Wednesday, October 20, 2010

Is it an Audit or Assessment?

From time to time I see or hear someone getting bent out of shape because another person makes a reference to a "PCI audit." Many times the reference is made within a heated debate about the validity of something, and this apparent total lack of education opens the door for dragging the heredity of the poor soul who mentioned "audit" into the debate. Well, I beg to differ -- it is an audit, not an assessment.

The basis for this mislabeling of the audit process is the title the PCI SSC gave to the auditors -- Qualified Security Assessor (QSA). But as happens often in business, titles do not always match the role.

One of these poor misguided people tried to explain it to me this way: "Assessors do not make judgments as to the validity of something; they are simply documenting and reporting their findings to the PCI SSC, whereas auditors make judgments." But QSAs are judging pass or fail for each line item in the PCI DSS or PA-DSS specification, and once everything passes based on their opinion, they write up a ROC for the PCI SSC's final approval. Based on this definition, QSAs are performing audits.

Then you have the definitions found on 

Assessment deals with assessing or appraising the value of something. Audit, on the other hand, deals with official examination, inspection or verification of something. Based on these definitions, the Assessor is doing an audit as well.

I know that most people don't care what the "A" in QSA stands for, and they care even less whether it's called an audit or an assessment. I'm only writing this so I can easily reference my position when someone brings my heredity into a heated debate.

