One of the most important and often neglected tasks you should first consider is the project documentation. Any aspect of work that requires resource, time and effort demands to be treated as a project in itself. Failure to follow this simple advice may lead to serious complications and, worse, repercussions for your PCI compliance programme. PCI requires a serious amount of commitment and cannot be treated as business as usual.
To start, you should ensure an appropriately qualified project manager is assigned the task of overseeing the PCI programme. As any project manager will tell you, all the requirements of a project need to be assimilated and transposed into a single document. This document is known as the Project Initiation Document (PID) [30] and can be used throughout the entire PCI compliance programme to ensure delivery of the original objective – PCI compliance. One of the most effective ways to ascertain all the pertinent information relating to the project is by hosting a project initiation workshop. This workshop will be essential in providing a clear understanding of the basis of the project, and should provide a detailed breakdown of the individual activities and resource requirements, including a definition of the deliverables and the success/quality criteria for a project to complete successfully.
The workshop should be attended by the PCI sponsor, the PCI team, the project manager, the security officer and other relevant IT staff who will be involved in confirming the scope of the PCI compliance (target environment) and the boundaries for the PCI compliance work.
The workshop objectives, and therefore activities, should be discussed and agreed. Some of these topics include (but are not limited to):
- The generic approach, as outlined in this guide.
- Confirm the objectives and terms of reference for the assignment.
- Confirm the boundary of the PCI compliance target environment and, where appropriate, the interface to third party service providers.
- Confirm the roles and responsibilities of people within the entity in relation to their responsibilities for security.
- Confirm the degree of management visibility of the work that the study will require, including reporting requirements.
- Gain agreement on who should be interviewed and about what as part of the assignment, and whether or not workshops could be used to streamline the information gathering, stimulate discussion and raise awareness of the security improvement initiative.
- Confirm that a security improvement plan will be used throughout the lifecycle of the project to track, monitor and ensure the project is on target to achieve its objective – PCI compliance.
Following the workshop, the PID should be created:
1. A Project Initiation Document (PID), based on OGC, Department for Business Skills and Innovation [31], PRINCE 2 or APM [32] principles, should form the basis of the control and execution of the project. The detail should be agreed between the PCI team and the project manager, and should contain:
a. Define the objectives of the project work.
b. Define the terms of reference and scope of the project work, in meeting the above objectives.
c. Define the management structure, entity and associated responsibilities.
d. Describe the proposed approach.
e. Roles and responsibilities.
f. Project plan, including key tasks and delivery dates.
g. Interview list.
h. Description of deliverables.
j. Any assumptions or dependencies.
k. Specify deliverables.
l. Identify assumptions and risks to the project.
m. Identify constraints to the project.
n. Identify project and quality management mechanisms.
2. Also at the scoping stage, it is necessary to set out what the draft Security Improvement Plan (SIP) should look like and what it should contain. The SIP should be based on good examples (again freely available) and will be critical in contributing to the overall control and execution of the project (including during the project lifecycle and beyond). The SIP detail should also be agreed between the project sponsor, the project manager and the security officer and is the one document that will provide a continuous monitoring facility, during and after completion of the PCI implementation programme.
The SIP should look to contain at least the following components:
- ‘No.’ – Unique identification number.
- ‘Relevant Section in PCI DSS’ – the unique control reference within the Standard; this column may also contain the reference of the meeting where the action was raised (e.g. Project Update Meeting 1 – PUM #1).
- ‘Description of Action’ – description of work required.
- ‘Owner’ – the party responsible for initiating work and communicating progress back to the ISF.
- ‘Due date’ – the target date for completion of the security improvement action; and
- ‘Status’ – the current status of the action; one of complete, in progress, pending, cancelled.
These aspects should be described to a level of detail that will enable your PCI team and participating staff involved in each activity to carry out their tasks effectively, and should enable those who have responsibility for quality assurance to understand what is required of them and by when.
[30] Project Initiation Document examples can be sought from many different sources: www.ogc.gov.uk/documentation_and_templates_project_initiation_document_pid.asp, www.berr.gov.uk/aboutus/corporate/projectcentre/pmtemplates/page12526.html.