increasing the chance of you getting a result you are happy about.  When seeking out the person you are working with, look for a company with a history and track record of providing knowledgeable people that can deliver in the areas where you feel you have the most need.  Once you have decided that you need/want assistance from a third party, do your homework, both from an internal and external perspective.  Talk to people you trust about who they have worked with previously and ask for contact information.

As always, I hope this tidbit of information gives you a base to have discussions with your internal management about third-party needs within your IT and Data Privacy space.  Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website.

PCI v4 – Targeted Risk Analyses (TRA)

Happy New Year 2023!!  I hope everyone had a wonderful holiday break over the past few weeks.  Now that 2023 is up and running in full swing, and we covered all the PCI v4 requirement sections, I wanted to dig a little bit into the weeds of version 4.  Today I am going to focus on the targeted risk analyses, which is a new concept in PCI.  Personally, I really feel like it is a new twist on an existing concept.  You will see why as we make our way through it.

So, what exactly is this and how is it different?

At first glance most of you see this and think to yourselves, “I already do risk assessments, so I am good.”  That line of thought would be a fast pass (don’t sue me Disney) to non-compliance.  This new process is not the same thing as the current risk assessment you are required to do on an annual basis.  Let’s look at the change in terminology and discuss what that means for you.  The annual risk assessment is now a targeted risk analysis.  An assessment is a form of judgement.  To perform an assessment, you need a set of prescriptive controls, or standards (like PCI) that can be used as a guide to measure against.  In the end, a summary finding, or judgement, can be issued on whether the control requirements were met.  This is how PCI works under version 3.2.1.  They say, “passwords need to be at least 7 characters” and your environment password settings are judged against that required standard and found compliant or lacking (non-compliant).  How does this relate to the TRA?  Directly it doesn’t (unless it does for you specifically, but more on that later); it is just an example of what an assessment is in its purest form.

Ok, so that is an assessment.  What is an analysis?  My favorite way to answer this question, as it pertains to PCI, is from the 2nd listing at dictionary.com: “this process as a method of studying the nature of something or of determining its essential features and their relations”.  In other words, you look at the nature of the risk for a specific system to better understand the “essential features and their relations”.  What are the risks to this system?  Let’s track them, dig into them, and determine the true likelihood and impact of a compromise.  In a nutshell, you are now going to look at potential attack vector points through the microscope of “How, what, when, WHO, and how bad” to determine individual system/environment threat appetite.

Ok, so there is a difference.  What do I do with this information?

Great question internet user!  In PCI v4, the TRA is the gatekeeper for doing a customized approach for any of your controls.  Using the customized approach requires that the entity being assessed has performed a TRA for EVERY control addressed by a method of compliance that is outside of the standard control language/requirements.  With the change of approach for PCI coming in version 4 (meeting security objectives over just meeting the standard – for you TTRPG gamers it is RAI v RAW), the ability to document and justify why the security in place is sufficient for PCI compliance is required.  Any (all) TRAs in use within the entity must be developed, tested, and implemented prior to the start of your annual PCI assessment.  On top of that, the QSA that works with you to develop the TRAs within your environment CANNOT be the one performing your assessment (checks and balances).  My advice would be to take that aspect seriously and engage a secondary QSA-C for development of the TRAs, separate from the one doing your assessment, if you can find one doing this level of work.

There are also some situations where the TRA can be used to determine how often security reviews need to take place.  It is no longer a default to do everything on an annual basis; instead, companies are expected to understand their risk in enough detail to make the judgement call on how often these take place.  Sometimes, due to system isolation and lack of modifications (or system delicacy), you may not feel it is needed to do security reviews more than every couple of years.  For other systems, due to the sensitive nature of the work being done and possibly high turnover of the workforce with access to the data, you may need to do some formal review process quarterly – or monthly.  I know this was written vaguely, but I want you to be aware of this so a conversation with your QSA of choice can take place, not to influence you in any specific direction.

Conclusion

On initial glance the TRA looks to be less work than the current risk assessment being conducted for v.3.2.1.  This, however, isn’t the case.  To do a proper job, with sufficient environmental coverage, you will most likely need to start with the current risk assessment process as a way of identifying the areas in need of a TRA.  There isn’t a requirement for a risk assessment to be conducted for the identification of areas needing a targeted risk analysis.  You can just use them when your security team opts for the customized approach, or as a justification method for modifications to some of the PCI annual reviews (FYI – this would also be considered a customized approach process).  However, whichever path you take, the TRA is going to require extensive knowledge in the areas of risk analysis, your environmental factors (technical, process, human factors), and possibly threat modeling and custom security control creation.  These are all the areas utilized when using the targeted risk analysis in your toolbox to assist with achieving compliance, and overall security.

As always, thank you for taking the time to read my thoughts on this.  I know we could go much deeper into the topic, and I would love to provide any details that interest you on this (or any other topic).  If you already have a trusted security expert in your organization and/or as a third-party consultant, reach out to them and seek a better understanding of this process ahead of the implementation of PCI v4 in your environment as the standard you are assessed against.  Most companies won’t (and shouldn’t) use customized approaches during their assessment.  That is something for the truly mature security programs, but that doesn’t mean you shouldn’t talk it over with your relevant sources and make the determination that is best for you and your company.

Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website.

Cheers – Shawn!