
Security and Compliance: They Are Not the Same Thing… But That’s OK

August 29, 2011

Does your organization have a security program, or a compliance program?  What’s that you say?  “If we’re complying with security mandates, then we have security”… Well, not really.  It’s time to put the myth to bed.

Ultimately, most compliance mandates – PCI DSS, HIPAA, SOX, GLBA, and others – are about protecting one type of data, not necessarily all business data, or all aspects of the systems that store, transmit and process it.  In some cases, the target is credit and debit card data (PCI DSS), protected healthcare information (HIPAA), or consumer data (GLBA).  In other cases, it’s a specific type of data, such as financial reports (SOX), and only one aspect of that data (in the case of SOX, the integrity of the data… not so much its confidentiality or availability).

Regardless of the regulation, its goal is to function as a starting point for a security program: one that minimally meets the regulation’s requirements, but is further augmented with additional policies, standards, procedures and controls to protect all valuable assets within the organization.  In order to protect sensitive data from either internal or external threats, it’s important that systems and processes are developed to achieve not only these minimum regulatory requirements, but also the additional objectives that make up a full-blown security program – which is actually much harder than it sounds.  Proving either can also be a real challenge for many organizations.

From a compliance perspective, you can “check all of the boxes” to demonstrate that you’re meeting a regulatory standard, but that doesn’t mean that your entire infrastructure is secure.  Take Stuxnet, for example, which targeted the industrial software running on Siemens PLCs (programmable logic controllers).  Energy-related organizations could comply with all of the necessary network security regulations relating to their industrial systems (such as the NERC CIP standards), yet that won’t stop a Stuxnet-style attack that enters the infrastructure via another part of the network and slowly – but surely – makes its way to its intended target.  In the case of Stuxnet, that target was the Siemens PLC units.

Ensuring information security and regulatory compliance isn’t easy.  It often requires different data sets to be analyzed and recorded – creating additional work for already stretched information security professionals.  Fortunately, there are some basic, overlapping components to many regulations that also happen to be fundamental aspects of good security practices:

  • Visibility into all security-related data (not just one type of data, like logs/events)
  • Correlation of data to determine when bad things are happening
  • Demonstration of improvement in compliance and security posture over time
  • Quantitative risk monitoring to identify systems that are at-risk
  • Easy reporting to demonstrate both compliance and network security

Wouldn’t it be nice if there was a way to capture all your network security data from across an entire Enterprise network in real time and report against different subsets – not just from today, but yesterday… or last week… or perhaps last month in order to evidence network security or compliance with regulatory mandates?

Somebody ought to develop a platform like that.
