In the three years I’ve been covering the RSA conference, the question “How compliant are you?” has come up every time. Just as no organization is ever 100 percent secure, it’s rare to be 100 percent compliant. That’s because compliance, like security, is a moving target.
It is for this reason that Bob Russo (@bobrussopci), General Manager of the PCI Security Standards Council, is lobbying members to adopt a security lifecycle that keeps organizations from falling out of compliance.
For so many, compliance means getting your annual report on compliance and then not doing anything for a year. That kind of behavior isn’t going to help you stay compliant. To be successfully compliant and to catch data breaches, you need to live and breathe the security principles and make it part of your daily routine. That means integrating it with your daily security routine, and not making it a daily compliance routine, said Russo.
Russo recommends the following practices, performed on a regular basis rather than once a year, to maintain both security and compliance:
- Measuring and monitoring
- Utilizing data leak prevention methodologies
- Getting rid of data you don’t need (Russo’s motto: “If you don’t need it, don’t store it”)
- Replacing default passwords
- Utilizing technologies that cut the attack surface, such as point-to-point encryption and tokenization
You don’t want to be in a situation where somebody has to call you and tell you you’ve been breached. If that happens, it’ll probably be 3-4 months after the breach happened. And we all know that digging through that data is a royal pain. If you’re monitoring it yourself, you’ll find it very quickly, Russo said.