Poll: Is compliance a greater priority than actual security in your organization?


zencoder
June 27th, 2005, 03:50 AM
I've noticed a trend recently where compliance is being vilified for taking focus and priority away from Information Security for managers and executives. These decision makers see C-level executives with personal criminal liability outlined clearly in the 2002 United States Sarbanes-Oxley Act, and suddenly complying with the regulations becomes very important.

So the question of the poll is, does compliance (to any regulatory or industry standard) take precedence over _actual_ information security, or does compliance actually drive a broader understanding and support of security in your organization?

Boundless
June 27th, 2005, 12:05 PM
No, security and compliance are equally important.

My organization is only a dozen members strong, making both issues fairly easy to stay on top of. The issue of compliance vs. actual security standards changes greatly depending upon the size of your outfit.

To subsequent posters: If you don't mind volunteering the size of your entity, please do so for comparison's sake. Thanks!

zencoder
June 27th, 2005, 03:06 PM
Yes, compliance is more important than security
I am referring to my client, who I spend approx. 80% of my time working with and for. They have a strong security culture in a small focus, but it is not the rule company wide. Security is more of a forced-via-policy idea, rather than encouraged and supported through training.

However, being a Fortune 500 company with ~5000 employees, they are keen on compliance. The compliance officer (party responsible for tracking compliance reporting, and the official 'auditor hand-holder') is much more interested in the creation of reports for accountability with IA than in actual security.

catch
June 27th, 2005, 09:33 PM
The issue of compliance vs. actual security standards changes greatly depending upon the size of your outfit.
Not really. Think of a hypothetical where the two are mutually exclusive... which way do you go?

cheers,

catch

Timmy77
June 27th, 2005, 10:12 PM
I work for a Fortune 500 with 100,000+ employees, and I can say without reservation that the company guideline is that compliance (or any kind of written policy) is more important than actual security.

Tiger Shark
June 28th, 2005, 12:29 AM
Timmy:

So you are saying that as long as the policy says you need a firewall it's ok not to have one?

I understand that mindset - policy works where actual expenditure can still fail or be circumvented so why bother?

I believe the regulations are there to "encourage and educate" rather than "enforce" though flagrant disregard of the regulations is clearly punishable. Yes, the regulations tend to be written in a form that says "appropriate safeguards" which can mean anything to anyone - though it is appropriate to write them that way because of the diversity of risk that has to be addressed.

But let's face it... they are there... with a little "investigation", (can we say "risk assessment" that most regulations refer to in some way), it's pretty easy to determine how easy it is to far exceed requirements, document them and walk away "scot-free" after a "non-compliance issue" occurs.... mainly because your solution was "improperly monitored" which, for the most part, isn't addressed in the regulations.

Frankly, if you spend more than 15 minutes looking at the regulations they are usually pretty clear as to how "little" they require. They are aimed at those who blow them off and think "It'll never happen to me"

As we have seen in the last six months, those that don't properly try to address the regulations are more and more frequently having to publicly admit to their breaches as a public relations act to try to save face. The damage done to them in soft terms far exceeds the damage done in hard terms - Who's going to use the company that just lost the 40 million CC accounts in the next few years? The company is practically dead..... And the risk assessment told them... what?

My organization is small and requires HIPAA compliance.... I have 50-100,000 SSNs and their associated confidential client/medical/psychological data - I forget the "official" term for it right now - but I manage to far exceed the regulations for a total outlay of less than $7000 in hardware..... The rest is free less my time.... which is no more than an alert organization of my size should/would/could spend.

It's really very simple.... Without security there is no privacy. It can't be done - as Catch alludes to. You may feel that you can have all the requirements "down" without security but how do you know and how can you prove it if you have no auditability and assurance?

zencoder
June 28th, 2005, 02:09 AM
Timmy hasn't answered yet, but let me play devil's advocate for a few of these.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=268999#post846998) by Tiger Shark
So you are saying that as long as the policy says you need a firewall it's ok not to have one?
As far as I understand, most will say something like 'a properly configured firewall'. And no, it's not ok to have a policy that isn't being enforced. That's where IA comes in...you have to have the firewall (they will often want to see an active monitor/admin console for the device, "proving" it's in place), and a policy supported by documentation of a routine check of the firewall configuration and ruleset is done.

I understand that mindset - policy works where actual expenditure can still fail or be circumvented so why bother?
Agreed. Understand it too. But you have to choose your battles, I suppose. *sigh*

I believe the regulations are there to "encourage and educate" rather than "enforce" though flagrant disregard of the regulations is clearly punishable. Yes, the regulations tend to be written in a form that says "appropriate safeguards" which can mean anything to anyone - though it is appropriate to write them that way because of the diversity of risk that has to be addressed.
That depends entirely on the company, their corporate culture, their history...several factors. The more paranoid companies can be so overzealous to achieve the holy grail of "compliance" that they might just get some adequate security measures out of their efforts. ;) But you are right, many will (as I say in option #2) only pay lip service and do the bare minimum to achieve something that vaguely resembles compliance.

