Thursday, 3 May 2012

Compliance isn't everything.

What Good is PCI-DSS? from Infosec Island.

More evidence that Compliance should never be equated with Security. There are three issues to my mind:
1. "Point in time" compliance, that is, you're Compliant at the date of the Assessment, but once the auditors have gone, if you don't have Continuous Controls, you can drift from that position quite rapidly.
2. Quality of Assessment, i.e. a bad QSA, or a good one with bad advice, can assess positively in error. And the organisation has no interest in a negative result, so will do all they can to gain a pass. The result is false positives.
3. The Human Factor. As the linked piece says: "No matter how much technology you throw at security, people will always be the weakest link. The PCI-DSS standard (and many others) doesn't do a very good job of evaluating how well we train our people to recognize social engineering and spear phishing."

As I've said before, compliance is not security, but if you do security right, you'll achieve compliance. Get your horse in front of your cart. And manage that Human Factor.

