Complex Regulatory Environments: How FIS Maintains a Mature Program

Listen to learn the steps you can take to create a mature compliance program in your organization.

PCI Community Meeting North America Special Podcast Recording:

SecurityMetrics Podcast | 76

Large organizations are often faced with complex, wide-ranging challenges related to standards and regulations they need to meet.

Wes Shattler (CISSP, CISA, CRISC, CGEIT, CDPSE), Vice President, Assurance and Testing at FIS, and Chelsea Lopez (CIA, CISA, CISSP, CRISC, PCI-ISA), Enterprise Risk Director at FIS, sat down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) at PCI Community Meeting North America to discuss:

  • Elements of a mature regulatory compliance program
  • Steps you can take to create a mature compliance program in your organization
  • Compliance process challenges you might face and how to resolve them

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Complex Regulatory Environments: How FIS Maintains a Mature Program

Hello, and welcome to another SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics, and I'm extremely excited about where we are today.


We're recording here at the PCI community meeting for North America in Portland, Oregon. And with me today, I'm welcome to this podcast. Please tell the audience a little bit about yourselves, and then we'll launch into the topic.


Thanks, Jen. I'm Wes Shattler with FIS. I've been with FIS now for twenty seven years, based out of Orlando, Florida. I'm a lifelong resident Floridian.


And so I've been a resident there all my life. And with the company, I started out as a developer, conversion analyst. So I started learning how to code things, how to do programmatic issues, and just basically taking care of things from a programmatic standpoint. After a while, I got into the governance and risk area.


And so Interesting.


I, around two thousand and six, they had something come up called PCI. Mhmm. And somebody said, who would like to learn how to do a PCI framework? And I did the very first PCI assessment we did at FIS back in two thousand and six. So, been in this role now, leading the assurance and testing for about ten years.


That's a lot of experience in that area.


Well, welcome. And Chelsea? Hi, Jen. Yes. Thank you. My name is Chelsea Lopez.


I'm also with FIS.


I am a risk director overseeing our PCI compliance program globally.


At FIS, our PCI program covers more than seventy PCI DSS assessments a year. So very versed in how we maintain that compliance year round and not just doing individual sprints.


Mhmm.


Additionally, we are assessed against the other standards within PCI. So, overall, we have about a hundred and twenty reports a year that we work with QSAs on.


And I That's a lot. Yes. Yes. It is mind blowing when we talk about it.


I had come into this role, starting with FIS about ten years ago in the internal audit.


And then there was a position that had opened up to be in our operational risks team.


Mhmm.


So we were really liaisons between the business and then the formal risk management program and our third party auditors.


So I worked in that, got to work with individual business units, and then a position opened up on Wes' team to go and work with the program globally.


So I moved over into that role. So, very excited to be here and love talking about it at PCI.


Well, welcome. And I'm really excited about this conversation for a couple of reasons. First of all, there were a few very specific people that the council wanted to have talk and really elevate the message of what you're already talking about. You know, you're here.


You're gonna be on stage and communicating this message. But the piece that really stood out to me was having a mature program that reaches across, like you said, not just PCI, but some other things. How do you take a mature cybersecurity program and then assess PCI against it? It's kind of the overarching thing that we were talking about earlier.


Yeah. So I'll jump in from a PCI perspective and then ask Wes to add how we've been able to do that with the other frameworks.


So from a PCI perspective, because we have so many assessments a year, and we work with multiple QSA firms, it cannot be up to who we're working with to be their preference. So we don't really allow QSA preference on how we manage our assessments.


We are monitoring compliance year round. So it's a twelve month program. We are looking for our quarterly scans from first quarter.


We have scheduled in when the penetration test must be done. We have a ninety day window that we give to our pen testing team for when they have to have application pen tests and then our network pen tests done.


So we aren't getting things just in time for that compliance sprint up the hill to get to, a rock.


We also work very closely in monitoring how our controls are going. So we've taken PCI, this one framework, I'm really gonna say, and turned it into a sustainable program where you have metrics. We are reporting on those on a weekly basis up to leadership so they know how we're doing.


Right.


It feeds into FIS's overall sustainability program. Okay. And so we're very much complimented by our risk officers on how they don't worry about PCI because they know that we're monitoring it and we're raising the flag early if there's an issue.


