Where data security decision making is concerned, the PCI DSS and HIPAA regulatory requirements are more striking for what they leave unsaid than for what they say. They do tell you what an auditor would look for in determining the level of your systems’ data security. However, the security checklists don’t enable you to figure out your actual level of security yourself, leaving you to guess whether your pre-audit documentation supports the claims you submit.
But somebody other than you has to be able to determine your level of data security – and if you’re audited, somebody will. The purpose of this article is to help you document and quantify what you’re thinking about prior to an encounter with an auditor, so that you and the auditor can reach a similar conclusion about your actual levels of security.