A few weeks ago, I had the pleasure of attending a few talks at a local information security conference. In one of the not-so-vendor neutral talks, the speaker made a claim in passing that caught my attention. It’s a subject near and dear to my heart, so I thought I would blog about it.
The claim was that “compliance is dead.” The premise of this claim is that since very few organizations adhere to compliance, we should stop talking about it and let it fade away.
I, however, am here to tell you quite the opposite—that information security compliance should be talked about; it should be very important within your organization; and if your organization is not taking information security compliance seriously, there is definitely a problem!
Firstly, let’s answer the ever mind-boggling question of “what is information security compliance?”
There are a variety of industry regulations, such as the Payment Card Industry’s Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), and the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP) standards, that companies must adhere to in order to do business in their respective verticals. Historically, these standards have been relatively easy to comply with: there are many solutions and services an organization can purchase to become compliant with the regulations.
Information security compliance is essentially complying with the standard that regulates your industry. These standards dictate what types of information security precautions an organization should take to mitigate the risk of attack on its information assets. If followed correctly, these standards can be extremely helpful in reducing risk.
A poor trend in information security is the “checkbox” approach. Many organizations are very focused on finding the cheapest solution to “check the compliance box,” without considering the value that a more effective or usable solution or technique may provide.
A conversation with an auditor would typically go something like this:

Auditor: “Do you do vulnerability management?”
IT Manager: “Check.”
Auditor: “Do you track unauthorized changes on file systems?”
IT Manager: “Check.”
Auditor: “Are you collecting and correlating logs?”
IT Manager: “Check.”
The problem with this approach is that the “checkbox solution” may not be adequate for the task at hand. My colleague Tim Erlin wrote a post with a great analogy on how being compliant doesn’t necessarily mean that you are secure:

“I like the metaphor of lawn mowing. The existing focus on assessment has created a compliance requirement around performing assessments. That, in turn, drives a need for tools that deliver on that requirement.”

“Imagine that you have a requirement to own a lawn mower. Being a fiscally prudent homeowner, you want the lowest cost tool to comply with that requirement. That might very well be a pair of nice, sharp scissors. If, however, that requirement shifts to actually mowing the lawn, you might decide that an investment in a more efficient lawnmower is warranted.”

“The lesson here is that compliance is not equivalent with security. You can maintain compliance (own a lawn mower) without actually improving security (mowing the lawn). In fact, if you know that the requirement is going to change, you might be able to make a more informed choice to start with.”
If an organization and its auditors took information security more seriously, the conversation between the auditor and the organization would be a little different. It should go something like this:

Auditor: “Are you managing and mitigating your vulnerability risk?”
IT Manager: “Yes, here is evidence that we reduced our vulnerability risk by x%.”
Auditor: “Are you tracking unauthorized changes and investigating to ensure they were not the result of malicious activity?”
IT Manager: “Yes, we identified that x number of changes were unauthorized and mitigated them before there was any significant impact on our systems.”
Auditor: “Are you collecting and correlating logs to identify any suspicious activity?”
IT Manager: “Yes, we identified and remediated suspicious login attempts, blocking the attack before there was any significant impact on our systems.”
Compliance should be used as guidance for making our systems more secure; if we take advantage of this free advice, we can better protect our assets and our customers’ information. This will require effort from everyone, from the analyst to the manager to the auditor. Security is a joint effort, and hopefully we can work together to make strides in the right direction.