So I find this very interesting because you keep coming back to risk. And it sounds like your program is very much risk based, which is, the concept of doing risk analysis is even more baked into four point o than it was in the earlier versions. Tell me a little bit more about the relationship between risk and PCI from your perspective.


Wes, do you mind taking that piece?


That's one of the things that we look at at FIS. We have a program of control testing and risk analysis so that the other team that works with me, the control testing team, they perform regular risk analysis and assessments of the various products that we do, and their information then feeds into Chelsea's program with PCI.


So the key to us is that, you know, it's not just a project. Right? This is a program that we've developed. We overlap between our different programs that we have. And so evidence that we get in a control testing assessment or a SOC report or an ISO twenty seven thousand one assessment, we can then leverage that assessment, the collateral from different programs, across to the PCI environment, making it even stronger because we have multiple entities that are doing the same kind of reviews, but they're leveraging the work between the different programs.


Very interesting. So a lot of our listeners are probably thinking, this seems like a very, very mature program and at a different state than what a lot of small merchants are. And so when we look at a maturity model, is that something you're familiar with, the different maturity model levels? And because I think that a lot of the merchants that we talk to are really at that base, you know, just getting their feet wet and may not even have performed a risk assessment yet. And so, I'm looking at, you know, how do we kind of tie this to what that level of maturity would be?


We actually, in our presentation tomorrow, we'll be talking through the maturity levels.


And we go from the initial level of nothing defined and what is this Mhmm. Through an optimized program. So we talk through what those steps look like. Now what I wanna say is, and understanding, we didn't get here overnight.


This has been a lot of years in the works and a lot of effort between, I'm gonna say, myself and my peers that report up through us of us actually saying we are going to do an evidence repository, and we're feeding things in there as we're getting it. We have gotten I'm gonna jump through because we still are at that maturity level. Yeah. But we have gotten so much buy in from our business and operational partners that they are feeding in things early.


So then they have it in there and say, oh, yeah. You need it for SOC. Here it is. You need it for PCI.


Here it is.


But we did not start this way.


And ten years ago, we were, I would say, really at that initial level Mhmm.


Of treating everything individually.


And, oh, I have this, you know, I have the SOC audit that's coming up, but I just got done with PCI.


And having to have my peer that does our SOC audits go in, give them a list, and essentially get the, like, this is the first time I've ever heard it.


That took a couple of years to get beyond that. And then we were kind of getting into a repeatable process where we could repeat success, and we could repeat success from a PCI standpoint. And then separately, we could repeat a success from a SOC standpoint. But we did not have that coordination between the two.


Oh.


I would say from an operational side, that was a big push, not just from risk management. And risk management at FIS includes cybersecurity and information security. So we treat it as risk, but it wasn't just coming out of the risk organization. It was really bought in by operations saying we're hitting audit fatigue.


We're having to provide the same thing multiple times. Can you guys figure out a way to share the information? Because I shouldn't be having to give it to Chelsea and then to Scott Mhmm. And then to Sean.


You guys all work together. You can work it out. Right.


And it just comes from trying to lessen that fatigue.


The key to a good maturity program is planning. Right? And that's what Chelsea does very well with the program is that she knows what's going to come up. She doesn't wait until ninety days before an assessment's due.


And let me just grab everything together. She's got regular checklists that she does every quarter. Mhmm. She requires things.


She's asking for the collateral that she's going to need. She's checking to make sure that all the boxes are being checked, as it were. So I think the key there is planning it appropriately. Even smaller merchants can plan.


They may not have a Right.


A large risk based program like we do today, but planning it out and knowing what's coming up next, making sure that things are in place as you go along through the year and not waiting until the annual assessment comes due.


So I like how you put that, you know, looking at the operational team. They have jobs to do. And as a third party coming into a lot of different organizations, I see in some cases where the team that's trying to, you know, deal with the compliance, or even the risk team and compliance teams, will not have the best relationship with the operational team. It's almost always because, like you said, they're being repeatedly asked for things, and it makes it hard for them to do their day to day while supplying these things over and over again. And so you said it took you about ten years. So how did you start out? How did you start?


So one of my strengths is winning over others.


We've done the CliftonStrengths test, and so I have woo built in. Okay.


Woo means winning over others. Okay. I have spent a tremendous amount of time building relationships. Some come easy, and some are more difficult.


