[BreachExchange] Compliance is Not Synonymous With Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 24 20:03:34 EDT 2018


While the upcoming GDPR compliance deadline will mark an unprecedented
milestone in security, it should also serve as a crucial reminder that
compliance does not equal security. Along with the clear benefits to be
gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and
other regulatory bodies often comes a shift toward a more
compliance-centric security approach. But regardless of industry or
regulatory body, achieving and maintaining compliance should never be the
end goal of any security program. Here’s why:

Compliance does not guarantee security

It’s critical to remember that many—if not most—breaches disclosed in
recent years occurred at compliant businesses. This means that PCI
compliance, for example, has been unable to prevent numerous retailers,
financial services institutions, and web hosting providers from being
breached, just as the record-breaking number of healthcare data breaches in
2016 was suffered by HIPAA-compliant organizations.

Compliance standards are not comprehensive

In fact, this trend reinforces how compliance standards should be
operationalized and perceived: as thoughtful standards for security that
can help inform the foundations of a security program but are by no means
sufficient. The most effective security programs view compliance as a
relatively small component of a comprehensive security strategy.

While many compliance standards do provide valuable guidance in areas such
as data storage, user privacy, and breach disclosure, there are many more
critical areas that they do not address. Security awareness, business
continuity and penetration testing, employee education, and technical and
policy controls are only a few of many such examples. This is also why, as
I’ve written previously, it’s imperative to look beyond compliance when
evaluating third-party risk and conducting due diligence on prospective
vendors. Indeed, there’s a great deal that compliance information doesn’t
tell you about a business’s security posture.

For example, not all compliance bodies that enforce data storage standards
mandate encryption. HIPAA in particular recommends, but does not require,
that PHI stored electronically be encrypted. Just because a vendor for
electronic medical record systems (EMRs) is HIPAA compliant does not
automatically mean it encrypts the PHI it stores. The same goes for GDPR;
while it strongly encourages that user data be encrypted and penalizes
organizations that fail to safeguard user data effectively, it does not
enforce encryption. This trend is echoed in the standards enforced by
various other compliance bodies as well.

Threats evolve faster than compliance standards do

Adversaries—whether seeking new ways to identify zero-day vulnerabilities
or bypass the latest anti-fraud controls—are continually changing their
tactics, techniques, and procedures (TTPs) and resulting threats. These
rapid shifts are why getting ahead of the ever-changing threat landscape
requires a dynamic and iterative approach to security.

Such an approach, however, contrasts significantly with the static nature
of compliance standards and, as a result, compliance-centric security
programs. HIPAA hasn’t amended its security requirements since it issued
The Security Rule in 2003, despite the abundance of data breaches and
ransomware attacks that have since struck the healthcare industry and
compromised the PHI of millions of individuals. Updates to PCI standards,
though more frequent, are far outpaced by the speed with which the threat
landscape evolves. Although the implementation of European MasterCard Visa
(EMV) chip technology, for example, has helped reduce the prevalence of
payment card fraud, various other types of fraud—ranging from gift card
fraud to identity theft and tax fraud—have since increased.

Despite the fact that compliance standards should be but one component of a
larger security strategy, achieving and maintaining compliance remains a
burdensome and resource-intensive process. Factors ranging from strict
deadlines and implementation complexities to steep non-compliance penalties
are why, for many organizations, adopting a compliance-centric security
approach can seem like a reasonable and judicious decision. But above all
else, it’s crucial to remember that while many compliance standards do
provide clear and substantial security benefits, they are neither
comprehensive nor flexible enough to serve as the sole focal point of an
effective security program.