BreachExchange mailing list archives

Compliance is no guarantee of security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Apr 2014 13:22:31 -0600

http://www.net-security.org/article.php?id=1993

The regulatory landscape is constantly evolving. For example, tougher new EU
data protection laws are scheduled to come into effect over the next year
or two. These new regulations will result in non-compliant firms being
fined €100m or up to five per cent of global turnover, whichever is the
higher. Last year there were 2,164 incidents of data loss. According to a
report by Risk Based Security and the Open Security Foundation, 72% involved
external attackers while 25% were classified as internal incidents,
although the latter were attributed mainly to human error and accidents
rather than malicious intent.

Yet, often for reasons of cost and complexity, many off-the-shelf
compliance solutions on the market today have yet to prove themselves from
an ROI point of view. Instead, firms commonly choose to meet their
compliance obligations by developing their own home-grown methods, often
involving spreadsheet questionnaires, to manage compliance programmes such
as PCI DSS.

While there is nothing wrong with the PCI DSS standard as a set of
controls, it is little more than the basic minimum that an organisation
should set out to achieve. It should not be a replacement for solid
Business-as-Usual (BAU) security practices. One of the biggest data breach
stories of 2013 was at US retailer Target where the personal data of around
110 million customers was reported to have been leaked. It is not clear
whether Target was in compliance with PCI DSS at the time it was breached
but statistically the chances are that it was not. According to Verizon's
2014 PCI Compliance Report only 11.1% of businesses globally were fully
compliant in 2013.

PCI DSS compliance is based on a single assessment each year. The
assessment represents a moment in time, an accurate verdict made at a
single point during a twelve month period. It is not a guarantee of
compliance for even the following day let alone for any enduring length of
time. There is plenty of evidence to show that many data breaches do occur
sometime after a successful PCI DSS audit.

One possible reason for this goes back to the spreadsheet. The spreadsheet
for all its versatility is simply part of a largely manual process. In a
large-scale compliance audit the spreadsheets cut across all kinds of
internal programmes and departments, HR, Finance or IT for example. It is
almost impossible to gauge the overall status of a large-scale compliance
programme without lengthy and painstaking analysis of hundreds of completed
responses. Skilled compliance and risk personnel end up being burdened with
manual process administration and are given insufficient insight into
trends and anomalies to support business decisions.

This absence of automation in a spreadsheet-based approach is its Achilles
heel. A lack of shared obligation or team effort places all of the
responsibility for delivering results with the compliance officer. At the
same time questionnaire recipients are told they have to complete them
although they may not fully understand the criticality of the data they
provide. Meanwhile as far as their managers are concerned it’s just another
job that has to be done. You have no central visibility of your audit’s
status and very little control over the compliance process. In short you
end up with something that is little better than an exercise in the pursuit
of compliance for compliance’s sake instead of focusing on making security
the first priority.

Neither off-the-shelf nor home-grown systems are capable of meeting what
organisations need most, namely an easy-to-implement solution that
supports existing processes (rather than re-engineering them) and has in-built
analytics to allow informed decision making based on corporate exposure to
risk. The rise in data breaches highlights that organisations
in the 21st century need something better than spreadsheets to manage their
security processes.

In my experience organisations find standards such as PCI much easier to
comply with if stakeholders are able to collaborate in a centralised
control-oriented process hosted in the Cloud. This has the immediate
benefit of helping organisations automate their auditing process. It also
gives them an easy way to devolve responsibility for completing
questionnaires or sections of questionnaires to those most qualified to
provide the answers and centralise evidence collection. This eliminates any
need for lengthy spreadsheet-based programmes and frees up highly skilled
compliance and risk personnel from time-consuming project administration.

The ability to bridge the intelligence gap between off-the-shelf and
home-grown compliance systems is a real game changer. By giving
organisations immediate visibility of the status and greater overall
control over their compliance programmes it helps them meet their current
compliance demands and makes responding to future changes so much easier.
Having a control-centric process that embeds demonstrable working controls
into the daily routine keeps it separate from the regulatory standard and
makes continuous compliance part of everyday best practice.

In conclusion, I believe a continuous BAU approach to information security
is essential. Furthermore a cloud-based software-as-a-service approach can
make the transition of existing processes straightforward and extremely
cost-effective. Improving the security of your organisation is a better way
to safeguard against breaches than relying exclusively on ‘tick box’
compliance exercises. A continuous approach to compliance puts controls at
the centre of the compliance programme, with control activity performed and
monitored throughout the calendar year, as opposed to relying on an annual
audit. This approach provides real-time visibility of the
organisation’s compliance status, the net effect being more merchants
incorporating PCI DSS compliance into their BAU practices and, importantly,
improving the organisation’s security posture.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/