The overall objective for security controls is to support the organization’s services and infrastructure by identifying risks, improving the security level, and enabling rapid detection and response to security attacks.
In practice, no organization can build and operate every security control against every cyberattack on its own. Consequently, a growing number of organizations adopt a hybrid model for their security controls: controls deployed on site or locally, in the form of people, process and technology, alongside cloud-based security controls.
In highly regulated industries such as financial services and healthcare, risk, regulatory and compliance requirements shape business value directly, so adopting a hybrid model for security controls carries compliance implications. The number of requirements these industries face, such as PCI DSS, SOX, HIPAA and many others concerning privacy and sensitive data, keeps growing, and each adds complexity, cost and operational overhead to the infrastructure. Cloud-driven security controls are therefore a natural choice for many organizations looking to reduce that complexity, cost and operational burden. However, moving controls to the cloud also creates new challenges in remaining compliant with these ever-increasing requirements.
Many compliance regulations impose specific requirements on the processing of personal information and on the use of cloud services for sensitive data. Organizations are required to ensure that their security policies, controls and IT systems remain compliant with these requirements. Selecting an adequate cloud-based security control for a given data set or application becomes a challenge when personally identifiable information (PII) is involved: organizations must assess whether PII will form part of the data processed in third-party cloud locations or data centers.
Furthermore, data may be stored and processed across different jurisdictions. While sharing data with a provider for security purposes, organizations must remain compliant with the laws that apply in each of those jurisdictions, and should confirm the related compliance requirements before choosing any particular cloud-based security control.
Organizations must also analyze the technical details behind each compliance requirement: for example, whether encryption and decryption will be performed inside or outside a particular jurisdiction, and where and how security data (alerts, logs, captured traffic) will be stored and handled. When traffic is decrypted externally, such as by a cloud-based inspection service, who has access to the decrypted data, and do the alerts and logs it produces themselves contain personal data? More importantly, in the case of a breach or data leakage, how will accountability between the organization and the provider be established, and who will bear the fines imposed by regulatory authorities?
Compliance and security are both critical when protecting sensitive data and infrastructure. However, organizations often have a false sense of security and consider their infrastructure secure simply because it is compliant. Compliance is better understood as a point-in-time snapshot of the state of the overall security controls.
Being compliant does not guarantee a secure infrastructure. Many organizations make security more complex by running separate programs for compliance and for security, which leads to overlapping solutions and adds significant expense to the overall organizational budget. Security initiatives should therefore not be driven solely by compliance; they should go beyond any particular set of compliance requirements, while the compliance and security programs remain tightly coupled so that compliance becomes an outcome of the security program rather than a parallel effort. This reduces cost, minimizes overlapping solutions and delivers a more effective security infrastructure.
Compliance and security complement each other in many respects. However, being compliant does not necessarily mean that an organization is covering every aspect of security required to protect its infrastructure: there have been significant, well-known breaches of companies that were considered "compliant." An effective security program integrated with an efficient compliance plan strengthens the overall security infrastructure and ensures compliance along the way.
Muhammad Waheed Qureshi, CISA, CIPP/IT, PCIP-PCIDSS, ITIL V3, Senior IT Security Specialist, MSc (IT Security) – KTH
[ISACA Now Blog]