Archive for January 23rd, 2013

23 Jan 13

Compliance Is Security – Final Answer

I am really tired of this dodge that compliance does not equal security.

I was recently on a webinar by a major security vendor and one of their points was that executive management is finally starting to realize that compliance does not equal security. And I realized what the problem is: people are confusing those PCI ROCs, internal audit reports and the rest of compliance assessments as an accurate assessment of an organization’s security.

Organizations develop and implement security policies, standards and procedures to protect the networks and systems used by the organization. Those policies, standards and procedures were not created in a vacuum; they were developed based on what the organization has learned over time to protect itself as well as items taken from ISO, PCI, HIPAA, FISMA, etc., which are derived from the lessons learned by lots of people in the information security arena. In order to be as secure as possible, everyone in the organization must follow (i.e., comply with) all of the organization’s policies, standards and procedures. The idea is that ISO 27K and FISMA are complete security frameworks, whereas PCI, HIPAA and the like are security frameworks focused on specific types of information.

Where the wheels keep coming off in this discussion is the confusion between compliance testing and reporting on the one hand and the act of compliance by your employees and business partners on the other. Compliance is an ongoing, 24x7x365 effort. Compliance assessments are a snapshot of compliance at the time the reports were written. This is no different than going to the doctor for your annual physical, which results in a snapshot of your health at that point in time. It is not that those compliance reports are worthless; they just need to be referenced and used properly, with the understanding that they are a snapshot.

A prime example of this is the PCI ROC. Other than vulnerability scanning, penetration testing and change management testing, there is nothing in the PCI ROC that covers a period of time, and even those topics are limited as to the time frames used for testing. The ultimate result is that you get a snapshot of compliance as of the date of the report. Unless something was out of compliance at that point, you will never know about it from the ROC. This is not anyone’s fault; it is just how the system works, because no organization is willing to pay for their QSA/ISA to assess them 24x7x365.

What all of these frameworks assume and expect is that the organization has put into place monitoring that does test compliance with its security policies, standards and procedures 24x7x365. For small organizations this can be done manually by monitoring event logs and syslogs on the small number of systems involved.

For everyone else, automated toolsets are going to be required: security incident and event management (SIEM), configuration management, intrusion detection/prevention, wireless monitoring, network performance and traffic monitoring, help desk, change management and similar tools are needed to do the job properly. This is because the volume of information that requires analysis and correlation cannot be handled without some form of automated tooling.

But just having these tools does not ensure compliance either. The tools need to be properly configured, maintained and monitored so that appropriate personnel are notified of out-of-compliance conditions and those issues are addressed in a timely manner. If that analysis and notification process were truly going on, most of the breaches that have occurred to this point would likely not have occurred, or would have been stopped early on.
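To make the "monitor the logs against your own policies, 24x7x365" idea concrete, here is an added example that is not part of the original post. It runs three hypothetical policy rules (no direct root logins, configuration changes only inside an approved change window and with a ticket reference, and a failed-login threshold) over a handful of constructed syslog lines and returns the out-of-compliance findings that a notification process would act on. The rule names, the change window, the `CHG-` ticket format and the log lines are all assumptions made for the example; a real deployment would take these from the organization's own standards.

```python
"""Continuous compliance checks over syslog lines (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed sample log lines; hosts, users and addresses are invented.
SAMPLE_LOGS = """\
Jan 23 02:14:07 fw01 sshd[811]: Accepted publickey for root from 10.0.5.7 port 50122 ssh2
Jan 23 02:15:30 fw01 config[812]: rule 17 modified by root (permit any any)
Jan 23 09:02:11 web01 sshd[2201]: Failed password for bob from 10.0.9.4 port 41002 ssh2
Jan 23 09:02:14 web01 sshd[2201]: Failed password for bob from 10.0.9.4 port 41003 ssh2
Jan 23 09:02:17 web01 sshd[2201]: Failed password for bob from 10.0.9.4 port 41004 ssh2
Jan 23 09:02:19 web01 sshd[2201]: Failed password for bob from 10.0.9.4 port 41005 ssh2
Jan 23 09:02:21 web01 sshd[2201]: Failed password for bob from 10.0.9.4 port 41006 ssh2
Jan 23 09:02:23 web01 sshd[2201]: Failed password for bob from 10.0.9.4 port 41007 ssh2
Jan 23 10:30:00 db01 sshd[3302]: Accepted password for alice from 10.0.9.4 port 41100 ssh2
Jan 23 14:00:02 fw01 config[990]: rule 18 modified by jsmith (change CHG-1001)
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from")
TICKET_RE = re.compile(r"\bCHG-\d+\b")  # assumed change-ticket format


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, host, program, message) or None for unparseable lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
    return ts, m["host"], m["prog"], m["msg"]


def check_compliance(log_text: str,
                     change_window: Tuple[time, time] = (time(13, 0), time(16, 0)),
                     fail_threshold: int = 6) -> List[Finding]:
    """Apply the three hypothetical policy rules and collect findings."""
    findings: List[Finding] = []
    failed: Counter = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines would be reported by a real pipeline
        ts, host, prog, msg = parsed
        # R1: policy prohibits direct interactive logins as root
        if prog == "sshd" and msg.startswith("Accepted") and " for root " in msg:
            findings.append(Finding("R1-no-root-login", host, msg))
        # R2: config changes must fall inside the change window and cite a ticket
        if prog == "config":
            in_window = change_window[0] <= ts.time() <= change_window[1]
            if not (in_window and TICKET_RE.search(msg)):
                findings.append(Finding("R2-unauthorized-change", host, msg))
        # R3: count failed logins per (host, account) for the threshold check
        fm = FAILED_RE.search(msg) if prog == "sshd" else None
        if fm:
            failed[(host, fm.group(1))] += 1
    for (host, user), n in failed.items():
        if n >= fail_threshold:
            findings.append(Finding("R3-failed-login-threshold", host,
                                    f"{n} failed logins for {user}"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per rule, the figure a dashboard or pager would surface."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in check_compliance(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The point of the example is the shape of the process, not the three rules: every rule is a restatement of a written policy, every finding names the host and the evidence, and the script is meant to run continuously on the log feed, which is exactly the gap a point-in-time assessment cannot fill.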

But the real lesson here is that the technology side of security is the easy part. Firewalls, intrusion detection/prevention, routers, switches, servers, security tools, etc. can all be configured to ensure 100% 24x7x365 compliance with all relevant security policies, standards and procedures.

The hard part of security is people, for a variety of reasons. The most obvious reason the people side of security is hard is the fact that most information security people are loath to deal with people. That is an important issue that needs to be addressed in another post.

The larger people problem is that, at the end of the day, people are not 100% 24x7x365 compliant because they are fallible. And no matter how much training you provide, you are not going to change the fact that they are fallible.

But that is what all of that technology is for: to let you know when people have been fallible, and to stop or minimize the risks generated by their fallibility.
