
Security and Compliance – A Relentless Battle


The overall objective for security controls is to support the organization’s services and infrastructure by identifying risks, improving the security level, and enabling rapid detection and response to security attacks.

It is also true that, in practice, no organization can place all the security controls against every cyberattack by itself. Consequently, it is now a growing practice that many organizations leverage a hybrid model for their security controls. For example, organizations put in place onsite or locally deployed security controls in the form of people, process and technology, together with cloud-based security controls.

On the other hand, risk, regulatory and compliance requirements drive the business value of highly regulated industries, such as financial services and healthcare. Therefore, using a hybrid model for security controls in these industries raises compliance implications. For highly regulated industries in particular, the multitude of risk, regulatory and compliance requirements, such as PCI DSS, SOX, HIPAA and many others related to privacy and sensitive data, keeps increasing. This brings more complexity, cost and operational overhead to the infrastructure; consequently, cloud-driven security controls are a natural choice for many organizations to address complexity, cost and operational issues. However, this also creates new challenges in remaining compliant with ever-increasing requirements.

Many compliance regulations cover specific requirements on processing personal information and cloud compliance for sensitive data. Organizations are required to ensure that their security policies, controls and IT systems remain compliant with these requirements. Selecting adequate cloud-based security controls for specific data or applications can be a challenge when the data includes personally identifiable information (PII). Organizations must assess whether PII needs to be part of the data processed in third-party cloud locations/data centers.

Furthermore, data may be stored and processed across different jurisdictions. It is important that while sharing data for security purposes, organizations remain compliant with pertinent laws. While choosing any particular cloud-based security control, organizations should be aware of related compliance requirements.

Organizations must also analyze technological aspects of particular compliance requirements – for example, how encryption/decryption will be performed inside or outside a particular jurisdiction, and where and how the data (alerts, logs) will be stored and handled. While decrypting traffic externally, who will have access to that decrypted data? More importantly, in the case of a breach or data leakage, how will accountability be established and how will fines be paid that are imposed by regulatory authorities?

Compliance and security are critical when protecting sensitive data and infrastructure. However, organizations often have a false sense of security, and consider their infrastructure secured if they are compliant. Instead, compliance can be considered a snapshot of overall security controls.

Being compliant does not guarantee a secured infrastructure. Many organizations make security more complex by developing separate programs for compliance and security, which leads to overlapping solutions. This adds significant expense to an overall organizational budget. Hence, for strengthened security, security initiatives must not be driven by compliance, and should go beyond particular sets of compliance requirements. Compliance and security initiatives should be tightly coupled. This will reduce cost, minimize overlapping solutions and deliver effective security infrastructure.

Compliance and security complement each other in various aspects. However, being compliant does not necessarily mean that an organization is covering all aspects of security required to protect infrastructure. There have been significant known breaches of many companies that were considered “compliant.” An effective security program integrated with an efficient compliance plan will strengthen overall security infrastructure and ensure compliance.

Muhammad Waheed Qureshi, CISA, CIPP/IT, PCIP-PCIDSS, ITIL V3, Senior IT Security Specialist, MSc (IT Security) – KTH

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
