Awarded contract
PCI QSA Review
Description
Cornwall Council requests quotations for the following. The QSA will be responsible for:

• PCI DSS Scope Definition: Review the already identified system components, people and processes that store, process, or transmit cardholder data (CHD) and define the complete PCI DSS scope for the Council.

• Readiness Assessment: Conduct a thorough assessment of the Council's current information security controls and practices against the requirements of PCI DSS v4.0. This assessment should include:
  • Review of relevant policies, procedures, documentation and programmes, including the methods for monitoring and managing third-party service providers.
  • Review of recently updated internal PCI awareness training materials.
  • Evaluation of network security controls, including segmentation and firewalls.
  • Review of the data flow diagrams.
  • Assessment of system and application security, including vulnerability management and patching.
  • Analysis of data security controls, including encryption and access controls.
  • Review of logging, monitoring and testing practices, including detection of unauthorised Wi-Fi networks.
  • Assessment of incident response and business continuity plans.
  • Identification of areas where it is appropriate to use sampling, whilst ensuring the sample is representative of the overall scope and complexity of the cardholder data environment (CDE).

• Gap Analysis: Based on the readiness assessment, identify any gaps or deficiencies in the Council's current controls that prevent compliance with PCI DSS. The gap analysis should provide a clear and actionable roadmap for remediation, including:
  • Prioritisation of identified gaps based on severity and risk.
  • Estimation of resources and costs required for remediation.
  • Recommendations for specific corrective actions and timelines.

• PCI DSS Report on Compliance (ROC) Assistance: Provide guidance and support to the Council's internal team in completing the applicable report for the assessment. This includes:
  • Explaining the requirements of each ROC section.
  • Assisting with data gathering and evidence collection.
  • Reviewing and validating the completed ROC for accuracy and completeness.

• PCI DSS Audit Methodology: Develop a repeatable and sustainable approach for future annual PCI DSS audits by the Council's PCI Internal Security Assessors (ISAs). This includes:
  • Documenting the audit methodology, including roles and responsibilities, procedures, and timelines.
  • Providing training and knowledge transfer to the Council's ISAs on PCI DSS audit best practices.
  • Developing audit templates and tools to simplify future audits.

Deliverables

The QSA will provide the following deliverables:
• A detailed report of the readiness assessment findings, including identified gaps and recommendations for remediation.
• A prioritised gap analysis report with estimated costs and timelines for remediation efforts.
• A completed and validated PCI DSS ROC.
• Documented PCI DSS audit methodology and training materials for the Council's ISAs.

Information Classification: CONTROLLED