And I will not lie. We've had some crotchety old developers that have been developing since the sixties that were like, you're the new kid on the block. What do you have to do? Yeah. I have spent time getting to know them Mhmm. And explaining what I need and explaining what I don't need.


Mhmm.


And so to the point where I've built that relationship. So when they get a request, if it's not coming from me, they will ask me, is this legitimate, and what do I provide? It could be something outside of PCI.


Mhmm.


Could be for some other group, but I'll tell them, yes. It's legitimate. This is what they're asking. Relationship building.


Okay.


And I would also say, showing that benefit and that, you know, we're not just turning things over and walking away.


I have, in the past, been known to throw things on people's calendars, that if there's a deliverable every ninety days Mhmm.


It slips our mind.


Yeah.


And we all know we get busy doing what is the fire burning closest to us. Yeah. And so, I have I still have things on my calendar that I had put there in twenty fourteen on when scans were gonna come in. So I knew, okay. The Norcross scan just ran.


Make sure Ken has it. And make sure, like, what the results are. If it's passing, we know we're good. And if it was a failure, then I'm following up to say, what are we doing?


How quick are we getting the tickets to resolve this? Mhmm. I still know I get it once a month. I'll have a scan pop up.


And I'm like, I could probably remove that at this point, but it's just ingrained, and I know it's on their calendar. Right.


So building out those calendar things that, you know, it's not necessarily my responsibility. Mhmm. Nor is it something that I, you know, I should ultimately be worried about twenty four you know, three hundred sixty five days a year. Mhmm.


But if I have set those reminders to ask the question, it makes sure that we don't drop it. And I've got the team that we have. They know it's coming. So, there's things that have just become ingrained that they know, oh, it's coming up to the fifteenth of the month.


I need to make sure I have x. But it's that extra reminder on the calendar to remind them, let me make sure I have it so it does not fall off. And we don't lose that, you know, that time frame. Because a lot of things are period based.


Mhmm.


And if we don't get something done in that time frame, you can't recreate it. No. You can't go back three months. So it's making sure that we have those flags.


Right. And we've taught them the value of us working ahead like this. So they understand that if we miss something, then their certification will be in jeopardy.


Mhmm.


And so it's important to them that we say we're doing this for your clients. Your clients want to see your PCI certification, so therefore Right. Let's make sure that we stay on track, that we keep you abreast of all the things you need to know about. We'll do the heavy lifting. We'll make sure that things are managed with the QSA, but the business operations team understands the importance of them staying on that track and keeping the schedule.


Right. And I think that there's a lot of value to what you said earlier where you said it's not necessarily your responsibility. But what I'm hearing from you is just because you're not the ultimate accountable person doesn't mean you don't contribute to the success of something happening.


Correct.


And so, but it's hard to get there.


It has been very hard to get there. Yes. We've had to have a lot of buy in from the operations team. We've had to have a lot of discussions about this is the importance of your certification.


We've even had some clients who have talked to operations along the way and said, I need this certification. I need it now, and if you can't give it to me, then we're gonna have an issue. So I think sometimes that pressure on the operations team, that they've seen that from their clients, that's, okay, now we need to listen to our risk management team a little more. We need to help, you know, them when they need collateral, when they have questions raised, and so it's made it much easier for us as a risk management department.


So helping the operations team know the value of something to other people, how their work affects other people. Yes.


You find that to be a successful Yes.


Because they now see what the QSA requests that they put in. Mhmm. That gives them the opportunity then to go back to focusing on their operational side because they're also sharing that same information with us, the importance of operations. We can't miss our service level agreements. And so therefore, you know, anything they can do to shift the work to us, they're willing to do as long as we're running from a risk management standpoint and helping them to get their certifications, keep the compliance level up.


Okay. So, as we talked about earlier, it starts with planning, but just the planning isn't enough to create that mature process. One of the things that I've seen in the more mature organizations is that when there is a gap or a question or a place of conflict, rather than letting that escalate into a negative thing, they have already built in processes that they use those moments to improve what they have going on. Is that something that you've seen as well? Improvement of process, like the OODA loop, or how do you take what you have and improve that?


