Risk
1/30/2014
01:30 PM
Tom Bowers
Commentary

Finding The Balance Between Compliance & Security

IT departments can reduce security risks by combining the flexibility of ISO 27000 with the stringent requirements of PCI. Here's how.

Comments
Marilyn Cohodas
User Rank: Strategist
1/31/2014 | 11:23:20 AM
Re: Take software providers to court?
That will definitely be something to watch for -- and probably not something that will be resolved quickly. If it's a protracted litigation that ends in a settlement, we might never find out. But then again, maybe it will be the game-changer that the industry needs to address these serious security issues. (I hope so!)
TomBowers1812
User Rank: Apprentice
1/31/2014 | 11:18:42 AM
Re: Take software providers to court?
The term "customer" refers to those retailers that use POS systems (e.g. - Target, Neiman Marcus, Michaels...). While unlikely to make headlines, I expect those retailers to file suit against their POS suppliers for not providing them secure POS systems and placing the retailer at risk.
Marilyn Cohodas
User Rank: Strategist
1/31/2014 | 11:02:28 AM
Take software providers to court?
By "customers of POS systems" do you mean consumer or retailers? And by legal action, do you mean stronger enforcement of compliance regs or something else?
TomBowers1812
User Rank: Apprentice
1/31/2014 | 10:58:10 AM
Re: Balance Security - compliance isn't the issue
Marilyn, the customers of POS systems and the government will need to put intense pressure on the POS companies to modernize. Unfortunately, this will likely happen through the courts, which means a slower response. If the government is loath to take health care software providers to court, I see it as even less likely that they will take POS providers to court.
Marilyn Cohodas
User Rank: Strategist
1/31/2014 | 10:53:02 AM
Re: Balance Security - compliance isn't the issue
Tom, if not government regs, what do you think it will take for organizations -- retail, healthcare and others -- to modernize POS systems? Apparently, the ROI of dealing with a breach (cost of bad publicity, identity theft, compromised data) is still tilted towards doing nothing.
TomBowers1812
User Rank: Apprentice
1/31/2014 | 10:20:34 AM
Re: Balance Security - compliance isn't the issue
Drew, I'd like to think that this will move point of sale (POS) systems to modernize... but I doubt it. I see great similarities with health care systems. The POS / health care software REQUIRES antiquated operating systems with full administrative privileges to run. I am familiar with a large warehouse store that only recently upgraded their POS from Windows NT to Windows XP. Some upgrade.
TomBowers1812
User Rank: Apprentice
1/31/2014 | 10:15:03 AM
Re: Balance Security - compliance isn't the issue
Andrew, I could not agree more that compliance is not true security. The harsh reality, however, is that as a CISO I must do both. I used 27000 as shorthand for the entire 27000 series. This article is driven by the need to implement both 27000 and meet PCI requirements. PCI is very black and white, inflexible and narrowly focused. By changing my organization's focus to see credit card data as another type of sensitive data, we are able to place PCI requirements in a more balanced context. Check box security (compliance) will NEVER be completely effective as it leaves gaps.
Drew Conry-Murray
User Rank: Ninja
1/31/2014 | 10:11:16 AM
Re: Balance Security - compliance isn't the issue
I think the single most important thing that might come from this breach is more urgency to overhaul the card processing system in the United States.
AndrewB871
User Rank: Apprentice
1/31/2014 | 8:10:19 AM
Balance Security - compliance isn't the issue
So often I read articles like this where compliance is compared with security. This is always going to be a pointless debate.

This article references 27000, which is actually the vocabulary document at the start of the series of security standards.

27001 references a management system. It's flexible, sure; you could have very few security controls and a well thought out risk assessment with the emphasis on risk acceptance. 27001 is FREQUENTLY mistaken for its control annex, which lists a lot of controls that are sensible to implement if the risks affect you.

27002 is a security implementation standard.

27005 is a risk assessment standard.

Problem: in MANY MANY business environments, there was NO security AT ALL before a compliance regime mandated it, either for a specific data type (PCI / HIPAA / SSNs etc.) or for the 'infrastructure'.

Flexibility swings both ways, and in a lot of business environments is code for 'what can we get away with not doing'. 

Most security standards that are enforced with a compliance regime are asking for the right things to be done. What then typically happens is the pre-compliance mentality of 'how little can we do' overrides the 'what happens if' questions.

I'm sure we will see some epic knee-jerk responses in relation to the recent breaches in the USA. Something that neither PCI nor an ISO framework would have prevented IF the business didn't commit to the appropriate controls OR decided they would accept the risk because, well, very few get published.

The single most important thing that happened was that these breaches have been published, which now makes the C-level community aware of the threats. Implementing the security frameworks should be focused around protection of the assets that are most valuable. Clearly in these instances mag stripe card holder data is still valuable.

As is lots of other data, so the businesses with that data in their custody must focus on keeping it safe. PCI is focused on card data; married with 27001 (a robust management system incorporating risk assessment and treatment) it is a very very strong pairing. The 27001 management system would capture why certain controls are implemented in certain ways, perhaps because a contractual requirement from PCI would apply or because the business is going to accept the risk. The difference with an ISO management system is it makes the risk-based decisions visible to all. This in itself forces accountability and can make people think twice before they say, 'well, I'm not going to fix that.' Especially if the risk register says the CxO said he's accepting that risk because of XYZ.
AmmarNaeem
User Rank: Apprentice
1/31/2014 | 2:10:42 AM
Security
Flexibility is the key to balancing compliance and security. With ERP, our organizations become more secure, more flexible and more integrated.