Rated audit procedures
echain
06-29-2007, 05:31 AM
Any of you QSA folks out there, can you tell me where I can get an audit procedure with "high", "medium" and "low" risk ratings? On our last (also the first) audit we got the non-compliances from our QSA auditor with these ratings. We're not working with this QSA :p any longer, and I'd like to find the source he got these ratings from. :confused:
In a few months we'll have to do another ROC, plus another audit :eek: for another subsidiary. For this other one, we've done an internal self-assessment. I need to prioritize our ramp-up/remediation plans to get ready for these audits. I have no idea where the previous QSA got the ratings for each section of the audit procedure from. I only have the rated gaps, and they're based on the 1.0 version. Any ideas? We haven't selected the new QSA yet.
lyalc
06-29-2007, 04:05 PM
To be honest, I suspect any such ratings were probably made up according to your site/environment and hopefully included an assessment of the bang for buck from fixing the various issues/gaps, the ease of implementation/resolution, etc.
Lyal
jbhall56
07-02-2007, 04:54 AM
For our PCI compliance assessments, we have two "ratings" we issue for findings.
Relative Risk
Resolution Level of Difficulty
For these two ratings, we use a high, medium and low ranking. We define these rankings as follows.
Relative Risk is a subjective evaluation of the severity of the concern and the potential impact on the operations. Items rated as “High” are considered to be of immediate concern and could cause significant operational issues if not addressed in a timely manner. Items rated as “Medium” may also cause operational issues and do not require immediate attention, but should be addressed as soon as possible. Items rated as “Low” could escalate into operational issues, but can be addressed through the normal course of conducting business. It should be noted that relative risk is not indicative of a security risk unless explicitly stated in the detailed finding and recommendation.
Resolution Level of Difficulty is a subjective evaluation of the estimated level of difficulty to resolve the concern based on our experience and potential cost. Items rated as “High” are considered to be difficult to resolve and/or will require a significant amount of planning and management involvement/oversight in order to obtain resolution. Items rated as “Medium” are not as difficult to resolve and/or do not require a significant amount of planning, but may be time-consuming to resolve. Items rated as “Low” are items that are not complex and/or require significant amounts of planning and time to resolve.
For our PCI assessments, any issues related to PCI DSS compliance are to be rated with a Relative Risk level of 'High'.
I hope this helps you to understand what your QSA might have been trying to tell you.
echain
07-04-2007, 02:57 AM
Thanks folks, this helps. We do have an internal rating system.
Cheers :)