Compliance vulnerability roadmap revealed at Defcon 16

Security risk of the compliance model

By Copper Harding @ Sunday, August 10, 2008 6:49 AM


At Defcon, a security engineer named Weasel gave me an outline of the problems with a compliance vulnerability roadmap for companies that need data security.

The benefits of compliance are to provide standards, to implement controls that are hard to use and often meet user pushback during implementation, and to provide credentials for people who don't want to work or go to school.

Some of the standards considered are COBIT (a best-practices framework and policy), PCI DSS (how to process, store and transmit payment card information), HIPAA (medical information privacy), GLBA (financial privacy), SOX and ITAF. One of the largest problems with compliance is its psychological impact: it provides a false sense of security, often misinterprets IT concepts, shifts budgets and resources away from security and towards compliance, and allows a company to pass an audit while in no way providing an actually secure system.

The bottom line is that compliance gives a company a false sense of security and, potentially, a legal defense if an information breach harms customers. Unfortunately the whole system of compliance needs an overhaul: it often has conflicts of interest, it misrepresents the actual security of the changes it mandates, and it tries to replace people with a product. Compliance can also force IT choices towards older technologies that are less safe and have limited functionality.

This means that companies are managing their risk through compliance instead of mitigating their risk and exposure. Many companies perform a cost-benefit analysis that is incomplete, because they choose the 'manage the risk' option, which is cheaper up front. However, leaving the cost of a disaster out of the risk management/mitigation decision can leave a company open to an even more expensive exposure.

The compliance standards are also updated very slowly, so new technology either isn't covered by compliance or simply isn't used by companies in a compliance mindset. The real issue is that the compliance roadmap provides a starting point for attacks: most companies that have chosen the path of compliance do not go above and beyond the compliance minimums, so an attack begins with those minimums. The compliance standards effectively hand information and options to a potential attacker. The bottom line is that IT very often needs to spend more time educating management to fund security risk mitigation instead of compliance, and especially instead of compliance that is not legally required.

Copyright 2008 - ITExaminer.com