Tuesday, October 30, 2007

Security Benefits of Compliance

Computer World has an article up (link) by Dan Sarel, vice president of products at a database security company, in which Mr. Sarel gives his perspective on "Why we still invite data breaches." The article mentions various breaches (e.g., TJX, Monster.com, Fidelity Information Services) and laments that
It may be impossible to secure enterprise data completely, but as the threat landscape changes, enterprise security has been slow to catch up. For some, new standards such as the credit card industry's PCI-DSS served as a wakeup call. Yet many companies that have gone through the process of complying with new security standards still remain far from securing themselves.

While I think Mr. Sarel's point that many companies are still not secure is basically accurate, I was surprised by his characterization of companies that have gone through the process of complying with the new security standards as "far from securing themselves." Actually complying with the relevant standards can have a significant impact on an organization's security. Case in point: TJX. According to publicly available information, that company's breach was made much worse than it needed to be because TJX had essentially no idea what was going on inside its own network, even to the point that the intruders passed encrypted messages to each other over it. That kind of use of a compromised network is exactly what the 10th requirement of the PCI DSS (track and monitor all access to network resources and cardholder data) is meant to catch. The requirement calls not only for logging access but for regularly reviewing those logs, and encrypted traffic between hosts that have no business talking to each other stands out quickly once someone is actually looking. Rather than leaving a company far from securing itself, compliance with the applicable regulations (e.g., GLBA, HIPAA, PCI DSS) actually leads to better security. Mr. Sarel glosses over this when he lumps compliant and non-compliant entities together, and, in my opinion, it weakens his article overall.
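To make the Requirement 10 point concrete, here is an added example (my own code, not anything from Mr. Sarel's article, from TJX, or from the PCI DSS itself) of the kind of review that "track and monitor all access to network resources and cardholder data" implies. It reads a small, constructed connection log, compares each flow against a hypothetical allowlist of what the cardholder data environment is supposed to carry, and flags two things: hosts inside the cardholder segment talking directly to each other (the sort of traffic the intruders' encrypted messages would produce) and any flow out of the segment that is not on the list. The addresses, ports, segment boundaries and log format are all assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample of connection log lines (not real data from any breach):
# timestamp, source, destination, destination port, bytes transferred.
SAMPLE_LOG = """\
2007-10-30T02:14:01Z,10.20.0.11,203.0.113.10,443,5120
2007-10-30T02:14:07Z,10.20.0.12,203.0.113.10,443,4870
2007-10-30T02:15:22Z,10.20.0.11,10.20.0.12,443,20480
2007-10-30T02:15:40Z,10.20.0.12,10.20.0.11,443,18304
2007-10-30T02:16:03Z,10.20.0.11,198.51.100.77,22,913408
2007-10-30T02:20:00Z,10.10.0.5,10.20.0.11,22,2048
2007-10-30T02:21:00Z,10.10.0.5,10.20.0.12,22,2048
"""

# Hypothetical cardholder data environment (CDE) and the only flows it is
# expected to carry. In a real deployment this list comes from the network
# documentation that PCI DSS Requirement 1 already makes you maintain.
CDE = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_FLOWS = {
    # (source network, destination network, destination port)
    (CDE, ipaddress.ip_network("203.0.113.10/32"), 443),  # POS -> payment gateway
    (ipaddress.ip_network("10.10.0.5/32"), CDE, 22),      # admin jump host -> POS
}

Connection = namedtuple("Connection", "ts src dst port nbytes")
Alert = namedtuple("Alert", "kind conn")


def parse_log(text):
    """Parse the constructed CSV-style connection log into Connection records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        conns.append(Connection(ts, ipaddress.ip_address(src),
                                ipaddress.ip_address(dst), int(port), int(nbytes)))
    return conns


def is_allowed(conn):
    """True if the flow matches an entry on the allowlist."""
    return any(conn.src in s and conn.dst in d and conn.port == p
               for s, d, p in ALLOWED_FLOWS)


def find_alerts(conns):
    """Review every connection that touches the CDE and return the anomalies."""
    alerts = []
    for c in conns:
        if c.src not in CDE and c.dst not in CDE:
            continue  # does not touch cardholder systems; out of scope here
        if c.src in CDE and c.dst in CDE:
            # POS hosts have no reason to talk to each other; this is the
            # pattern that compromised hosts relaying traffic would leave.
            alerts.append(Alert("lateral-traffic-in-cde", c))
        elif not is_allowed(c):
            alerts.append(Alert("unexpected-flow", c))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        c = a.conn
        print(f"{a.kind}: {c.ts} {c.src} -> {c.dst}:{c.port} ({c.nbytes} bytes)")
```

On the constructed log this flags the two encrypted POS-to-POS sessions and the large SSH transfer from a POS host to an outside address, while the gateway and jump-host traffic passes quietly. The logging is the easy part; the value comes from the allowlist being accurate and from someone running a review like this every day, which is what the standard asks for.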

1 comment:

Unknown said...

Businesses are more and more concerned about business data protection. Network security, at the perimeter, is not a totally solved problem, but there is a community consensus among IT security professionals that the big vulnerability lies at the business data level.