Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

8/29/2014
02:07 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Why Are Security Pros Blas About Compliance?

A survey of 500 IT and security decision makers in the UK and US shows that a majority are in the dark about regulatory requirements for their business organization.

Regulatory compliance is often seen as an oppressive demand on an organization, something that must be adhered to because, well, it just has to be, rather than because it benefits the business.

For some IT and security professionals, it's tempting to view the importance of complying with regulatory rules on how to secure data as secondary to their own security measures. You know how to secure your organization's data better than a government agency, right?

The truth is that many regulation sets have very specific requirements around how data is stored and secured, making them very much a consideration for IT. In the US, the Sarbanes-Oxley Act (SOX) and Payment Card Industry Data Security Standards (PCI DSS) are a case in point.

SOX compliant? Not sure…
A recent IS Decisions survey of 500 IT decision makers in the UK and US sheds some light on the fact that a majority of IT professionals are in the dark about whether there even are regulatory requirements for their organization. A full 57% of respondents in the US "don't know" whether they are compliant with SOX or not.

SOX, as you probably know, applies to public companies and as such is designed to ensure the accuracy of financial data and combat fraudulent activity. It is quite specific about addressing one of the greatest security challenges, particularly for large organizations: insider threats.

Most US organizations are not publicly listed, so perhaps IT teams can be excused for not being sure about their SOX compliance. But firstly, SOX must be considered -- this is federal law. Though it doesn't apply if your business is not publicly listed, some awareness of its implications can't hurt.

Moreover, the sheer number of internal security breaches occurring in US businesses every day -- our research told us the number is more than 2,500 -- indicates that businesses of every size and financial status could benefit from being aware of these regulations and how they can protect sensitive data.

PCI: widely applicable, broadly ignored
On the other hand, PCI DSS applies to a far greater majority of businesses. The international regulatory standard around the storing, processing, and protection of credit card information applies to all businesses that take card payments, which is most businesses. Yet two-thirds of IT professionals are not sure if they are compliant or not, according to our research.

Despite the fact that the breach-stricken Target appears to have been approved as PCI compliant by the security firm Trustwave, a lawsuit filed against the two organizations claimed that the retailer was not entirely adherent to regulations. Though Target passed compliance testing in September 2012, according to the complaint, the auditors did notice some warning signs at the time, including a lack of network segmentation between card data and the rest of the corporate network. This suggests that, even though Target passed muster, compliance may easily have dropped off in the time before the breach occurred.

Though the lawsuit has now been dropped, the revelations and the fact that the huge breach of cardholder data occurred indicates that PCI compliance is not just a regulatory burden. It's not even a business "must." It's a minimum requirement. Further, it is not a requirement that must be met when the auditors are around; it must be an always-adhered-to standard. Yet two-thirds of IT professionals told us they don't even know if they're meeting those requirements.

Technology is just part of the solution
Like many of the aspects of tackling internal security, achieving compliance with regulations like SOX and PCI can seem insurmountable. Internal security and the related issue of insider threats has to be approached from a cultural perspective, with fundamental changes made to user education and attitudes.

We have seen that the results of failing to meet regulatory standards in examples like the Target case, and we know that the internal security breaches that these regulations are designed to combat are occurring on an astoundingly regular basis. What will it take for security teams to show less indifference toward compliance? Let's chat about that in the comments.

François Amigorena is founder and CEO of IS Decisions, a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. IS Decisions offers solutions for user access control, file auditing, server and desktop ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/28/2014 | 3:19:25 PM
Regulators
I just commented about this in a previous article. As you say in the article, many corporations just strive to be compliant. This is setting the bar very low and definitely doesn't ensure data saftey which has been delineated by the recent breaches. 

What needs to happen is that higher compliance and security measures need to become standards. If this is set as the minimal requirement than organizations will follow shortly behind. Its unfortunate, but unless stringent repercussions are in place. In seems that frivolous corporate America will continue to cut corners.

**Above is a generalized statement. Does not apply to all organizations.
Alison_Diana
100%
0%
Alison_Diana,
User Rank: Moderator
8/28/2014 | 2:28:06 PM
More Details Please
I'd love to know more about who responded to the studies. Focusing as I do on healthcare, many organizations don't have CSOs or CISOs, meaning there's no specific executive responsible for overseeing the overall security realm. That means they don't have a top-level exec partnerhing with chief counsel (inhouse or contract) -- and that means governance and compliance get shunted on to the CEO, COO, or other exec who has a gazillion other things going on. Since compliance involves a whole lot more than technology, it's important that ownership extends to someone who oversees security as a whole, not just tech.
<<   <   Page 3 / 3
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration &gt; Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...