I would say it's an ongoing process. I mean, we have regular forums that we bring together all the stakeholders. Mhmm. And I think that the discussions are important. So, Chelsea runs a monthly forum just to bring all the stakeholders together and say these are the key things we need to be on the lookout for. These are changes that are coming in PCI four point zero. These are things that we may have had an issue with in recent transactions.


Whatever it might be, she's bringing the entire group together and opening that up. What do you have questions on? Where do you see concerns? How can we keep this communication going?


So, yeah, I'll just add on that. So we do that. We have a weekly reporting and a weekly, we do a half hour discussion of everything that's in flight, so of our program, and walk through where we are and are there common challenges.


And a lot of times we'll run through where it's like the theme of the week with what's going on, and how, again, that ultimate responsibility and accountability is on our operational partners. But how can we lessen that burden on them and how can we add efficiency?


So one area that we do a lot of is, again, I'm gonna focus on our penetration testing, with the number of assessments that we have in a given year. Mhmm.


And having more than five hundred individual applications in scope for PCI That's a lot.


There is a lot of penetration testing, and then our network and network testing.


And then as a service provider, we are subject to doing segmentation testing; we have a segmented network. So having those segmentation tests done every hundred and eighty days. Mhmm.


So rather than having individual business units trying to reach out to our penetration testing team, we meet with them once a week also to talk through what's going on, what findings, if they have some common findings that we need to be communicating out to the operational teams around the globe. Mhmm. But also making sure we're getting things done within the prescribed time frames and trying to lessen that burden on our operational teams. So once they get a vulnerability, vulnerabilities don't get remediated overnight for the most part. They're going to take coordination between our service delivery team, our technology teams, and the developers actually coding the change.


And so we're trying to build in those runways. Right.


So we do our weekly forum. We do have a monthly town hall, and we contribute to the overall risk sustainability program.


So we actually give PCI updates biweekly on those meetings Oh, okay.


Of where we are, what challenges we're seeing.


And it's attended by our chief risk officer, by our leadership within the risk management and IT areas. So they're hearing firsthand what challenges we're facing, and we're able to get the right resources allocated as needed.


So communication is a big key there.


Yes. It is.


Not just the planning, but also communicating what's being done and when and why.


And what we're expecting, you know, things that are coming up. We don't want anything to be a surprise. So, if we're planning ahead, communicating with our teams, communicating with the operational business, then things go much smoother along the way.


So I'll bet we have a lot of customer or excuse me. I'll bet we have a lot of listeners who are thinking this sounds great. I would love to have this.


But having been part of developing this for quite a few years, what are the things they need to be aware of that could stop their progress in developing it? Where are there some gotchas or some difficulties?


There's always the challenge of buy in, and I'm gonna say it's buy in at every level. Mhmm. So we may have buy in at, you know, at our leadership level. And generally, we get the buy in there, and it's how we trickle that down Mhmm.


And get buy in along the way where people, and we're gonna go down to, you know, down to the lower level employees, and they may still be managers or directors. So they are not, you know, they're not brand new, but they have a lot of pressure coming from different areas and how we're able to work. That's one of the biggest challenges, that competition for resources. Mhmm. So how do we balance what we wanna do from a revenue or from a growth perspective Mhmm. Versus what we wanna do from an efficiency standpoint of reducing the pressure from compliance?


And I don't know that we've ever, I still, that's a regular kind of balancing act. So I will say we haven't totally figured that out. It's just a matter of having to help work through prioritizations.


And that probably comes back again to the communication piece you were talking about.


Yeah. Yes.


It does.


The other thing that we do very well, and I would say any organization can do this.


So I would say it doesn't matter where you are on the maturity scale. We also celebrate our wins. Oh. So when we get through an assessment, and like I've said, we have a lot.


We send out congratulations to the team, and we send that all the way up to our executive leadership team, whoever has team members responsible in that. Mhmm. So we're celebrating. We've achieved compliance for the year. We have met our obligations with our clients.


And thank you. And we will get senior level people that are replying back to that email and saying great job, team. And I think those congratulations go a long way.


So, you know, there's a lot of pressure when things are going bad, but we're able to celebrate when we've achieved success.


Excellent.


One of the questions I get asked is, are there tools out there that we can use? Because sometimes people wanna kinda shortcut or even augment communication with tools. And I'm wondering, are tools important? Are there, you know, tools that support these types of planning and communication? Or do you think that's less critical?


