Continual Compliance (Compliance vs. Security)

By - August 18, 2015

There is a modification of an old saying that has come to the security community: “Security is a journey, not a destination.” The idea is that security requires constant vigilance, awareness and effort; it is not something you can do once and forget about. Information systems are constantly under attack. The average internet-exposed system experiences at least 100 automated attacks per day. Attackers might not succeed the first time they try to penetrate a system and steal data, but they will keep trying, over and over again, until they breach it. Compliance, by comparison to security, is a process with a defined beginning and end that measures security at a point in time. W. Edwards Deming is generally credited with the statement that you can’t manage what you can’t measure, and by the same token we can’t be sure our security is working if we can’t validate its effectiveness. So compliance has its place: to regularly test our effectiveness. But relying on a compliance-only program will guarantee a data breach. The large number of “PCI compliant” organizations that have suffered data breaches (Target, Home Depot, etc.) is evidence that compliance alone is not enough.

The Payment Card Industry Security Standards Council (PCI SSC) has recognized this failure and added a recommendation for Business As Usual (BAU) compliance as part of the new version of the PCI DSS. While this is not a requirement, it provides several advantages.

First, our clients often pass their first PCI assessment only to fail their second, because several controls needed to happen all year. They complete the assessment, consider it done, and then stop all the ongoing controls that are part of the assessment. We routinely show up for the year-two audit and find that only one or two quarterly ASV scans passed, that they have done none or only one of the firewall rule reviews that were supposed to happen semiannually, and that the central logging system ran out of disk space a month ago but nobody noticed (meaning they obviously did not do “daily” log reviews). Failings like these make it impossible to prove that the system was compliant in year two without lots of compensating controls, which leads into point two.

Second, the cost of putting controls in place, stopping them, and then reimplementing them is often going to be more expensive than keeping the process going all year round. Sure, policies and procedures are written, but most of the actual security processes require regular actions, and once you get into the habit of doing them they are easy. Think of it like passwords. Every time password complexity gets tougher there are revolts from the user base that passwords are too hard to remember. Remember there was a time when password complexity was never enabled and most passwords had a maximum length of 8 characters. But a couple of months after the change the users get into the habit, figure out a system, and support calls return to the same level they were at before the change. So if you keep the controls in place, there will be an initial pain hump, but it will go away. If you reimplement the controls every year you are guaranteeing that your audit, and the months leading up to the audit, will be painful and longer every year.

Third, and most importantly, if the controls are not in place at all times the risk of a data breach is dramatically increased. While the PCI DSS is not perfect, it is an impressive list of security controls that would make it really difficult for a fully compliant organization to be breached. It has preventative, detective, and ongoing controls that, if all followed as designed, would have stopped or at least identified all the breaches that have had details published so far.
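As an added example (not code from the original post or its authors) of what business-as-usual monitoring of these controls looks like: a Python check over constructed control-run records that reports which recurring controls are overdue at audit time and how many days of the audit period a control went uncovered. The control names and cadences are assumptions for illustration, not PCI DSS text.

```python
from collections import namedtuple
from datetime import date, timedelta

# Assumed cadences (max days between runs) for recurring controls named in the post.
CADENCE_DAYS = {
    "asv_scan": 90,               # quarterly external vulnerability scan
    "firewall_rule_review": 182,  # semiannual firewall rule set review
    "log_review": 1,              # daily log review
}

# One record per time a control was actually performed.
ControlRun = namedtuple("ControlRun", "control performed_on")

def overdue_controls(runs, as_of, cadence=CADENCE_DAYS):
    """Map each overdue control to days past its cadence as of `as_of` (None = never run)."""
    latest = {}
    for run in runs:
        if run.control not in latest or run.performed_on > latest[run.control]:
            latest[run.control] = run.performed_on
    overdue = {}
    for control, max_age in cadence.items():
        if control not in latest:
            overdue[control] = None
            continue
        age = (as_of - latest[control]).days
        if age > max_age:
            overdue[control] = age - max_age
    return overdue

def uncovered_days(runs, control, start, end, cadence=CADENCE_DAYS):
    """Count days in [start, end] with no run of `control` inside its cadence window."""
    run_dates = [r.performed_on for r in runs if r.control == control]
    max_age = cadence[control]
    gaps, day = 0, start
    while day <= end:
        # A day is covered if some run happened on it or within max_age days before it.
        if not any(0 <= (day - d).days <= max_age for d in run_dates):
            gaps += 1
        day += timedelta(days=1)
    return gaps

def demo():
    """Constructed year-two scenario: a January ASV scan then nothing until a scramble before
    the audit, one firewall review last December, daily log reviews that stopped in mid-July."""
    runs = [ControlRun("asv_scan", date(2015, 1, 15)), ControlRun("asv_scan", date(2015, 8, 10)),
            ControlRun("firewall_rule_review", date(2014, 12, 1))]
    runs += [ControlRun("log_review", date(2015, 7, 1) + timedelta(days=i)) for i in range(18)]
    audit = date(2015, 8, 18)
    return {"overdue": overdue_controls(runs, audit),
            "asv_gap_days": uncovered_days(runs, "asv_scan", date(2015, 1, 15), audit)}
```

Feeding real ticketing or scanner records into `overdue_controls` on a schedule turns the year-two surprise into a same-week alert.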

Part of the security journey requires that businesses implement processes to assess their control framework periodically, and strengthen internal staff or leverage outside resources to help ensure PCI compliance and mitigate the risk of a data breach. But this process of regularly reviewing the controls has also been an area that our clients have struggled with. With all the day to day responsibilities it can be difficult to make time for these assessments and ensure that the regular processes are occurring. Our continual compliance services are designed to assist in this process and help our clients achieve ongoing compliance.

For further information, download the following whitepaper to learn how you can protect your customers’ card data and limit risk to the organization.
