Security vs. Compliance (Serving two Masters)



Security vs. Compliance

Why VS?

•Compliance and Security should complement and aid each other in fulfilling the corporate security goal

–Many times this is not the case

•Sometimes there are misinterpretations of what satisfying a compliance requirement means versus true security

•Compliance is often thought of as being equal to security rather than as augmenting and helping the total security posture

•Compliance is often the driver and reason for “knee jerk” reactions in applying security technologies

–Sometimes not fully assessed for impact, risk need, etc.



Key Points

•Security and Compliance often overlap BUT

–Sometimes organizational security requirements are unrelated to compliance

   •(Example: Perform “red team” vulnerability analysis)

–Sometimes compliance requirements are unrelated to Security

   •(Example: Lock down Internet Explorer, but the environment doesn’t even allow Internet access)

•Security is the necessary foundation for compliance and not the other way around!

•Security focuses on the protection of the organization

•Compliance often focuses on the protection of the individual or entity

–Sarbanes-Oxley compliance only requires assessment of databases involved in financial reporting (what about the other DBs?)

–How many other threat vectors can lead to the compromise of the same or similar data?



Key Points

•A company can fall into the trap of thinking that is ALL it has to secure, or start trying to figure out how best to meet only the regulatory compliance goals.

–Other security aspects can get pushed aside, forgotten, or purposefully not addressed in order to redirect resources to regulatory compliance issues.

–Budgets are then allocated in response to compliance issues instead of proactively looking at security initiatives ahead of time.

•An organization can fall into the trap of “checkbox” compliance

–Enterprises don’t give much thought to appropriate policies or required systems, nor to what they are going to do with the inevitable streams of data coming from the new security products bought to satisfy some compliance control.



Compliance

•Compliance refers to

–Establishment of corporate policies to meet regulatory requirements

–Validation that corporate systems and procedures comply now (or have complied in a specific period of time) with regulations

•US regulations include:

–Sarbanes-Oxley

–California SB 1386

–21 CFR Part 11

•Compliance policy for automated information systems (AIS) derived from corporate compliance policy



Compliance

•Compliance = Regulations

–FISMA, HIPAA, Sarbanes-Oxley

–And the tide keeps rising

•The rationale behind the regulations is to increase transparency and/or improve efficiency



Overview of Regulations
Various regulations, both industry-specific and geography-specific, mandate the protection of information. Outlined below are several regulations and their security requirements:


Security

•Increasing need for organizations to know who is doing what, when, and with what information, and then to authorize only certain people to do certain things at certain times



Compliance only = False sense of security sometimes

•Hannaford Bros Grocery Chain

–4.2 million credit card numbers exposed

–Had recently been PCI certified

–Certified in February of 2008

–Attack commenced on Dec. 7 but wasn’t contained until March 10th.



Security and Compliance

•Compliance policies typically address

–Conditions under which authorized users can access functions or data

–Maintaining records of user access to functions/data

–Preventing modification or disclosure of data (unintended or deliberate)

•Security mechanisms

–Can implement policies which support compliance

–Provide evidence of compliance

•Security does not guarantee compliance and compliance does not guarantee security!!!!



Fundamentals of Technology to Support Security and Compliance

•Collection/consolidation of content (in a content management system)

•Authentication

•Encryption and Rights Management (in place, in transit, in use)

•Non-Repudiable Audit Trail of access and routing
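Added illustration, not from the slides: the "Security" slide asks for knowing who does what, when, with what information, and authorizing only certain people at certain times; the "Security and Compliance" slide says security mechanisms can both implement such policies and provide evidence of compliance. The example below ties those together: a time-windowed authorization check whose every decision (allowed or denied) is written to a hash-chained, keyed-MAC audit trail that can be verified later and queried as compliance evidence. The policy rules, principal and resource names, the audit key and the timestamps are all constructed for the demo. One caveat worth stating: a keyed MAC gives tamper evidence, but non-repudiation in the strict sense requires that the key not be held by the party whose actions are logged, for instance a separate log collector or asymmetric signatures.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample policy (hypothetical): who may perform which action on which
# resource, and the UTC hour window [start, end) during which the rule applies.
POLICY = [
    {"principal": "alice", "resource": "fin-db", "action": "read",  "hours": (8, 18)},
    {"principal": "alice", "resource": "fin-db", "action": "write", "hours": (8, 18)},
    {"principal": "bob",   "resource": "hr-db",  "action": "read",  "hours": (0, 24)},
]

# Constructed demo key. In a real deployment the key belongs to the log collector,
# not to the application writing entries, otherwise the writer could forge the trail.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # chain link for the very first record


def authorize(policy, principal, resource, action, at):
    """True only if a rule grants this principal/resource/action and the request
    time falls inside that rule's UTC hour window."""
    hour = at.astimezone(timezone.utc).hour
    for rule in policy:
        start, end = rule["hours"]
        if (rule["principal"] == principal and rule["resource"] == resource
                and rule["action"] == action and start <= hour < end):
            return True
    return False


def _canonical(body):
    # Stable serialization so the MAC is recomputable byte for byte.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(trail, key, principal, resource, action, at, allowed):
    """Append a record that commits to the previous record's MAC; altering or
    deleting any earlier entry breaks the chain for every later one."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {"ts": at.isoformat(), "principal": principal, "resource": resource,
            "action": action, "allowed": allowed, "prev": prev}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    trail.append(body)
    return body


def verify_trail(trail, key):
    """Recompute every MAC and check every chain link; False on any tampering."""
    prev = GENESIS
    for rec in trail:
        if rec["prev"] != prev:
            return False
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False
        prev = rec["mac"]
    return True


def guarded_access(policy, trail, key, principal, resource, action, at):
    """Decide, then record the decision whether it was allowed or denied."""
    allowed = authorize(policy, principal, resource, action, at)
    append_record(trail, key, principal, resource, action, at, allowed)
    return allowed


def access_report(trail, resource):
    """Compliance evidence: who did what to a resource, when, and whether it was allowed."""
    return [(r["ts"], r["principal"], r["action"], r["allowed"])
            for r in trail if r["resource"] == resource]


def demo():
    """Run three constructed requests, verify the trail, then show that a single
    after-the-fact edit (flipping a denial to an allow) is detected."""
    trail = []
    t_work = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)   # inside alice's window
    t_night = datetime(2024, 1, 15, 23, 0, tzinfo=timezone.utc)  # outside it
    decisions = [
        guarded_access(POLICY, trail, AUDIT_KEY, "alice", "fin-db", "read", t_work),
        guarded_access(POLICY, trail, AUDIT_KEY, "alice", "fin-db", "read", t_night),
        guarded_access(POLICY, trail, AUDIT_KEY, "bob", "fin-db", "read", t_work),
    ]
    intact_before = verify_trail(trail, AUDIT_KEY)
    report = access_report(trail, "fin-db")
    trail[1]["allowed"] = True  # simulate someone rewriting history
    intact_after = verify_trail(trail, AUDIT_KEY)
    return {"decisions": decisions, "intact_before": intact_before,
            "intact_after_tamper": intact_after, "fin_db_report": report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The point for the "where to spend" discussion is that one mechanism serves both masters: the authorization check is the actual security control, and the verifiable trail it produces is the record a compliance review asks for, without a second product bought only to tick the box.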



Fundamentals of Planning for Security and Compliance

•Business Process Modeling

•Understand regulatory requirements

•Establish a process for compliance review

•E-discovery



Where To Spend

•First try to recognize the discrete differences between security and compliance

•Allocate resources, effort, and money where they mutually benefit both areas as much as possible.

•Use compliance regulations as an impetus to improve security

–Many compliance regulations address more procedural and process-oriented activities, usually reactive rather than proactive

•Organizations SHOULD be installing security mechanisms that aid in BOTH actual security and the procedural and process-oriented compliance requirements.