A law firm has just suggested that PCI DSS assessors may actually be liable if they give a firm a clean bill of compliance health before a breach. The article calls out points similar and complementary to those I made in May (that original piece is below this):
“With 12 broad requirements and more than 200 line-item requirements, many assessors are tempted either to check off a box confirming that the requirement has been met when it has not or to suggest a company buy a security device to satisfy the requirement.
Both of those options become problems. In the first scenario, a company has not met the requirement, leaving it vulnerable to compromises. In the second scenario, a company may end up spending thousands of dollars on a security device without the resources to manage and monitor it. So the device may put the company in a secure state for the moment, but over time without management and full-time monitoring, the device ends up not satisfying the requirement it was intended to meet.”
This is relevant to ANY compliance benchmark (SOx, NIST, HIPAA, Cyber Essentials, etc.), and if QSAs might be in the frame after a breach, how does that bode for other assessment bodies and internal audit functions?
Why does this look so broken? It is missing a critical ingredient – RISK. Effort needs to be directed at the bigger stores of more valuable data and at the portions of the estate more at risk due to usage, location, historical insecurity and complexity. Then you need to remove as much assessment from the annual burden as possible by establishing monitoring, the outputs of which need to be meaningfully fed into established governance meetings.
How many of you point and pick at security, switching focus between one budget period and the next (usually directed by the latest incident or media reported FUD)? You may be seeing consistent improvement in baseline security, but I’m willing to bet most of you don’t, despite periodic spend on heinously expensive security tools and consultants. The lack of integrated consideration of risk may well be why.
Should assessors be held legally liable? I would argue not. They are assessing using methods established by precedent in the QSA world and more generally in the world of big consultancies. Part of that is getting the job done within incredibly tight timescales.
In my opinion a finding that hasn’t been validated is a non-finding. But for every uptick in the proof you demand of control design adequacy and operating effectiveness, your assessment effort increases exponentially. Firms seen as gold-plating their work just won’t win contracts. The question is how far this has gone the other way. Exactly how “tick-boxy” and light touch have things got? If it’s gone too far, isn’t it the job of the acquiring banks to call out and question consistently poor assessment practice?
Not just that. Even the best defined control set in the world, complied to within an inch of your life, will not prevent all breaches.
To get the very best value out of what you do assess it is essential to integrate risk into scoping work. Pointing at the right targets is vital, but it is equally important to have a defensible justification for excluding controls or entities from scope.
This isn’t doing half a job. The acquiring banks have recognised that PCI DSS is floundering as a standard because of the assessment and compliance burden on companies. They have invited selective acceptance of some non-compliance depending on assessed risk. The question is, are you and your QSAs in a position to take advantage of that?
Original Post: Does compliance equal security?
Here Cryptozone’s blog looks at it from a vendor perspective, selling the benefits of their AppGate network-wide access platform. Access is an important but small part of the whole compliance picture. More to the point is this (strength of feeling pushed me to exercise my limited artistic skills, so apologies to any skilled graphic designers out there):
Compliance Without Risk Management Is Like Shoes Without Soles….
Having spent over a decade involved in some way with change security assurance, run the SOx system security testing effort for a division of a FTSE 100 firm and built a national supplier security governance service, I have very definite views on this.
True, there’s great confidence to be had from a relatively clean bill of health compliance-wise (or at least from evidencing robust treatment of discovered non-compliance for the first couple of turns of the handle). The challenge is that not all compliance benchmarks are created equal, and in order to run a maintainable, repeatable, credible compliance service it HAS to incorporate risk.
Let’s leave the question of controls scope on one side. People get bored of me talking about the ISO27k certificate that looked great and covered their whole company, but ONLY for physical security controls.
Risk assessments have to be done to understand the potential risk linked to one type of deficiency compared to another; for example, if you’ve got comprehensive joiners, movers and leavers processes there’s less risk if you don’t periodically revalidate all access. You also have to risk assess the entities in question (suppliers, sites, systems, processes, projects) to decide scope (who can resource assessing everything?) and to tie the overall risk to the type of deficiencies found. Then there are the platforms underpinning them, the security and network devices underpinning those, and the processes (access, incident, awareness management) that wrap around the whole thing. Risk is a matrix, not a straight line, and you need to grasp that picture of interactions and dependencies.
I guess I’m saying that compliance, if you make it a flat “tick box” exercise, will satisfy some of the people some of the time, but to be credible and foster long-term internal and customer confidence (plus get the business to sign off spend for pricey fixes or accept the risk of things that can’t be fixed), you’re always going to have to circle back to good, consistent ways to assess the associated risks.