When companies come to me because they want to draft a security policy, the first question I ask should be the most obvious one: “Why?”
It may seem like a simple question, but more often than not it is met with confusion, as if the answer were so obvious that it cannot be articulated. At other times, the answer is that they are simply compelled to have a security policy by law or regulation. But a bandwagon mentality or compliance pressure will not produce a successful security policy. Starting with the “why” is the most important step when crafting a security policy, and the answer to “why?” comes from a risk assessment.
A risk assessment is the effort to find out why you need this policy and what it should achieve. It determines the magnitude of the potential loss and the probability that the loss will occur; the risk is the combination of the two. For security, this means classifying information into separate levels of sensitivity, then identifying the ways each class of information could be compromised and estimating how likely each of those events is and how much it would cost the business.
It is neither possible nor sensible to protect all information, regardless of sensitivity, with the same maximum level of protection. And there is no cookie-cutter, one-size-fits-all approach to creating a security policy, since every business has unique risks and places different values on different kinds of information. This is why an individual risk assessment must be performed. Once the value of the information and the risk to it are known, a security policy can be crafted that protects each kind of information in proportion to its value and the risk unique to that organization.
The problem is that too much policy work is driven by compliance rather than need. Without first identifying the need (the “why”), a security policy is destined to miss its mark and be nothing more than a symbol of intent rather than a useful set of procedures.
By letting compliance alone dominate a security policy, you may live up to laws and regulations but remain vulnerable. Compliance has not saved many companies from data breaches, including the credit card processor Heartland Payment Systems, which suffered an unauthorized disclosure of 100 million credit and debit card transactions while certified as PCI DSS compliant.

You don’t need a sixth sense to detect when a fellow IT security pro is engaged in a hot project, like implementing a defense-in-depth strategy, rolling out a DLP tool, or running a penetration test where for 10 hours a day they get to role-play as a nefarious (but ethical) hacker. They spring out of bed without an alarm, their iPod rocks as they think about the project on the way to work, and they usually work while others sleep. And as they sense the success of the project is within reach, there is a gleam in their eye like Melvin Purvis knowing Dillinger will be at the Biograph Theater that night. Yes, that’s you. The details are different, but you act with the same focused purpose when you are engaged in a hot project.
Unfortunately, “productive you” has been dulled by the recession. You look at the clock. 9:03: your hot project lost its budget. 9:07: you start to feel like you’re just hanging out at the office, daydreaming about the receptionist or what you’re going to do this weekend. 9:13: “Will I be the next budget cut?” Or maybe you’re forced into endless, mindless maintenance and you begin to feel like the same worthless infinite loop that “victim you” is attempting to debug. Maybe you’ve become a cash cow and lost touch with the leading edge you once steered like a snowboard. If you resent, but resemble, this description, STOP. It’s time to wake up the “proactive you.”
Learn and grow. It even sounds healthy and positive, like water and sunlight to a plant. I’m not going to try to talk you out of investing in night school, but you don’t need money, homework, and someone else’s schedule to learn. There’s a lot of negativity about our current economy. Want a silver lining? There has never been a time when you and I could take advantage of as much free information for educational purposes as we can today. Think about it. “How would you like your free industry knowledge, miss? For here (seminar)? To go (white paper)? Or delivered into cyberspace (webinar)?”
Complimentary subject matter expertise and contributing back to the community are key foundational components of the Savid Technologies business model. In my Security Practice Manager role, I am deep into developing an immense library of IT security and compliance literature, and it’s already pretty solid. Savid’s Marketing team, in conjunction with our Web Development team, has created an easy and efficient self-service system for your convenience. Just check it out at www.savidtech.com. Look for new, relevant, and insightful information every month on technology, methodology, and industry metrics. On our website, you can also view the upcoming complimentary educational events or download our whitepapers. If what you are looking for is not there yet, just contact Kelly or Angela in Marketing (877-307-0444). They’ll hook you up with free industry knowledge, for here, to go, or delivered into cyberspace. I will also make time to discuss IT security with you. If I don’t know it, I will connect you with the right resources.
One last note: consider attending our monthly Chicago IT Security Meetup. The next meeting’s topic and registration can be found at http://www.meetup.com/The-IT-Security-Group-of-Chicago/. I gotta go now and finish my week’s work; I’ve got a long list of research topics for Saturday morning.

If you’re unhappy with the current Payment Card Industry Data Security Standard (PCI DSS), now is your chance to complain. The PCI Security Standards Council (PCI SSC) has announced a feedback period in which you have the opportunity to “provide detailed and actionable feedback in an effort to revise future editions of the Council’s standards to improve payment data security.”
You may air your grievances during phase two of the standards lifecycle, between July 1 and November 1. The Council is looking to hear from merchants, processors, financial institutions, and other key stakeholders, and I’m sure they are in for an earful. (Like how the only things you need to become a QSA in North America are $30k, a high school education, and four days of training.)
Many are unsatisfied with the “checklist” format of PCI compliance. They commonly point out how it shifts the goal from overall security and risk management to simply passing an assessment. Some requirements, such as configuration management, don’t seem to help security at all as they are written and assessed. PCI compliance should not be the goal; it ought to serve as a jumping-off point toward better security practices. But too many organizations either adopt a purely audit-based mentality or regard compliance as a frustrating burden.
Does the recent data breach at Heartland Payment Systems prove PCI DSS is useless? Maybe not, but it isn’t 100% effective either. Of course, nothing in security is. But does it even provide reasonable security and assurance?
There are some who call PCI DSS “security theatre.” (Like me!) It makes organizations put on a show of security that makes them feel safe but doesn’t actually reduce risk. Many organizations even perform their own self-assessments, and there is no incentive for them to report anything less than full compliance.
If you’ve got a bone to pick with the PCI SSC over these issues, you can use their online feedback tool to “proactively propose and discuss revisions to the next iteration of the Council’s standards.” But if you want to complain in person, you can attend their Community Meetings in Las Vegas or Prague.