CCSS Level 3 Requirements
The CCSS Level 3 requirements for this aspect are provided below.
The Level 3 requirements introduce a subtle change in wording from Level 2. Note that Level 2 compliance requires a security assessment, whereas Level 3 compliance requires an audit.
What’s the difference between an assessment and an audit?
In our opinion, an audit is a process conducted by a third party outside of the organization, which reviews evidence collected from the entity being audited and verifies its compliance with a standard or policy. While there are audits undertaken by internal auditors (called internal audits), CCSS requires a third-party audit, which we have defined as one completely independent of the assessed entity.
An assessment process reviews the evidence provided and reaches a conclusion regarding the state of the entity at that point in time, in readiness for compliance with a standard or policy. While PCI DSS uses the term “assessment”, that process is more akin to the traditional meaning of an audit, as it is an external third-party audit that validates compliance against a standard. For the purposes of this article, we are not talking about this type of assessment.
For example, you may have heard of a “readiness assessment for audit”. This is where a person or persons, internal or external to the organization, review the environment that will be audited and determine what will be compliant and what will not. A remediation plan is then generally created so the organization can implement changes to reach compliance.
CCSS Level 3 provides a required frequency for audits: at a minimum, annually. It should be noted that CCSS does not require an audit to be conducted if there are any significant changes to the CCSS in-scope environment.