The 6P Cube
The scope of the Cube approach within this project is PCI; however, the framework can be extended to other areas of compliance, including ISO 27001 and COBIT.
It has also been beneficial to PMO functions when identifying stakeholders.
The success of the approach is dependent on accurately defining and documenting the scope of the environment. GRC3D has developed a number of techniques in this regard; all systems (people, processes and technology) that are involved in the storage, processing or transmission of PCI branded cardholder data are considered to be in scope of the cardholder data protection compliance programme.
Once the scope is defined, systems (people, processes and technology) are split into environments; this breakdown varies from one organisation to another. The next step is to prioritise the effort so that stakeholders understand where they can act to reduce risk earlier in the process. No single milestone in the approach provides comprehensive security on its own, but following its guidelines helps stakeholders expedite the process of securing cardholder data.
The approach provides a roadmap of security and compliance activities based on the risk associated with storing, processing and/or transmitting cardholder data. The roadmap helps to prioritise efforts to achieve compliance, establish milestones and lower the risk of cardholder data breaches earlier in the compliance process, and it lets acquirers objectively measure the compliance activities and risk reduction of merchants, service providers and others.
More details will be provided upon request.