Re: Compliance Is Wasted Money, Study Finds

[J Roger <securityhocus () gmail com>]

The entire compliance industry has design flaws which cause results to be
skewed such that the intended value is lost.

CompanyA hires a PCI auditor for their annual PCI audit. It is in the
auditors best interest to make sure CompanyA has a pleasant enough
experience with them through the audit up to and including the reported
findings otherwise CompanyA will just select a different auditor for the
following year that will be kinder to them for the same reasons.

If an auditor fails to pass CompanyA, they stand a very good chance to lose
a customer. Not only that but word of mouth could hurt their potential to
gain new customers. Naturally, auditors like everyone else want to make
money. As such, auditors want to keep existing customers and gain new
customers.

Keep in  mind that all of the large PCI breaches reported publicly over the
past couple years have been for companies that have passed their annual PCI
audits.

1) The bar for PCI compliance is fairly low
2) The cost to go through an annual PCI audit can be fairly high (which
unfortunately gives executives signing the checks the false impression that
there is much security value from the process and not just the ability to
continue processing payment cards)
3) The auditors required for large companies annual PCI audits have
conflicting interests between the intent of PCI compliance and making money

The recipe results in organizations paying lots of money to continue making
more money for themselves while the real information assets go ignored and
the PCI relevant findings are either swept under the carpet or downplayed
such that they are no real issue.




On Wed, Apr 7, 2010 at 7:24 AM, Keith Tomler <ktomler () gmail com> wrote:

> You say:
>
> "...Enterprises are spending huge amounts of money on compliance
> programs related to PCI-DSS, HIPAA and other regulations, but those
> funds may be misdirected in light of the priorities of most
> information security programs, a new study has found..."
>
> BALONEY
>
> As an Information Systems Auditor, it seems that if you have a valid
> finding and a reasonable recommendation, management usually doesn't
> act on it.
>
> However, if you have the same finding and recommendation and then cite
> a regulation, management is forced to act upon it.
>
> I believe that the regulations were drafted in order to force entities
> into doing what they should have done in the first place.
>
> I should not have to cite regulations in order to make sure logs are
> being reviewed, business recovery plans are drafted and machines are
> disposed of properly.  But people and companies do not do these
> things, so laws are made in order to force compliance.
>
> For example:
>
> (D) Information system activity review (Required). Implement
> procedures to regularly review records of information system activity,
> such as audit logs, access reports, and security incident tracking
> reports.
>
> (7)(i) Standard: Contingency plan. Establish (and implement as needed)
> policies and procedures for responding to an emergency or other
> occurrence (for example, fire, vandalism, system failure, and natural
> disaster) that damages systems that contain electronic protected
> health information.
>
> (i) Disposal (Required). Implement policies and procedures to address
> the final disposition of electronic protected health information,
> and/or the hardware or electronic media on which it is stored.
>
> The regulations are a bit dry, but enlightening nonetheless.
> http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
>
>
>
> On Tue, Apr 6, 2010 at 2:23 AM, Ivan . <ivanhec () gmail com> wrote:
> > For those who don't frequent slashdot.......
> >
> > "Enterprises are spending huge amounts of money on compliance programs
> > related to PCI-DSS, HIPAA and other regulations, but those funds may
> > be misdirected in light of the priorities of most information security
> > programs, a new study has found. A paper by Forrester Research,
> > commissioned by Microsoft and RSA, the security division of EMC, found
> > that even though corporate intellectual property comprises 62 percent
> > of a given company's data assets, most of the focus of their security
> > programs is on compliance with various regulations. The study found
> > that enterprise security managers know what their companies' true data
> > assets are, but find that their security programs are driven mainly by
> > compliance, rather than protection (PDF)."
> http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an
> SSL certificate.  We look at how SSL works, how it benefits your company and
> how your customers can tell if a site is secure. You will find out how to
> test, purchase, install and use a thawte Digital Certificate on your Apache
> web server. Throughout, best practices for set-up are highlighted to help
> you ensure efficient ongoing management of your encryption keys and digital
> certificates.
> >
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/