A practical guide to implementation
Author: Steve Wright
Publisher: IT Governance Publishing (2008)
Price: ~£40, US$80 or €50 from IT Governance
If you are an experienced information security professional or project manager tasked with your first PCI DSS implementation, this book (coupled with PCI DSS itself and various other sources of guidance) will be a worthwhile starting point and companion on your journey to compliance. It is good value and easy to read, providing many pragmatic tips.
Scope and objective
This short book is intended to be a practical guide, giving implementation advice and tips on the Payment Card Industry Data Security Standard (PCI DSS). It supplements PCI DSS and as such is not intended to be a totally comprehensive guide but rather a useful adjunct to other relevant information sources.
The book is aimed at those tasked with implementing PCI DSS - project managers, executives and security officers. The brevity would suit busy managers or senior consultants with significant experience of information security and/or project management but this is no tutorial for students and junior consultants coming to PCI DSS, information security and project management for the first time.
Steve Wright is a senior consultant with experience in information security architecture and governance, including of course PCI DSS plus ISO27k, ISO 20000, PAS99, BS25999, PAS 77, TickIT and ISO 13335, CRAMM, COBRA, OGC M_o_R, and ISF’s IRAM. He works for the risk advisory practice at PricewaterhouseCoopers and manages the security management practice for Siemens Insight. Steve has undertaken information security projects for UK government agencies and global corporations, and lectures on information risk management. He is the director for the British Computer Society Information Security Examination Board’s Management of Risk course. Read more on Steve’s website www.ISO27002.info.
The main chapters intersperse outline summaries of the PCI DSS requirements with bullet-point tips on how best to interpret and apply those requirements in practice. The latter read like the succinct personal notes a PCI DSS project manager might keep from assignment to assignment as he/she builds experience, and as such are useful prompts for information security or project managers new to PCI DSS.
Content, utility & value
Chapter by chapter, the guide steps through the ‘typical’ PCI DSS implementation process from initial planning to post-completion maintenance, but the nine main chapters are rather brief (e.g. just 900 words in Chapter 1 “Establishing the PCI Project” and around 500 in Chapter 3 “Review the Information Security Policy”). There are numerous numbered or bullet-point lists providing just the essentials without a great deal of context or explanation; readers are generally assumed to be competent information security and/or project management specialists who will appreciate Steve’s hints.
Chapter 10 compares and contrasts the requirements of PCI DSS with those of ISO/IEC 27001 and 27002 (ISO27k). The author makes the point that ISO27k emphasizes the management system aspects of information security, which are deliberately flexible, allowing all types of organizations to develop their own security requirements based on risk analysis, whereas PCI DSS is more prescriptive and narrowly focused on financial services and merchant organizations. While the imperative for in-scope organizations to comply with PCI DSS is likely to be a strong driver and a reason for limiting the scope of the project, it is worthwhile treating the PCI DSS controls as an integral part of a full-scope Information Security Management System based on ISO27k, since the standards are complementary and mutually supporting.
A simple implementation project checklist and a skeletal project plan in two of the appendices could be used as basic starting points by project planners. The short bibliography references offline and online sources (including this website!), unfortunately without stating why readers might find them useful and without citing them fully in the main text, although there is also a separate appendix with annotated references to general sources of advice and PCI DSS-related products.
Copyright © 2012 IsecT Ltd.