Working to accomplish compliance and security
by Christopher Strand - PCIP - Senior Director of Compliance at Bit9 - Friday, 25 April 2014.
Organizations have until January 2015 to meet the new requirements of the PCI Data Security Standard version 3.0. Businesses need to ensure that compliance is cyclical and proactive rather than a report pulled together just before the auditor arrives. How can a business protect its infrastructure and data on multiple levels? This article discusses strategies that can help organizations more easily achieve and maintain PCI compliance.

Achieving compliance with more stringent, dynamic, and overlapping governmental and industry regulations requires that your enterprise:
  • Protect business-critical corporate information, most notably personally identifiable information (PII).
  • Maintain control over and ensure visibility into corporate information assets, from servers to widely distributed and mobile endpoints.
  • Communicate your security policies and procedures to employees and partners.
These mandates are essentially the same requirements for an effective security posture. Yet it has been shown time and again that passing compliance audits is no guarantee you are secure, whether from internal breaches (unintentional or planned malfeasance) or external attacks, such as advanced persistent threats (APTs).

It falls substantially to an increasingly strapped IT department to ensure the enterprise can meet its regulatory compliance goals, as well as detect and stop threats to enterprise information.

By focusing on driving risk out of the equation and taking a more proactive and, where appropriate, automated approach to security, IT can fulfill both missions more efficiently: achieve compliance, better protect corporate information, and help meet the financial goals of the enterprise.

Compliance controls don't make a security posture

Given that compliance and security share similar mandates, you’d expect considerable overlap in enterprise compliance and security initiatives. In actual practice, organizations continue to focus on, and budget for, meeting specific compliance controls, whereas it may be more challenging to obtain funding for new security initiatives. Frequently, initiatives to meet and pass compliance audits are crafted and maintained by teams separate from enterprise security.

Say you’ve addressed the requirements for a specific compliance regulation by deploying some basic security technology. To help satisfy PCI DSS requirements, you’ve installed encryption software and simple access controls. You may pass a PCI DSS audit, but you have not achieved an effective enterprise security posture.

Today’s advanced attacks are designed to work around these defenses—knowledge that those designing compliance strategies may not possess and may not be held accountable for in the long run. The two realms need to coordinate.

Does the company’s security posture monitor where and when encryption software is actually running? And what steps have been taken to prevent access and authorization controls from being hijacked, a common technique of the advanced attack? Valuable data and business systems remain vulnerable and, if compromised, may result in significant damages (lost business, notification requirements, penalties and fines, damage to brand, etc.).

Reactive security is no match for advanced attacks

Those responsible for designing security strategies may feel they are adequately protecting the data and systems to meet compliance regulations by using tools such as AV software and HIPS.
