A discussion got started on Twitter two weeks ago about whether or not complying with standards and regulations such as PCI, HIPAA, FISMA, ISO 27001, etc worked when it comes to securing data.  A good friend of mine, Mike Smith of the Guerilla CISO Blog, offered the point of view that compliance works, it is just that we don’t have the right requirements.  It was my point of view that compliance doesn’t work and thus the point/counterpoint began.

 

Let me say that Mike and I are very good friends and we respect each other’s opinion and point of view.  That was good because we were able to focus on attacking each other’s arguments and the conversation didn’t degrade into the usual “you don’t get it and you should just listen to me because I’ve been doing this for x number of years and know what I’m talking about” that we regrettably so often see now a days.   Let me also say that Mike and I often like to play devil’s advocate in order to explore both sides of an argument.  I can say that what I’m about to relay, I honestly believe but I make no assertion with Mike’s point of view.  You’ll have to ask him if he holds that position or if he was playing devil’s advocate with me.  In the end it really doesn’t matter all that much. 

 

We took the discussion off Twitter and onto email because it is hard to develop and present arguments in the 140 character sound bites that are Twitter.   What I’m about to summarize is an email that I send laying out what I believe to be the salient points and my contention that compliance doesn’t work.  Once this is over please feel free to join the discussion – dissenting points of view are welcome. 

 

Point:

Compliance does work it is just that we haven’t done a good enough job in setting the requirements (the required elements of standards and regulations such as PCI, FISMA, ISO 27001, COBIT, etc).  Since these requirements are not directly translatable into buildable/testable requirements then they are not adequate and that is why compliance fails.  If our requirements were buildable and testable then achieving compliance would work. 

 

Counter Point:

Compliance doesn’t work because it is based on the assumption that achieving a given set of requirements will result in a secure system (or environment).  For example, installing a web application firewall or intrusion detection system will not necessarily help to secure your environment if they are not configured properly.  Standards and Regulations are often written to address the widest audience possible.  As a result many, if not all, of the requirements need to be tailored for each specific environment.   By refining the requirements you effectively reduce the applicable audience and by extension increase the number of variances that need to occur in order to widely apply the standard or regulation.  As a result you’ll still be struggling with the same issues just from a different direction.

 

In order for something to be considered a standard it must meet the balance between being applicable to a majority of its audience and be actionable.  If it is too broad then it can’t be a standard because it doesn’t provide value, if it is too narrow then it can’t be a standard because its audience is too small (i.e. it is not widely applicable).   So is it really a problem with standards?  I don’t think so. 

 

The main problem with the compliance mentality is that it has you striving to achieve a requirement which, while related to the goal, is not the actual goal of what you are trying to accomplish.  The goal that you are trying to secure information with a reasonable level of security controls.  A reasonable level of security involves much more than achieving a set of requirements within a standard.  It involves fully understanding the information lifecycle and choosing controls which correspond to how information is used and how critical it is to your organization.  By definition, standards don’t offer that. 

 

Now don’t get me wrong, I’m not advocating that we throw out standards such as PCI, FISMA, HIPAA, ISO, etc.  What I am saying is that we need to view them in the proper perspective and for what they are as opposed to what they have been portrayed as.  Standards and regulations can and do provide focus and some of the necessary elements to achieve a reasonable level of security but they do not make an organization secure in and of themselves. 

 

Is the answer to create more refined standards and regulations?  I don’t think so.  By doing so you would only make them less applicable.  What we do need to do is make sure that our approach to security not only incorporates the existing standards and regulations but goes beyond them is search of a reasonable level of security control.  (Whether a truly secure system is even possible is another topic that we can debate.)  Information Security is a journey, it isn’t a destination.  We need to foster an approach that values responsibility and reasonableness over blind compliance.  

 

Tags: Compliance, FISMA, Guerilla CISO, HIPAA, ISO 27001, Mike Smith, PCI, regulation, requirements, twitter

Mike Smith over on the Guerilla CISO blog has just posted a presentation entitled The Accreditation Decision and the Authorizing Official.  This is an update of a slide deck that Mike, Joe Faraone, and I have been using in our Potomac Forum C&A seminar’s for a few years.  Feedback from the government sector has been pretty good.  If you are in the position of accepting risk for a government system then you might find it interesting as well. 

You can find it at: http://www.guerilla-ciso.com/archives/699

Tags: Accreditation, Accreditation Decision, Authorizing Official, C&A, Certification, Guerilla CISO, Joe Faraone, Mike Smith, Potomac Forum, risk acceptance

The following is a very interesting white paper on the Evolution of Digital Forensics by Ian Charters.  Ian is a very good friend of mine and a member of the Board of Advisors for my company Ascension Risk Management.  The paper is aimed at the laymen and explores how digital forensics has evolved over the years. 

Ian’s background has covered a wide range of environments.  He began his career as an independent business man with his own networking and software development firm before he was recruited into the nation’s Intelligence community.  His tenure there spanned over 20 years and included service in both the Defense Intelligence Agency (DIA) and the Central Intelligence Agency (CIA).  It is from this time period from which Ian’s experience with digital forensics springs. 

If you have ever been interested in Digital Forensics then this paper is a great introduction into the field.  It is a quick, non-technical overview of the subject and aimed at the general reader.  Further papers may explore some of the more technical aspects of digital forensics and how they can be used in the corporate environment. 

This white paper was originally posted on The Guerilla CISO, a blog run by another friend of mine.  It is cross-posted here with permission by both The Guerilla CISO and the author. 

 

Click here to download the white paper in PDF format:

The Evolution of Digital Forensics by Ian Charters

Tags: Digital Forensics, Guerilla CISO, Ian Charters

There is a great post over on the Guerilla CISO.  The post is a guest post by a friend of mine and wonderfully illustrates how seeking to be merely compliant with current regulations can sometimes lead to problems when faced with a crisis. 

I won’t take any wind out of the author’s sails by commenting further right now.  Check out “Could the Titanic have changed course?” over on the Guerilla CISO.

Tags: Compliance, Guerilla CISO, Titanic