Comments on: The Fort Knox Approach To Security

By: The Fort Knox Approach to Security | IT Security

The Fort Knox Approach to Security | IT Security — Tue, 24 Apr 2012 03:22:16 +0000

[...] Cross-posted from PCI Guru [...]

By: PCIGuru

PCIGuru — Mon, 16 Apr 2012 10:17:37 +0000

You point out just one of many things that get in the way of properly securing information. There is also application architecture, ease of user access, reporting, the list can go on and on. What it takes is management’s willingness to cut through all of that and just say, “We will do what is necessary to ensure we do not suffer a data breach, because I do not want this company’s imaged tarnished over something we could have stopped.” I have had a couple of clients take that approach and are now very secure versus where they started.

By: QSA Steve

QSA Steve — Mon, 16 Apr 2012 09:40:16 +0000

Essentially this is a plea for an approach to security based on risk assessment of information assets. I wholeheartedly agree that this is the right approach. In my experience many organisations have never really even analysed exactly what they do hold never mind assessed its value. However, in practice, assuming that an organisation has taken this first step and knows what they have, the problem is assessing the ‘right’ level of security and the human issue of covering one’s back. To clarify what I mean, turn the problem around. Starting with PCI requirements ask yourself, which requirement would I NOT want to apply to this particular dataset and am I happy to justify why not? And if I am applying it to A, B and C, is it actually going to cost any more to apply it to X,Y,and Z as well? Suddenly we see why so many will take a one size fits all approach.