Tuesday, January 5, 2016

Security vs. Compliance

Snippet from a recent exchange where I was having fun. Content was dictated... Forgive obvious errors.

Security: Driven by fear, pain
Compliance: Driven by fear, pain
Security: Because of security operations, business management, customers
Compliance: Because of auditors/assessors, business management, customers
Security: Because of news stories, threats, previous compromises, 60 Minutes, bogeyman, contract requirements
Compliance: Because of assessments, legal requirements, contract requirements/agreements, organizational policy
Security: Because no one wants to lose their job
Compliance: Because of regulations and standards such as HIPAA, CJIS, FedRAMP, PCI DSS
WHO?: Similar stakeholders involved. They may not see it that way, but they are.
WHAT?: Same data involved. Financial information, intellectual property, credit card data, electronic patient healthcare information, plans for the Death Star version 2.0, rocket ships, music tracks for Adele's next album.
WHEN?: All the time. Continuous compliance is the new black. Typically/traditionally annual review, but this is changing.
WHERE?: Primary focus and scope is always where data is stored, processed, or transmitted, because these are the places to which you have direct access. Includes everything layer 2 adjacent. Location doesn't matter. Public/private – don't care. Secondary focus is always on the supporting infrastructure and the security/operations management infrastructure for the primary scope. Includes any system that directly accesses the primary scope. There are some exceptions.
WHY?: Protect Data. Same objective.
Compliance and security are different animals with completely different objectives. How can you say that if you meet compliance objectives then you are secure?
The vast majority of the regulations, standards, and best-practice frameworks directly address the requirement for an active risk management program. Risk management is the identification of potential threats, prioritization, cost analysis, and threat mitigation through the use of safeguards. Another word for safeguards is controls. They are synonymous.
Therefore, you must effectively address all security risk (subjective qualitative and quantitative) before you can attest to meeting risk management control objectives for compliance.
No seriously. Compliance is not security.
That's correct. Security is an outcome of compliance executed properly. Compliance is how the football team executes the offense. Security represents the offensive linebackers. The Dallas Cowboys had arguably the best offensive line in football. Unfortunately, nothing else worked. We will not discuss the outcome of the season.
But my customer asked me a question that sounded a whole lot like a security question…
Perhaps it was. Or perhaps, if you dig a little bit deeper, you will find that the security requirement is driven by a compliance requirement/objective.
My customer said they only care about security.
Sometimes this is true. Other times, you may find that management has a different viewpoint.
Healthcare, financials, anyone dealing with money, customer information, trading/reporting publicly, global operations, public sector, critical infrastructure, high-risk operations looking for a DOD equivalent, defense, federal, foreign governments, consumer transactions, B2B transactions, service providers, etc. Pretty sure that includes most of the Fortune Global 500. http://fortune.com/global500
Are you sure you know what you're talking about?
<Drop the mic..>