By: Sean Sherman
Compliance programs sometimes get a bad rap. The recent Heartland Data breach and the subsequent verbal thrashing of the PCI compliance program at a congressional hearing might put that compliance program’s relation to security into question. In this case, Congress seems to have asserted that security equals compliance, and that failure of one means the failure of both. But I suspect most security professionals will disagree – correctly. While we know they are linked, the relationship is complex – and important to manage.
I assert that good security is like good health – a multi-faceted program of applying best practices to many different parts of the entire business. Just as we might eat right and exercise to keep in shape, businesses perform regular risk assessments, educate staff and build appropriate controls to maintain strong security. Compliance is like getting your vital statistics – a blood pressure or cholesterol test checks for certain conditions, but your doctor (like your security team) will tell you that good stats do not guarantee total health. Furthermore, as you age, you need different tests (controls) to check for health statistics that reflect the risks appropriate to your age and other risk factors.
So analogies aside, the question is: are you keeping up to date with the compliance program appropriate for your business security? Just like a checkup, a compliance initiative provides a place to start a good security program by providing “common” control objectives for the business, and then it is up to the business to assess their actual security risk and tune the compliance program (controls) to meet the specific risks that a generic approach might not address.
Two aspects of your compliance program are critical: the accuracy and currency of the compliance source material, and up-to-date controls for the specific equipment in scope of the compliance program. Here at Tripwire, we are constantly refining our library of compliance policies and mapping new controls to support new or updated platforms. This work employs a sizable team that includes security analysts, auditors, and technicians, but the benefit for the client is that they can take advantage of current compliance guidance and technical controls, either as a place to start or to refine security monitoring. We believe we are saving our clients time and effort by preparing the compliance templates so that audits are easier, and also so that you can focus on the security of your systems.
So eat right, stay healthy and plan to put in some work to keep your organization safe by using compliance programs to monitor the appropriate control settings. And let us know if we can help.