So we don't use any extraordinary tools to do this. Right? We're using normal communications tools, Teams meetings, Slack channels, emails, things like that.


We run a lot of spreadsheets, Excel spreadsheets, SharePoints, things to collaborate and bring data together Mhmm.


Bring our collateral into a common repository.


So, you know, normal tools like that are used, and that's the way we communicate and collaborate with our teams. We're not going out and buying an expensive tool that, you know, requires us to go in and build new formats and things like that.


So those are basically the standard things we're using. Chelsea, do you have anything else that you use?


No, really. I mean, we manage through spreadsheets and SharePoint sites. And I know that in this day and age, it shocks people. But the challenges that we run into are, a, tooling is very expensive.


Yeah.


Just the initial purchase, plus then we have to have the staff to keep it going and that maintenance program, and how we do configurations and stuff.


So it's just worked for us for many years, and I mean, it's that balancing act. But, yeah, I mean, Excel and SharePoint and buy in from the people that have been doing this for a while, that, you know, if somebody new comes in, we say, here is our process, and this is what we follow. So we have some documentation on our processes that we'll share and what the expectation is.


So we're managing it really that way.


So I'm fascinated a little bit by the broad spectrum of things that you have to, or choose to, assess against or be compliant with. Sometimes I'll run into groups that say, well, our PCI policies, procedures, security tools, that's all over here. It's separate from our other security and compliance programs. And I just wonder, has that been your experience? Do you need to separate them out like that?


From our standpoint, we want everybody at the table together. Chelsea and her counterparts sit together. We meet. We talk about challenges they're having.


Sometimes a challenge that Chelsea is having may be something that somebody else has already solved, or Chelsea may have a solution for someone else. There are cases where Chelsea says I need to get something from the business and somebody says, I'm doing an assessment of that group next week, I can get that document for you. So by combining the teams together and the way we work our assurance and testing, we're bringing all the different aspects of these groups together so they can work together to solve the issues that come up.


Yeah. And I'd just like to add on that. We do collaborate a lot.


My program is really an oversight function, but I have a peer that does our risk assessments and our control testing.


So when we were talking through, one of the PCI requirements is that we have to do quarterly validations of select controls and make sure that those are operating effectively.


I have actually been able to lean on my peer that does the control testing team. They are testing those five areas for us every quarter producing a report.


And so if there are noncompliance areas, they're recording it, and we're working through those remediation items, but it feeds directly into the PCI program overall.


And we've done that also with ISO, with my peer that runs our ISO program. If they're going to a site or they identify something, they will flag my team and say, hey. We saw this thing. This is questionable.


Are you aware of it? And so we're able to look at having more, I'm gonna say, more boots on the ground, but we all have, you know, we're looking at things a little differently, but we've also done the control mappings between those, where I will see something and say, hey. I think this is one of the ISO controls you need to worry about.


And so we are taking things, again, not as siloed or treating them as separate.


Mhmm.


We come back to our overall security policies and where we wanna make sure we share that information.


Excellent. Well, I really appreciate you coming and talking to me today. I know that there are a lot of people who probably are thinking, well, how do I increase the maturity of my program? How do I get more cross communication across the different groups? Is there any kind of last pieces of advice that you could give people as they develop that?


I would say I will have you, Wes. I guess I'll take the first part. Within Wes's org, there's five of us, all with five different areas of concern that we work on.


Right.


And we collaborate weekly. We share information.


If there's a new policy, we're publishing it out and saying, hey. You might need to look at this. Mhmm.


And also with our operational business partners. So we have relationships with different groups, and so we're able to leverage each other's network.


Okay.


So I would say that's one area. Wes does this beyond just what our team does and is helping evangelize our messages out within the organization. So I know you do some more.


Sure. And I think it goes back to the planning aspect of it. Right? Maturity doesn't just happen.


It's not a matter of time. It's a matter of getting to where you want to be. And if you don't have a plan of where you want to go, then you're not gonna reach it. So we plan it, we communicate, we collaborate.


That's the key for the maturity program that we've been able to reach is that bringing the right resources together, talking about where we wanna go, and making sure that we have a plan to get there.


Alright. Thank you so much. This is a lot of valuable information and I really appreciate your time.


Thank you, Jen. We've enjoyed it.


Yep. Absolutely. Thank you.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
