BLUF - Bottom Line Up Front
IT compliance and information security are not the same. Compliance involves meeting specific requirements to manage risks, but this does not guarantee security. Real security needs constant monitoring and quick responses. For example, detecting and addressing unauthorized wireless access should happen continuously, not just quarterly. Similarly, log monitoring should be ongoing, not periodic. Implementing a robust security framework like ISO 27001 can enhance overall security, integrating compliance with proactive measures.
In IT management, IT compliance is often equated with information security. Unfortunately that is not the case: they are two very different things. In this article we simplify compliance and discuss why a proactive security program is the better approach for modern business practice.
Being Compliant alone cannot secure data
Being compliant means your business fulfils a set of requirements and mandates. These requirements consist of policies, laws, rules, specifications and standards, all of which are intended to reduce overall risk by holding business practice to an agreed-upon set of requirements. A unified compliance framework can be implemented successfully simply by ticking each of its checkboxes. One might infer from this that compliance is not needed. To be clear: being compliant, and operating in a compliant manner, is a good thing for a company to do, but on its own it will not secure your data.
To what degree, and by what means, a company becomes compliant is largely left open. An organization can use any number of methods to satisfy the requirements of a compliance check. This is why being compliant does not mean the company is secure. Let's take a look at an example, from PCI DSS 3.2, requirement 11.1:
“Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.”
This is a good example of where actual security can be overlooked. A company can more than satisfy this check and still be very insecure. Yes, the business needs to do this, but monitoring for rogue wireless access points needs to be continuous, not a quarterly exercise that satisfies a checkbox. If you are serious about stopping wireless threats, continuous, around-the-clock monitoring and response should be in place. Reality: a successful wireless attack can be extremely fast, so why shouldn't your response be?
Real-Time Monitoring
Similarly in the compliance space, but this time HIPAA Security rather than PCI DSS, we can look at C.F.R. § 164.308(a), which states that to be compliant you must develop procedures for monitoring log-in attempts and reporting discrepancies.
Yes, those practices are a good thing! Yet the only requirements are monitoring and reporting. Again, this should be an ongoing, around-the-clock activity: monitoring should be continuous, and beyond being reported, suspicious activity should be investigated in near real time. There is a big difference between looking at log files at a set interval and near-real-time alerting. By contrast, the NIST SP 800-37 standard does call for near-real-time monitoring, but that's a whole different compliance standard. You may be asking yourself, “with this many different compliance standards, how does my company build the most secure system?”
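To make the difference between interval log review and near-real-time alerting concrete, here is an added Python example (not from the original article): a small streaming detector for repeated failed log-ins over constructed sshd-style log lines, which also reports the detection latency of streaming alerting compared with a periodic review of the same log. The log lines, the five-failures-in-sixty-seconds threshold and the 09:00 review time are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sshd-style auth log lines (sample data, not from a real system).
SAMPLE_LOG = """\
2024-03-01T02:14:05 sshd[812]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-01T02:14:09 sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-01T02:14:12 sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T02:14:15 sshd[812]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-01T02:14:18 sshd[812]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-01T02:14:21 sshd[812]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2024-03-01T09:30:00 sshd[990]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse(line):
    """Return (timestamp, result, user, source_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]) if m else None

def stream_detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Streaming detector: alert as soon as `threshold` failures from one source fall inside
    `window`; a later success from an alerted source is a discrepancy to investigate."""
    failures = defaultdict(deque)          # src -> timestamps of recent failures
    alerted, alerts = set(), []
    for ts, result, user, src in filter(None, map(parse, lines)):
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:      # forget failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append((ts, src, f"{len(q)} failed logins within {window.seconds}s"))
        elif src in alerted:
            alerts.append((ts, src, f"successful login for {user} after alerted failures"))
    return alerts                          # [(alert_time, src, note), ...]

def detection_latency(lines, review_time=None, **kw):
    """Seconds between the first failure from the offending source and the moment someone
    can act: the alert time when streaming, or `review_time` (ISO 8601) for periodic review."""
    alerts = stream_detect(lines, **kw)
    if not alerts:
        return None
    alert_ts, src, _ = alerts[0]
    first = min(ev[0] for ev in filter(None, map(parse, lines)) if ev[3] == src and ev[1] == "Failed")
    acted = datetime.fromisoformat(review_time) if review_time else alert_ts
    return int((acted - first).total_seconds())
```

On the sample data the streaming detector can alert 13 seconds after the first failure, while a review at 09:00 the same morning would surface the same events more than six hours later, after the successful login had already happened.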
The solution for a higher standard of security is exactly that: a security framework consisting of a set of standards, policies, guidelines and procedures, put in place by management for the business to follow. The program envelops your whole business, reducing risk and providing assurance in every aspect of the business's actions. The exact needs will differ for each business. One such existing guideline is ISO 27001, the current information security standard, from which you can implement the compliance standards you need. Check out the ultimate CISO guide on the Top 30 Security Control Frameworks 2019.
In conclusion, we've explained why compliance does not equal security and discussed taking the proactive next step in security that this ever-evolving world requires. If you are interested in taking your compliance to where it impacts security, give us a ring or contact us for a demo!