What is a Critical Security Control Failure?
Critical security control failure. That is a lot of words. What does it mean, and how does it apply to your organization? We here at Schellman are well aware of these requirements. Stay tuned.
Hello, I am Sully Perella, manager at Schellman. For service providers, there is a requirement regarding critical security control failures. The idea behind it is that a number of controls within your environment exist to protect it, for example controls that:
- Identify whether malware has been installed
- Confirm that firewalls are functioning correctly
- Provide logging within your systems
All of these controls, and many more throughout the standard, reveal when systems are behaving erratically, whether because of a general failure or because of an intrusion. The requirement around critical security control failures addresses the case where one of these controls itself ceases to work (that is the critical security control failure). It asks three questions: how does the organization know that the control stopped working? How does the organization respond to it? And what triage takes place afterward?
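The first of those questions, knowing that a control has gone silent, is the one most often left to chance. The following is an added example, not Schellman's code or anything from the standard itself: a small staleness monitor that reads constructed heartbeat lines from the kinds of controls listed above (firewall, anti-malware, log forwarding), flags any expected control that has not reported "OK" within a tolerance, and records how long it was silent so the triage that follows has a starting duration. The heartbeat line format, the control names, the hostnames and the tolerances are all assumptions made for the illustration.

```python
"""Added illustration (not Schellman's code): detect that a security control has
stopped reporting, which is the first question the requirement poses."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical tolerances: longest gap between "OK" heartbeats before a control
# is treated as failed. A real deployment would tune these per control.
MAX_SILENCE = {
    "firewall": timedelta(minutes=5),
    "antimalware": timedelta(hours=1),
    "log_forwarder": timedelta(minutes=10),
}
DEFAULT_SILENCE = timedelta(minutes=15)

# Constructed heartbeat lines: "<iso-time> <control> <host> <status>".
SAMPLE = [
    "2024-03-01T10:00:00+00:00 firewall fw-edge-1 OK",
    "2024-03-01T10:04:00+00:00 firewall fw-edge-1 OK",
    "2024-03-01T09:30:00+00:00 antimalware app-01 OK",
    "2024-03-01T09:40:00+00:00 log_forwarder app-01 OK",
    "2024-03-01T10:03:00+00:00 log_forwarder db-01 OK",
]

# Controls that are expected to exist; a control that never reports at all is a
# failure too, which a "last seen" lookup alone would miss.
EXPECTED = [
    ("firewall", "fw-edge-1"),
    ("antimalware", "app-01"),
    ("antimalware", "db-01"),
    ("log_forwarder", "app-01"),
    ("log_forwarder", "db-01"),
]
NOW = datetime(2024, 3, 1, 10, 5, tzinfo=timezone.utc)


@dataclass
class ControlFailure:
    control: str
    host: str
    last_seen: Optional[datetime]   # None when the control never reported
    detected_at: datetime

    def silence(self) -> Optional[timedelta]:
        """How long the control had been quiet when the failure was detected."""
        if self.last_seen is None:
            return None
        return self.detected_at - self.last_seen


def parse_heartbeats(lines: Iterable[str]) -> Dict[Tuple[str, str], datetime]:
    """Return the most recent 'OK' timestamp per (control, host)."""
    latest: Dict[Tuple[str, str], datetime] = {}
    for line in lines:
        ts, control, host, status = line.split()
        if status != "OK":
            continue  # only a healthy heartbeat counts as evidence of function
        when = datetime.fromisoformat(ts)
        key = (control, host)
        latest[key] = max(latest.get(key, when), when)
    return latest


def find_failed_controls(
    heartbeats: Dict[Tuple[str, str], datetime],
    now: datetime,
    expected: Iterable[Tuple[str, str]],
) -> List[ControlFailure]:
    """Flag every expected control whose last OK heartbeat is too old or absent."""
    failures = []
    for control, host in expected:
        last = heartbeats.get((control, host))
        limit = MAX_SILENCE.get(control, DEFAULT_SILENCE)
        if last is None or now - last > limit:
            failures.append(ControlFailure(control, host, last, now))
    return failures


if __name__ == "__main__":
    for failure in find_failed_controls(parse_heartbeats(SAMPLE), NOW, EXPECTED):
        print(failure.control, failure.host, "silent for", failure.silence())
```

Against the constructed sample, the firewall and both recently reporting controls pass, the anti-malware agent on db-01 is flagged because it never reported, and the log forwarder on app-01 is flagged after 25 minutes of silence. The detection timestamp and silence duration on each failure are exactly the facts the later response and triage steps need to start from.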
By having a set process to respond to critical security control failures, your organization can have much more assurance that it will know when the security controls in place cease to function, how your organization is going to respond, and how to prevent it from recurring in the future.
The value of a refined critical security control failure process cannot be overstated. Many organizations tie this to incident response, but there are some distinct differences. Do you have questions about how this applies to your organization or which controls would apply? Reach out to us; we'd love to talk.
About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.