The Governance, Risk and Compliance (GRC) team for our Fortune 500 retail client is chartered with protecting all aspects of data security. In preparation for twice-yearly PCI audits, the GRC team was tasked with collecting attestation information at touchpoints across the organization, from firewalls to cash registers.
The constantly changing and increasingly complex demands of manual information gathering were an organizational pain point, and the GRC team saw an opportunity to automate the collection of evidence from applications subject to PCI audits. This would speed the process, reducing the strain on application and tool teams, increasing confidence that the company was within the standard, and decreasing the potential for financial penalties.
The GRC team had strong project management and SME capabilities but lacked the engineering bandwidth internally to execute the initiative. The retailer engaged the Kalles Group to tap their seasoned PCI compliance practice, deep expertise in multiple development languages, familiarity with many security systems, and high-horsepower engineering capacity. The challenge was to complete this project in the few weeks between PCI audits.
This was no simple undertaking. To make the biggest impact in the shortest amount of time, the Kalles Group needed to define a process to rank each system by its financial risk, gauge the complexity of automating it, and determine the level of buy-in from each internal team. Since all the work would need to be done in a short time frame, the project required rapid deployment that would not interrupt preparation for the next audit.
The Kalles Group defined artifact collection details for each system, prioritized the sequence in which systems would be automated, determined the applicable CIS benchmarks per system, and mapped those benchmarks to controls. Next, the team researched audit and remediation methods, then scripted the automated collection of evidence for audit purposes, documenting findings and nuances along the way.
When systems running older software threatened to slow momentum, the Kalles Group team dug into documentation for obscure legacy software versions to find ways to connect those systems. The Kalles Group team provided essential talent with expertise in a myriad of languages and systems, including Java, Python, Ruby (Chef InSpec), PowerShell, and custom APIs.
The end product was a GRC-owned database repository for evidence collection, separate from the audit system of record. In order to bring areas at risk back into compliance, the team added scripts that would flag compliance anomalies and alert tool owners to the steps required to become compliant.
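The pipeline described in the two passages above (benchmark-to-control mapping, scripted evidence collection into a GRC-owned repository, and anomaly flagging that routes remediation steps to system owners) can be sketched in a few dozen lines. The block below is an added illustration, not code from the Kalles Group or the client: the benchmark ids, PCI control labels, host names, owner names and collector output are all constructed placeholders, and SQLite stands in for whatever database the GRC team actually used.

```python
import sqlite3
from dataclasses import dataclass

# Hypothetical benchmark-to-control mapping (placeholders, not a real CIS/PCI crosswalk).
# Each entry: benchmark check id -> (expected value, PCI control label, remediation hint).
BENCHMARK_MAP = {
    "cis.ssh.permit_root_login": ("no", "PCI-REQ-2-placeholder",
                                  "Set PermitRootLogin no in sshd_config and restart sshd"),
    "cis.logging.remote_syslog": ("enabled", "PCI-REQ-10-placeholder",
                                  "Enable forwarding of logs to the central syslog collector"),
    "cis.fw.default_inbound_policy": ("drop", "PCI-REQ-1-placeholder",
                                      "Set the default inbound firewall policy to drop"),
}

# Constructed system-owner directory: who is alerted for a given host.
OWNERS = {"pos-register-01": "pos-platform-team",
          "pos-register-02": "pos-platform-team",
          "edge-fw-01": "network-team"}

# Constructed collector output, one dict per host, as a per-system collection
# script (InSpec, PowerShell, a custom API client, ...) might emit it.
SAMPLE_RECORDS = [
    {"host": "pos-register-01", "cis.ssh.permit_root_login": "no",
     "cis.logging.remote_syslog": "enabled", "cis.fw.default_inbound_policy": "drop"},
    {"host": "pos-register-02", "cis.ssh.permit_root_login": "yes",
     "cis.logging.remote_syslog": "enabled", "cis.fw.default_inbound_policy": "accept"},
    # The syslog check is absent here: a collection gap, not a pass.
    {"host": "edge-fw-01", "cis.ssh.permit_root_login": "no",
     "cis.fw.default_inbound_policy": "drop"},
]


@dataclass
class Evidence:
    host: str
    benchmark: str
    control: str
    expected: str
    observed: str
    compliant: bool


def evaluate(records):
    """Compare each collected value with its benchmark expectation. A value the
    collector did not return is recorded as MISSING and treated as non-compliant,
    so a broken collector cannot silently look like a passing control."""
    out = []
    for rec in records:
        for bench, (expected, control, _hint) in BENCHMARK_MAP.items():
            observed = rec.get(bench, "MISSING")
            out.append(Evidence(rec["host"], bench, control, expected,
                                observed, observed == expected))
    return out


def store(evidence, conn):
    """Persist evidence in the GRC-owned repository (SQLite here), which is kept
    separate from the audit system of record."""
    conn.execute("""CREATE TABLE IF NOT EXISTS evidence (
        host TEXT, benchmark TEXT, control TEXT,
        expected TEXT, observed TEXT, compliant INTEGER)""")
    conn.executemany(
        "INSERT INTO evidence VALUES (?,?,?,?,?,?)",
        [(e.host, e.benchmark, e.control, e.expected, e.observed, int(e.compliant))
         for e in evidence])
    conn.commit()


def anomaly_alerts(conn):
    """Query the repository for non-compliant evidence and build one alert list
    per owner, each item naming the host, control and the remediation step."""
    rows = conn.execute(
        "SELECT host, benchmark, control, observed FROM evidence "
        "WHERE compliant = 0 ORDER BY host, benchmark").fetchall()
    alerts = {}
    for host, bench, control, observed in rows:
        owner = OWNERS.get(host, "unassigned")
        alerts.setdefault(owner, []).append({
            "host": host, "control": control, "benchmark": bench,
            "observed": observed, "remediation": BENCHMARK_MAP[bench][2]})
    return alerts


def run(records=SAMPLE_RECORDS):
    """Collect -> evaluate -> store -> alert; returns the evidence and the alerts."""
    conn = sqlite3.connect(":memory:")
    evidence = evaluate(records)
    store(evidence, conn)
    return evidence, anomaly_alerts(conn)


if __name__ == "__main__":
    evidence, alerts = run()
    print(f"{len(evidence)} evidence rows, {sum(not e.compliant for e in evidence)} anomalies")
    for owner, items in alerts.items():
        for item in items:
            print(f"[{owner}] {item['host']} {item['control']}: "
                  f"observed={item['observed']} -> {item['remediation']}")
```

The design point worth keeping from this sketch is that a missing measurement is recorded as a failure rather than ignored; with hundreds of legacy endpoints, collector breakage is as common a cause of audit surprises as genuine drift, and the repository should make the two distinguishable.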
The work for twice-yearly PCI audits was significantly reduced, and tool team owners were able to return to focusing on improving systems, adding features, and moving the business forward. Alerting and analytics built atop the database connected the true owners to compliance tasks and empowered them to take the steps to remain in compliance. Scripts developed by the Kalles Group team were written to be easily adopted and maintained by their eventual owners. The entire organization benefited from reduced risk, the elimination of busy-work, and the establishment of a more natural workflow for nearly all teams across the company.
“The Kalles Group was a huge help in bringing momentum to an existing vision that was a skunkworks project with legs. The Kalles Group’s approach is highly agile, running define, build, design, and run stages in parallel. With a compressed timeframe, this allows us to learn lessons quickly that might take quarters or years to learn in a waterfall setting.”