Becoming an Internal Security Assessor (ISA)
Have you ever thought of becoming a PCI ISA, an Internal Security Assessor? Several times clients have asked me if they should become an ISA. The PCI SSC ISA program is to educate members of your staff to take on expanded duties related to your PCI compliance. The PCI SSC maintains the PCI professional program, PCIP, that provides an understanding of the PCI DSS and how to operate in the PCI ecosystem. The ISA takes the education and experience further, to what is like QSA training. Having an ISA on your staff will improve the quality and reliability of your PCI program. An ISA will also enhance the consistency of your self-assessments. The ISA serves as your in-house PCI resource who can answer questions, specify policy, and help prepare your organization for their annual PCI compliance activities.
Small organizations may not benefit from an ISA due to the cost of sponsorship, getting the training and subsequent testing. Like a QSA, the ISA must periodically re-certify which involves training and testing. QSAs like myself must take training and testing annually to re-certify as an assessor. And, in a similar manner, the ISA must re-certify annually through rigorous training and testing.
The similarities between QSA and ISA do not stop there. As a QSA, I am required to work for a QSAC, a QSA Company, in my case SecureTrust. The QSAC sponsors my annual training, testing, and bonding insurance. In the initial steps, the company the potential ISA works for must become a sponsoring organization which serves the same role as the QSAC. The Sponsoring company submits an attestation signed by an appropriate senior level member to the PCI SSC. The agreement (which goes on for pages) has BOLD text in some cases that specifies specific terms, but the intent is the same. The sponsoring company is backing the ISA candidate. The ISA qualification is tied to that sponsoring company. The ISA can only perform assessment activities for that sponsoring company and if the ISA leaves, the qualification immediately terminates.
Any full-time employee can become an ISA, but the PCI SSC has some ISA qualification requirements. The ISA must complete PCI DSS training and pass the examination at the end. The ISA must read and agree to the PCI SSC Code of Professional Responsibility just like I must as a QSA, and the ISA must accept the ISA Attestation.
The PCI SSC does have some recommended experience due to the highly technical nature of the role. While it is the same qualifications that I as a QSA are required to hold for performance of my role, in the case of the ISA it is recommended. I think you can get a good idea of the previous knowledge and capabilities the person must possess to be an ISA from the list below; the list was pulled directly from the ISA qualification requirements found on the PCI SSC website:
- Sufficient information security knowledge and experience to conduct technically complex
security assessments; - Emphasis on internal information systems and security audit work as a Sponsor Company
employee; - Strong understanding of payment processes, related systems, and PCI DSS;
- Annual information systems audit training to support applicable continuing professional
education requirements (for example, 20 hours of such training annually and 120 hours of such
training over the immediately preceding rolling three-year period); and - The following additional qualifications:
- University or undergraduate degree;
- Five years of applicable work experience;
- One year of experience performing information security audits similar to QSA Assessments, three separate such audits, or other equivalent as determined by the Sponsor Company;
- Demonstrated expertise in at least three relevant areas including network security, application security and consultancy, and system integration; and
- One or more of the following industry-recognized professional certifications (possessing one certification from each list is recommended, but not required):List A – Information Security
- Certified Information System Security Professional (CISSP)
- Certified Information Security Manager (CISM)List B – Audit
- Certified Information Systems Auditor (CISA)
- GIAC Systems and Network Auditor (GSNA)
- Certified ISO 27001, Lead Auditor, Internal Auditor
- International Register of Certificated Auditors (IRCA)
- Information Security Management System (ISMS) Auditor
Having an ISA on your staff can be a real boost to your PCI compliance posture. A member of the team who can help bridge the gap between the internal organization and the external PCI assessor can be invaluable. In the PCI ecosystem, the most fundamental understanding is the scope of the environment. It sets the playing field for the assessment and focuses resources where they are best applied to protect payment card data. Having a member of your staff who can speak the same language as the QSA and understands the scope of your environment, and the people/processes behind it, has the potential to both shorten and bring in a compliant assessment.
Drew Cathey has been a member of the SecureTrust team for 5 years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.