Working to accomplish compliance and security
by Christopher Strand - PCIP - Senior Director of Compliance at Bit9 - Friday, 25 April 2014.
Organizations have until January 2015 to meet the new requirements of the PCI Data Security Standard version 3.0. Businesses need to ensure that compliance is cyclical and proactive rather than a report pulled together just before the auditor arrives. How can a business protect its infrastructure and data on multiple levels? This article discusses strategies that can help organizations more easily achieve and maintain PCI compliance.

Achieving compliance with more stringent, dynamic, and overlapping governmental and industry regulations requires that your enterprise:
  • Protect business-critical corporate information, most notably personally identifiable information (PII).
  • Maintain control over and ensure visibility into corporate information assets, from servers to widely distributed and mobile endpoints.
  • Communicate your security policies and procedures with employees and partners.
These mandates are essentially the same requirements as those for an effective security posture. Yet it has been shown time and again that passing compliance audits is no guarantee that you are secure, whether from internal breaches (unintentional or planned malfeasance) or from external attacks such as advanced persistent threats (APTs).

It falls substantially to an increasingly strapped IT department to ensure the enterprise can meet its regulatory compliance goals, as well as detect and stop threats to enterprise information.

By focusing on driving risk out of the equation and taking a more proactive and, where appropriate, automated approach to security, IT can fulfill both missions more efficiently: achieve compliance, better protect corporate information, and help meet the financial goals of the enterprise.

Compliance controls don't make a security posture

Given that compliance and security share similar mandates, you’d expect considerable overlap in enterprise compliance and security initiatives. In actual practice, organizations continue to focus on, and budget for, meeting specific compliance controls, whereas it may be more challenging to obtain funding for new security initiatives. Frequently, initiatives to meet and pass compliance audits are crafted and maintained by teams separate from enterprise security.

Say you’ve addressed the requirements for a specific compliance regulation by deploying some basic security technology. To help satisfy PCI DSS requirements, you’ve installed encryption software and simple access controls. You may pass a PCI DSS audit, but you have not achieved an effective enterprise security posture.

Today’s advanced attacks are designed to work around these defenses—knowledge that those designing compliance strategies may not possess and may not be held accountable for in the long run. The two realms need to coordinate.

Does the company’s security posture monitor where and when encryption software is actually running? And what steps have been taken to prevent access and authorization controls from being hijacked, a technique common to advanced attacks? Valuable data and business systems remain vulnerable and, if compromised, may result in significant damages (lost business, notification requirements, penalties and fines, damage to brand, etc.).

Reactive security is no match for advanced attacks

Those responsible for designing security strategies may feel they are adequately protecting the data and systems to meet compliance regulations by using tools such as AV software and HIPS.
