Topic: [Article]-Interview: Daniel Martin of Dradisframework.org

don (Editor-In-Chief, Administrator)
Posted on: December 13, 2012, 03:56:35 PM

Great interview on a topic that should be of concern to all professionals. Let us know if this helps you with a need or sparks any ideas. As always, your feedback is welcomed. I'm sure Todd, our newest contributor, would appreciate it as well. Thanks, Todd.

Review by Todd Kendall

A few years ago, I had completed a Report on Compliance (ROC) as a Qualified Security Assessor (QSA) based on the Payment Card Industry Data Security Standard (PCI-DSS) and was performing a final read-out for a customer, when they showed me a framed copy of the cover letter of my report on the wall. The Chief Compliance Officer told me that this single piece of paper had cost the organization over a million dollars and thousands of man-hours. Of course, the engagement was nowhere near the cost he quoted, but, after thinking about it a bit, I realized the preparation, project plans, hardware, software, implementation, testing, segmentation, scope definition, and everything else the customer had done to comply with the standard had led to that moment and that one document.

While I had always felt my documentation was up to par, it wasn’t until that moment that I truly realized the gravity of my reporting. It is necessary to capture not only the efforts I go through to assess the organization appropriately, but also illustrate a consistency and thoroughness that ensures I have captured the efforts the organization had gone through to prove their overall compliance. But, let’s face it, who truly enjoys documentation and how do we ensure consistent, efficient, and repeatable results that can withstand multiple and various types of reviews without the need to completely re-write the report?

I’ve seen many approaches over the years as an Information Security professional, ranging from the copy-and-paste-from-old-reports approach (probably still the most prevalent), to Word templates, and, when I was lucky, in-house developed PHP or AJAX report deliverable generators. The problems with these approaches varied. Lack of sanitation when copying and pasting can lead to embarrassment or even lawsuits, Word templates aren’t as efficient as we’d like, and code changes to the in-house application are either infrequent or it becomes obsolete over a short period of time because of numerous reporting requirements. Taking these factors into account, I began to wonder if there was a solution out there that could address what I had seen over the years and remain flexible enough to keep up with the changing reporting requirements I had, from one engagement to the next. While still relatively young in its maturity, I have hope for the Dradis Framework and wanted to find out more. This interview is the result.


Don

CISSP, MCSE, CSTA, Security+ SME
© 2013 The Ethical Hacker Network