
As a start to 2012, I wanted to share my thoughts on a topic of great interest to me - compliance. To start the discussion, I thought it would make sense to lay down a base line. This post covers the “What and Why” of compliance.

First question most people ask: What exactly is “Compliance”?
Wikipedia says: “In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.” When most people think about compliance, they think about laws or regulations like HIPAA, PCI-DSS, PA-DSS, SOX, GLBA and many of the myriad acronyms out there that make most auditors happy and most business folks delirious. There are also “frameworks” like the Common Security Framework, ISO2700X, CoBIT, ITIL.

What is a (compliance) framework? It’s an architected system of policies, controls and objectives designed to keep your business units out of trouble, operating securely and cost effectively. It should adequately measure risk and measure effectiveness, keep constituents aware and stay up to date, since risk changes.
It’s typically called an Information Management System or Information Security Management System in the context we’re using here.

I read “compliance” as: understanding the risk your line of business brings to the market and the company; building reasonable, scalable and extensible policies to educate the constituents; and applying appropriate (risk- and cost-based) controls to limit, defer or mitigate said risks. Above all, it also means following them! Don’t do the “check box” exercise that breeds more compliance work. Due diligence is required… can your company define the risk, can it reasonably control it, does the control scale, is it enforced?

Other items to consider: industry, state and country regulations wherever you do business. You need to be aware of them, since ignorance is not protection against the laws and requirements; it can be considered negligence and in some jurisdictions will increase fines and penalties.

Examples: We mentioned PCI-DSS, an industry-specific group of requirements that controls how credit card data is used and what happens when it’s not used correctly; this is a global industry requirement. California has SB1386, a law stating that if you’re breached, you must notify those affected who live in the State of California (40+ US states have similar laws). The UK has the Data Protection Act of 1998, which covers what data can be stored, how it should be protected (read the amendments) and what happens when it’s not followed.

Next question most people ask: Why do we have compliance?
Well, sadly, I can’t go to Wikipedia to check that one. I can only give the answer that we’ve seen over our careers. Penalties happen when the business units are not adequately measuring or managing risk and the “great unwashed masses” are affected in some way. Compliance should be voluntary, but sadly, it often affects the bottom line and will (but should not) be ignored until the penalties are accrued. I say this because, in the first QSA class I attended, the instructor said that most of the level 2-4 merchants he audited typically had no firewalls or IPS protection in place. This was Dec 2006! I found the same to be true for application security testing, user privileges and network segmentation.

Example: PCI-DSS came about because smaller businesses (and large ones) were not protecting credit card data; the bad guys decided they were easy targets and got hold of millions of records, costing third parties billions to create new cards/accounts, track down fraudulent charges and write them off (there are lots of other costs; this is not exhaustive).

I am sure you can find data breaches that correlate to every compliance issue listed in this blog. Feel free to comment on them or add other “compliance issues” in the comments.

To summarize, once understood, “compliance” isn’t scary, overwhelming or a check box. Avoid Fear, Uncertainty and Doubt. Be proactive and educational. Adhering to policy and practicing control should be an enabler to secure business against known risk and understood threats, mitigating, deferring or in some instances accepting risk. It’s a way of doing business that the business sponsors need to be aware of.

Happy New Year!



Comments (1)

chad | February 13, 2012 11:59 am

hi john,

i think you do a great job of starting and framing a discussion about compliance, and to build on that i think we should note that there is no hyphen in PCI DSS.

