The Dangers of Over-Reliance on Compliance
- 06 August, 2009 04:02
Have you noticed that many of the firms suffering high-profile, serious, and expensive information security breaches have nonetheless been 'compliant' with certain laws, regulations, or standards? Consider the case of credit card processor Heartland Payment Systems, which recently suffered the unauthorized disclosure of over 100 million credit card and debit card transactions. The firm handles the transactions of over 175,000 merchants. Hundreds of banks have already had to reissue cards as a result of the breach. Note that Heartland was, at the time, certified as fully Payment Card Industry (PCI) compliant. Many other organizations that fall under various Federal, state, and industry regulations are continually experiencing breaches as well. According to The Chronology of Data Breaches (www.privacyrights.org), millions of records have been compromised thus far in 2009.
Management at far too many organizations has been placing too much emphasis on compliance. Adequate information security cannot be achieved by simply being in compliance with all relevant laws, regulations, and standards. As much as management might like the definitive statement that this compliance provides (and certainly there are marketing benefits of such compliance), all these compliance efforts still say nothing about whether management has taken the time to do the necessary risk management. These compliance efforts still say nothing about whether management has struck the right balance between competing security-related objectives and struck this balance in a manner that is specific to the environment in question.
A common problem we see is the inability of information security and compliance managers to focus on what's important when it comes to compliance. Certain people focus solely on security operations, at the same time overlooking important technical issues. Others believe that running security scans on a periodic basis is enough. Some believe that running down a checklist of compliance requirements is all that's needed. Sorry, but it's not that simple. We've even seen situations where the people in charge weren't aware of what they needed to comply with, such as state breach notification laws. Wise managers know what they're up against and have the ability to determine what's appropriate in the context of the business rather than treat everything as black or white, right or wrong.
The Shifting Landscape
Part of the problem here is that these laws, regulations, and standards are static. In contrast, information security is dynamic, in fact very rapidly changing. Managers who believe that they are going to establish a secure environment by simply doing the minimum, simply becoming compliant with the requirements specified in laws, regulations, and standards (and hopefully legal agreements as well), will be woefully disappointed. A formal risk management process is instead required. Managers need to look at the unique circumstances of their computing environment: things like the level of user awareness about information security, the type of information systems technology deployed, and the type of products and services offered. The nature of the controls needed will then be a function of these situation-specific factors. All of this work of course needs to be performed after a risk assessment is completed, an exercise that needs to take place at least every year. Information systems evolve and change too quickly to warrant anything less.
Another part of the problem is human nature. People want shortcuts, a direct result of the innate human need for instant gratification. Furthermore, people don't want to have to pay any more money than they have to, and they don't want to have to think deeply or exert more effort when they are already overwhelmed with other matters. The problem is also a function of societal expectations. Wall Street focuses on short-term results, and rewards managers who cut costs today, even though these same managers may be risking the organization's bankruptcy in the longer-term future.
Likewise, the legal system has not yet established the proper incentive systems. Often those in a position to do something about security problems are not legally liable for losses. For example, the operating system vendors are not being held liable for the many damages done by malware, such as Trojans, even though we have had the technology to eliminate malware entirely for many years (and it was in fact incorporated into many mainframe systems). The focus in the information security field has recently, as a result of these psychological and societal factors, been short-term and unduly narrow in scope.
- Heartland: 'Largest Data Breach Ever' - CSO Online - Security and Risk
- Privacy Rights Clearinghouse--privacyrights.org
- CSO Disclosure Series : Data Breach Notification Laws, State By State - CSO Online - Security and Risk
- Amazon.com: Information Security Policies Made Easy, Version 10 (9781881585138): Charles Cresson Wood, Information Shield: Books
- InfoSecurity Infrastructure, Inc. - Sausalito, CA
- Amazon.com: Hacking For Dummies (For Dummies (Computer/Tech)) (9780470052358): Kevin Beaver, Stuart McClure: Books
- Principle Logic - Home of computer and information security expert Kevin Beaver