Meshing Compliance with Security


June 02 2008


The realities of today's heavily regulated IT environment have forced a shift in IT security priorities. Initiatives that once could never find a sponsor are now being funded, as organizations scramble to comply with regulatory demands. This has been a positive step for many IT security practices, but there are some definite downsides.


The sad news is that some organizations have begun to equate compliance with security. They assume that complying with standards such as the Payment Card Industry (PCI) Data Security Standard (DSS), and with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLB), automatically ensures sufficient security of IT infrastructure and data stores. But, as most grizzled security veterans will tell you, this is far from the truth.

"It's not a golden pass or a silver bullet; it just means you meet their regulations, not that you're secure," says Alan Shimel, chief strategy officer of the security firm StillSecure. "So [it] is a fine start, but it's not the be all and end all."

Shimel and others say that it is critical for organizations to understand that compliance does not equal security. Some IT security practitioners in the trenches have tried to counter overreliance on regulators' view of security by taking a step back and thinking about how to build a comprehensive security program driven by risk management best practices rather than by regulations alone. Their theory is that by handling security first, compliance will take care of itself.

"If you focus on compliance, you can easily miss security concerns," says Vern Cole, chief security officer for Varolii, an on-demand interactive communication solutions company. "That's one of the reasons why Varolii has chosen to focus on a best practice standard like the ISO standard, so that by complying with that standard, by meeting those requirements and focusing on that standard body, we're going to hit any compliance requirement that comes up from a regulatory body."

Varolii is currently in the process of certifying its IT practices against the International Organization for Standardization's ISO 27001 standard. The process is arduous and demanding, Cole says, adding,

"We are still getting compliant with the standards body. There's a lot going on, and if you were to talk to some of our engineering and operations people, they would probably tell you all they're doing right now is making adjustments to our existing infrastructure and working very hard and very rapidly to get some things in place."

Cole says much of the effort has centered on redeveloping the underlying IT infrastructure to enable easy and efficient security monitoring in the future. "We're modifying our architecture to allow better insight into where we store our information, how it's being accessed and [how we can] consolidate this type of information into a centralized place where it is easier for us to monitor and access the information."

All of the work is worth it, Cole claims, because it builds a bedrock of fundamental security practices and not only ensures compliance with today's standards but also makes it easier to comply with new standards whenever they're rolled out.

"When you look at things like HIPAA, PCI and GLB, all those are regulatory requirements based on an international standard. Typically, they may not call out the ISO standard specifically, but when you boil it down, they're applying a security requirement to a particular data set," Cole says. "So by following an internationally recognized standard such as the ISO 27000 series, we're going to meet the regulations, as long as we apply our controls appropriately."

Cole and Varolii are hardly alone in this progressive mind-set. Bruce Wignall, chief information security officer [CISO] of the mega-call center firm Teleperformance, says that ISO standards are at the "heart and center" of his organization's security practice. With the groundwork laid by these broad standards, Wignall can more easily overlay other more specific standards or regulatory compliance practices.

"We bolt in ITIL [IT Infrastructure Library] on top of ISO [or] we bolt in PCI on top of ISO, and that starts to [erect] the building blocks of our security practice and just makes it easier to bite off one piece at a time," Wignall says. He adds that standards-based security is less about throwing regulatory compliance concerns out the window and more about approaching the spirit of the entire arc of security regulations, which were, after all, developed to protect the data.

"I think it is important; I think it's a responsibility all of us have. I don't think you should take the least intrusive route [or] look at it as something you don't want to do," Wignall says. "We're not taking a minimal approach; we're taking an aggressive approach because it's actually maturing everything we're doing."

This approach is likely to address both security and compliance far more effectively than merely adhering to the letter of the law. For example, certain regulations require encryption of specific data sets. Rather than encrypting only the specifically mandated data, Wignall has chosen to encrypt everything. This "dumbs it down" for his organization, he says, and makes it easier to comply with future regulations.

"When a new security certification [is] invented, it [won't be] that big a deal. I know I can comply because I'm doing all of the things I should be doing," he says.

Taking this best-practices-first approach also makes it easier to navigate the security vendor landscape, security experts say.

Unfortunately, the myth that compliance equals security has been partially perpetuated by security vendors who see compliance mandates as an opportunity to prey upon organizations that wouldn't necessarily spend money on their products but are looking for an easy fix for all of their security and compliance problems.

"When somebody comes riding in on a white horse and says, 'Hey, I'm going to make this easy for you, just write me a check,' you really want to believe that," says Mike Rothman, president and principal analyst of Security Incite. "There's nothing easy about [compliance]; there's nothing easy about security. So when a vendor comes out and says we'll make compliance [easy] or we'll make security easy, that's borderline offensive because it's not true, but the customer wants to hear that."

Observers such as Ken Tyminski, former vice president and CISO at Prudential Insurance Company of America, say that when users adhere to security best practices, compliance efforts will be driven by people, policies and processes, not by technology. The added benefit is that this focus makes it easier to avoid getting sucked into vendors' empty promises.

"I used to get all sorts of vendors who would come in and say, 'I can solve this regulatory challenge.' It didn't matter if it was GLB or PCI or SOX, it seems whatever was hot at the time, they were experts in that particular regulation," Tyminski says. "I see many people make this mistake [where they say], 'We bought this widget so therefore we're PCI compliant or we're SOX compliant.' It is a much bigger issue than that when you look at it. So my recommendation is [to] understand what you are doing [and] understand what you are trying to protect. Then it will be obvious what the best technology is, given your situation."

Reproduced from an article published by Baseline
© Baseline

The original article can be viewed here:
http://www.baselinemag.com/c/a/Compliance/Meshing-Compliance-with-Security/
