Snippet from a recent exchange where I was having fun. Content was dictated, so forgive obvious errors.
Security | Compliance
--- | ---
Driven by fear, pain | Driven by fear, pain
Because of security operations, business management, customers | Because of auditors/assessors, business management, customers
Because of news stories, threats, previous compromises, 60 Minutes, the bogeyman, contract requirements | Because of assessments, legal requirements, contract requirements/agreements, organizational policy
Because no one wants to lose their job | Because of regulations and standards such as HIPAA, CJIS, FedRAMP, PCI DSS
Common to both:

PRIMARY OBJECTIVE: Protect data.

WHO?: Similar stakeholders are involved. They may not see it that way, but they are.

WHAT?: The same data is involved: financial information, intellectual property, credit card data, electronic patient healthcare information, plans for the Death Star version 2.0, rocket ships, music tracks for Adele's next album.

WHEN?: All the time. Continuous compliance is the new black. Typically/traditionally an annual review, but this is changing.

WHERE?: Primary focus and scope is always where data is stored, processed, or transmitted, because these are the places you have direct access to. This includes everything layer 2 adjacent. Location doesn't matter; public or private, don't care. Secondary focus is always the supporting infrastructure and the security/operations management infrastructure for the primary scope, including any system that directly accesses the primary scope. There are some exceptions.

WHY?: Protect data. Same objective.
FAQ

Q: Compliance and security are different animals with completely different objectives. How can you say that if you meet compliance objectives then you are secure?

A: The vast majority of regulations, standards, and best-practice frameworks directly require an active risk management program. Risk management is the identification of potential threats, their prioritization, cost analysis, and threat mitigation through the use of safeguards. Another word for safeguards is controls; the terms are synonymous. Therefore, you must effectively address all security risk (qualitative and quantitative, subjective as that is) before you can attest to meeting the risk management control objectives for compliance.

Q: No, seriously. Compliance is not security.

A: That's correct. Security is an outcome of compliance executed properly. Compliance is how the football team executes the offense; security represents the offensive linebackers. The Dallas Cowboys had arguably the best offensive line in football. Unfortunately, nothing else worked. We will not discuss the outcome of the season.

Q: But my customer asked me a question that sounded a whole lot like a security question...

A: Perhaps it was. Or perhaps, if you dig a little deeper, you will find the security requirement is driven by a compliance requirement or objective.

Q: My customer said they only care about security.

A: Sometimes this is true. Other times you may find that management has a different viewpoint. Healthcare, financials, anyone dealing with money, customer information, trading or reporting publicly, global operations, public sector, critical infrastructure, high-risk operations looking for DOD equivalent, defense, federal, foreign governments, consumer transactions, B2B transactions, service providers, etc. Pretty sure that includes most of the Fortune Global 500: http://fortune.com/global500

Q: Are you sure you know what you're talking about?

A: <Drop the mic.>