Saturday 7 April 2012

Compliance: The Good, Bad and Ugly...

Are “Compliance” and “Real Security” synonymous? Why do organizations get compromised in spite of being compliant? What should we do to avoid that?

Compliance today is one of the most talked about and debated topics. Compliance is the need of the day. However, many a time we miss out on real security in our pursuit of compliance. Numerous organizations have been compromised in spite of being compliant. Is compliance the real goal, or is it “real security”? Theoretically, of course, it is “real security”, and that is the exact reason why the standards, guidelines and compliance regimes have emerged. Today, in the race against time, we hastily run for certification, and what we miss out on at times could be the real goal: “real security”.


The Good ...
The standardization and regulation of business practices have become very critical issues for many governments. The intent of such compliance regimes is to protect shareholders and the general public from willful fraudulent practices in accounting, IT networks and business management. They vary from SOX, PCI DSS, ISO 27001 and HIPAA, etc., to suit specific industries and business types. A compliance framework provides structure and stability, and implementation of a framework generally results in greater levels of process orientation within the organization and leads to many operational and security benefits. It also facilitates the systematic setup of a continuous improvement process that accommodates changes in regulations and incorporates new regulations as they become applicable.


Why is compliance important?
· Helps in establishing the baseline security processes.
· Compliance is mandatory for certain businesses.
· Helps in gaining customer trust.
· Good start for managing security in a structured way.



The Bad ...
The truth is that it's possible to have excellent security and be non-compliant. It is also possible to pass a compliance audit with flying colors and yet have poor security. The misconception that compliance equals security has led organizations to spend excessively on compliance, sometimes at the cost of security. Many regulated industries now spend a significant portion of their security resources on compliance initiatives. This single-minded approach to compliance can put at risk some of the security initiatives within your business, if only by shifting internal priorities towards the initiatives involved with compliance.
Compliance creates a false sense of security. Being compliant does not necessarily mean that you are secure. The burden of compliance may lead to short-term prioritization that is not aligned with real security needs. It is commonly observed that, in order to manage the compliance audit, IT managers at times get hard pressed for time and hence overlook several action items which are critical for security but are not of immediate concern for the audit. For example, an IT administrator may be forced to focus on creating adequate documentation while missing out on applying a critical patch at the right time. Compliance can be a burden for smaller organizations or organizations with inadequate manpower. This can lead to working on too many things and not doing any of them well.
Compliance is a journey and not a goal. However, many of us fail to realize or follow that. Once we achieve compliance, the fatigue and joy of achieving it make us strive less hard, at least for the time being.



What are the negative sides of compliance?
· Being compliant and being secure are not necessarily the same.
· Creates a false sense of security and brings complacency into the team.
· Compliance may lead to short-term prioritizations which are not aligned with real security needs.
· Compliance can be a burden for organizations with a resource crunch.
· Guidelines are good but not always 100 percent complete. The SANS Top 20 or OWASP Top 10 may be a good check, but you may have vulnerabilities beyond those lists.

  
The Ugly ...
Despite having been verified against compliance frameworks and best practices, some of the largest organizations have faced security breaches. It is pretty painful for an organization that has spent millions of dollars on compliance efforts and still couldn't evade the grip of a deadly breach. The ugliest part of the story: achieving compliance only to find oneself preparing for the next breach. This is particularly true as compliance makes an organization complacent about security risks and at times too slow to keep pace with the fast-changing threat landscape.
The year 2007 started with the most sensational “TJX data breach”, in which as many as 96 million customers' credit card data was stolen. The organization was ISO27001 compliant and had implemented the COSO framework as a best practice. Monster.com had also faced a similar situation last year, where a trojan horse called “infostealer” stole more than 1.6 million records of job seekers and employers. Bank of India also faced a security incident in August 2007.
In November, the U.K. government's Revenue and Customs arm disclosed that it had lost records on 25 million juvenile benefit claimants. The department was compliant with the UK Data Protection Act. The World Bank Group network (one of the largest repositories of sensitive data) was compromised by multiple people in early 2008.
