Risk
1/30/2014
01:30 PM
Tom Bowers
Tom Bowers
Commentary
Connect Directly
RSS
E-Mail

Finding The Balance Between Compliance & Security

IT departments can reduce security risks by combining the flexibility of ISO 27000 with the stringent requirements of PCI. Here's how.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 11:23:20 AM
Re: Take software providers to court?
That will be definitely be something to watch for -- and probably not something that will be resolved quickly. If it's a protracted litigation that ends in a settlement, we might never find out. But then again, maybe it will be the game-changer that the industry needs to address these serious security issues. (I hope so!)
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 11:18:42 AM
Re: Take software providers to court?
The term "customer" refers to those retailers that use POS systems (e.g. - Target, Neiman Marcus, Michaels...). While unlikely to make headlines, I expect those retailers to file suit against their POS suppliers for not providing them secure POS systems and placing the retailer at risk.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 11:02:28 AM
Take software providers to court?
By "customers of POS systems" do you mean consumer or retailers? And by legal action, do you mean stronger enforcement of compliance regs or something else?
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:58:10 AM
Re: Balance Security - compliance isn't the issue
Marilyn the customers of POS systems and the government will need to put intense pressure on the POS companies to modernize. Unfortunately this will likely happen through the courts, which means a slower response. If the government is loathe to take haelth care software providers to court I see it as even less likely that they will take POS providers to court.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 10:53:02 AM
Re: Balance Security - compliance isn't the issue
Tom, if not government regs, what do you think it will take for organizations-- retail, healthcare and others -- to modernize POS systems. Apparently, the ROI of dealing with a breach (cost of bad publicity, identity theft, compromised data) is still tilted towards doing nothing.
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:20:34 AM
Re: Balance Security - compliance isn't the issue
Drew I'd like to think that this will move point of sale (POS) systems to modernize....but I doubt it. I see great similarities with health care systems. The POS / health care software REQUIRES antiquated operating systems with full administrative privledges to run. I am familiar with a large warehouse store that only recently upgraded their POS from Windows NT to Windows XP. Some upgrade. 
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:15:03 AM
Re: Balance Security - compliance isn't the issue
Andrew I could not agree more that compliance is not true security. The harsh reality however, is that as a CISO I must do both. I used 27000 as shorthand for the entire 27000 series. This article is driven by the need to implement both 27000 and meet PCI requirements. PCI is very black and white, inflexible and narrowly focused. By changing my organizations focus to see credit card data as another type of sensitive data we are able to place PCI requirements in a more balanced context. Check box security (compliance) will NEVER be completely effective as it leaves gaps. 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 10:11:16 AM
Re: Balance Security - compliance isn't the issue
I think the single most important thing that might come from this breach is more urgency to overhaul the card processing system in the United States.

 
AndrewB871
50%
50%
AndrewB871,
User Rank: Apprentice
1/31/2014 | 8:10:19 AM
Balance Security - compliance isn't the issue
So often I read articles like this where compliance is compared with security.  This is always going to be a pointless debate.

This article references 27000 - which is actually the vocabularly document at the start of the series of security standards.

27001 references a Management system.  Its flexible sure, you could have very few security controls and a well thought out risk assessment with the emphasis on risk acceptance.  27001 is FREQUENTLY mistaken for its control annex - which lists a lot of controls that are sensible to implement if the risks affect you.

27002 - is a security implementation standard

27005 is a risk assessment standard

Problem - in MANY MANY business environments, there was NO security AT ALL before a compliance regime mandated it, either for a specific data type (PCI / HIPPA / SSNs etc), of for the 'infrastructure'.

Flexibility swings both ways, and in a lot of business environments is code for 'what can we get away with not doing'. 

Most security standards that are enforced with a compliance regime are asking for the right things to be done.  What then typically happens is the pre-compliance mentantality of 'how little can we do' over rides the - what happens if questions.

I'm sure we will see some epic knee jerk responses in relation to the recent breaches in the USA.  Something that neither PCI or and ISO framework would have prevented IF the business didn't commit to the appropriate controls OR decided they would accept the risk because well - very few get published.

The single most important thing that happened was that these breaches have been published, which now makes the C-level community aware of the threats.  Implementing the security frameworks  should be focused around protection of the assets that are most valuable.  Clearly in these instances mag stripe card holder data is still valuable.

As is lots of other data - so the businesses with that data in their custody must focus on keeping it safe.  The PCI is focused on card data,  married with 27001 ( a robust management system incorporating risk assessment and treatment) is a very very strong pairing.  The 27001 management system would capture why certain controls are implemented in certain ways - perhaps because a contractual requirement from PCI would apply or because the business is going to accept the risk.  The difference with a ISO management system is it makes the risk based decisions visable to all.  This in itself forces accountability and can make people think twice before they say - well I'm not going to fix that.  Especially if the risk register says CxO said - he's accepting that risk because of XYZ.

 

 

 

 
AmmarNaeem
50%
50%
AmmarNaeem,
User Rank: Apprentice
1/31/2014 | 2:10:42 AM
Security
Flexibility is the key to make the balance between compliance and security. With ERP, our oganizations become more secure and flexible and more integrated
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5701
Published: 2014-10-20
Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search_string or (2) where parameter in a contacts action, (3) dept_id parameter in a departments action, (4) project_id[] parameter in a project ...

CVE-2012-5865
Published: 2014-10-20
SQL injection vulnerability in dispatch.php in Achievo 1.4.5 allows remote authenticated users to execute arbitrary SQL commands via the activityid parameter in a stats action.

CVE-2012-5866
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in include.php in Achievo 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the field parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.