The Security Standards Council (SSC) of PCI reminded us today that a scope statement still requires validation. A scope should be reduced only after a thorough assessment of controls.
Secure treatment of data (e.g. hashing) could reduce the number of systems that are kept within scope but this needs to be assessed and verified. Another example is an entity that claims it has no wireless. This claim must be tested and they must have a regular process and control capability (wireless scanner) to manage risk going forward. Assessors will look for supporting documentation before they can allow scope to change. When scope is done properly it generates confidence on exactly where to look based on tests and evidence.
This is not to say that it is easy. A major retail executive once told me his company had no need for antivirus on their point of sale devices. Why? He believed his systems had no viruses, therefore he saw no need for antivirus. I had to convince him that he should be taking the opposite approach. Use of antivirus would confirm the lack of viruses. An absence of empirical data, let alone awareness of helpdesk and incident reports, did not register with this executive. This is a fine case of why risk is something that can not always be left to intuition alone or to market forces. Many actors operate with trust or hope rather than a complete or reasonable data set. A month after installing antivirus the executive was extremely thankful — he soon found a clear path to reduce point of sale outages and thus his operating costs were significantly reduced.
The steps to take after hearing “no” and “out of scope” are illustrated nicely in the SSC Wireless Guidelines decision tree: