Security- Beyond Compliance

This article from 25 March 2009 argues that compliance does not always protect information security assets. Heartland Payment Systems is the example: it was PCI DSS compliant, yet it was still breached. Information security standards and certifications are useful, but being compliant does not mean assets are protected. Companies need to evaluate the trust level of their business assets and strengthen monitoring and security review.

25 March 2009


Compliance will not always guarantee that your information security assets are well protected. Security is beyond compliance.

An example

In the last week of January 2009, Heartland Payment Systems announced that its network had been compromised and that hackers had accessed its customer information. The hackers had access to Heartland's network for more than a week.

Heartland is one of the largest payment processors in the world, processing more than 11 million transactions a day and more than $80 billion in transactions a year.

Heartland was PCI DSS compliant, but it did not notice the hacker activity until Visa and MasterCard alerted it to suspicious activity surrounding processed card transactions. Heartland's immediate response was to develop an end-to-end encryption solution. Last week, Visa temporarily removed Heartland from its list of PCI DSS compliant service providers.

More details at 2008breach

Trust based Security

Information security standards and certifications are always good: they help organizations win customer confidence and get business. But being compliant does not guarantee that your business assets are protected. Security is trust, and when security is compromised, trust is lost. And when trust is lost, you lose your business.

Many people talk about security during the annual internal/external audit and forget about it once the certification process is over. We define information security policies and standards because they are mandatory or regulatory, or simply because we need to be compliant.

When performing risk analysis for each business asset, we evaluate the existing security controls, if any, or add a new one if there is none. But people normally do not think beyond compliance to the level of security those controls actually provide. Our network is not protected just because we installed an IPS solution from a leading vendor. We need to evaluate the trust level of each business asset (people, processes, devices and data) both before and after placing a security control, so that we know what the control has actually changed.

The last thing anyone would like to hear at this time is another data breach. Proper monitoring and continuous security review will help us increase the level of trust in each business asset. Companies need to improve the trust level of their business assets before asking customers to trust them.

Disclaimer: "Whatever I discussed here are my personal opinions and they do not represent the opinions or positions of my employer."

Posted by Praveen Karunakaran on 25 March 2009 at 05:19 PM in IT Security | Permalink

Reposted from https://blog.isc2.org/isc2_blog/2009/03/security--beyond-compliance.html
