Wednesday, July 6, 2011

We need to be a partner, not a slave, to our auditors.


Compliance drives a large portion of our IT spend and our IT efforts. In 2011 it is just a fact of life. We were all scared to death back during the Enron/Andersen affair and by the tide of regulations that followed. Serious enough SOX violations can mean going to jail. Beyond that, the PCI fines that can be levied on a company for violations can (in theory) reach 250,000 per occurrence. We need to take all these regulations deadly seriously… but here is where we run into the disconnect.
I have met very few security or administration professionals who have actually read the regulations they are complying with, I mean really read them. Most overworked and under-resourced security administrators just read the auditor's requirements.
The entire PCI DSS requirements document is under 25 pages, and they are low-density pages. GLBA is less than a page. Granted, some of the others (notably FISMA) are a lot more comprehensive. Most of what the large body of regulatory requirements asks for is near identical to what an average CISSP would design anyway. In retrospect I think the fusillade of regulations caused us to panic. No one wanted to be seen as not addressing the problem, so we overreacted badly. This overreaction gave us two significant problems.
1) Compliance drives security, not the other way around.
2) In our confusion and frustration we hire an auditor and believe everything they say.
Neither of these seems particularly bad at first glance; a bit concerning maybe, but not awful. After digging in a bit it grows more problematic.
Regulations will always be trailing edge. We can't regulate something until we know about it. We don't regulate something until there is a problem with it. So by the time a threat vector becomes subject to regulation it is already full blown and pervasive. By letting compliance drive security we are in a perpetual game of catch-up, always letting the malefactors have a head start.
The decision to follow our auditors' recommendations should fix this. They are IT security professionals and have the time and intensity to spend on creating a proactive threat mitigation program. In a perfect world it would work just like that. In practice auditors are just like every other business in the world: they are all about maximizing their profits. That incentive maximizes the amount of work they recommend and the amount of paper they produce.
Do not mistake me for being anti-audit or anti-auditor. I am not. What I am against is the abdication of thought and responsibility that is becoming standard.

Our Auditors must become our partners in compliance and security, not our masters. We, as IT professionals, need to read our Compliance standards, understand them, and question the plans for compliance. 

We need to push back against excessive controls that do not actually address the issues. In my time with clients in the field I have seen zealous adherence to really odd controls under the blanket logic of "it is required for PCI" or something similar. The compliance standards are invoked like magic words. If I then pull out my copy of the PCI DSS and show that whatever truly odd control is exhibited that day is not in the standard at all, I am greeted by an awkward silence. I have seen equally odd reasons for gaping security holes: "We can't fix that, we have to do it that way for compliance."
Neither security nor compliance is rocket science. We may need to stab some sacred cows and may have to change a few business processes so we aren't fighting ourselves. Above all we must remember that we, as the IT security industry, have a responsibility to design and implement the best solutions we can. Neither audit nor compliance changes this basic fact.