But let's face it... they are there... with a little "investigation", (can we say "risk assessment" that most regulations refer to in some way), it's pretty easy to determine how easy it is to far exceed requirements, document them and walk away "scott free" after a "non-comliance issue" occurs.... mainly because your solution was "improperly monitored" which, for the most part, isn't addressed in the regulations.
Monitoring depends on which regulations. SOx is pretty specific about a few points...or at least, my client has auditors that are pretty specific about documenting that monitoring activities are occurring. The truthfulness of those documentation reports is left to the imagination of the reader...

Frankly, if you spend more than 15 minutes looking at the regulations they are usually pretty clear as to how "little" they require. They are aimed at those who blow them off and think "It'll never happen to me"
I disagree. To see how "little" they require, you have to have an extremely confident and liberal point of view...or not. It all depends on perspective. That's the great thing about these standards...we have so MANY of them!!! :P Seriously, it will depend a lot on which auditor/assessor you use (internal or external), what you are trying to comply with (SOx, GLBA, Visa-Mastercard CISP/SDP/PCI, etc. ad nauseam), and how much your management is willing to invest (not just monetarily...man hours and training go a long way too.)

My organization is small and requires HIPAA compliance.... I have 50-100,000 SSNs and their associated confidential client/medical/psychological data - I forget the "official" term for it right now - but I manage to far exceed the regulations for a total outlay of less than $7000 in hardware..... The rest is free less my time.... which is no more than an alert organization of my size should/would/could spend.
Sounds very appropriate. This is not a publicly traded organization, I assume? Makes it a little easier on you...HIPAA is by no means a cake walk, but it's easier not having to also worry about SOx and other regs here in the U.S.

It's really very simple.... Without security there is no privacy. It can't be done - as Catch alludes to. You may feel that you can have all the requirements "down" without security but how do you know and how can you prove it if you have no auditability and assurance?
Well...I'm not sure I can completely agree with you and catch on that. I mean, he has the right idea with his reply, I won't contest that. However, I don't think it is possible to achieve compliance without some degree of security (even if it is not comprehensive). That is the point, at least in this forum it is. :) Compliance to regulations that require certain security activities, practices, and procedures; most of those activities and procedures revolve around accountability and auditing of proper security methodologies. If you pass compliance, you must be to some degree complying with the requirements. It may not be much, but it's better than the guy you mentioned with the "won't happen to me" attitude.

cashmoney
June 28th, 2005, 02:32 AM
If you pass compliance, you must be to some degree complying with the requirements.
I agree passing compliance means that you are at least providing the security that is required. It's funny how you can have a little non-compliance to get the funding to increase or upgrade your security.

catch
June 28th, 2005, 03:03 AM
Some vague terms, and Timmy being off his rocker, seem to have taken this thread to a very ambiguous place.

This is where much of the ambiguity comes from:
Compliance = Meeting the requirements as defined by a relevant standard, guideline, procedure, or policy.
Security = Totally vague. Typically "security" is related to the reduction of risk. If risk has been reduced to an acceptable level, something may be said to be "secure" (enough).

Now, by these terms clearly security is more important. How?

An organization is non-compliant to their internal policy, however a resulting loss is considered acceptable. This organization put security first and was lax on their compliance; had they been more strict on their compliance, it is safe to assume that the loss would not have increased, however their expenses would have. Potentially resulting in a situation where safeguards end up costing more than they are justified by the risk.

It isn't always this simple, for some organizations an instance of non-compliance may result in a total loss (no longer able to legally operate/serious lawsuits.)

In these instances although the logic of security being more important still applies, (because the lack of compliance boosts the risk) however compliance gets more direct attention so it could be considered to receive top priority even though it is done for security. ;)

End answer... compliance is a component of security.

cheers,

catch

Spyder32
June 28th, 2005, 04:47 AM
Timmy: You said how you belong to a large corporation. Could that possibly affect the policies on how your company runs its security measures/practices?

Compliance = Meeting the requirements as defined by a relevant standard, guideline, procedure, or policy.
Security = Totally vague. Typically "security" is related to the reduction of risk. If risk has been reduced to an acceptable level, something may be said to be "secure" (enough).

Co-sign. Security can mean anything and typically does.. it varies. Compliance means that the requirements to the standard that's set are being met (or like catch said, the procedure/policy). Now as long as those standards, procedures, etc. are being met and cover the important aspects of the policy on how things are run, then there shouldn't be much to worry about.

EDIT: End answer... compliance is a component of security.

Agreed again, that's the bare answer IMHO.

zencoder
June 28th, 2005, 02:11 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=268999#post847024) by Spyder32
Compliance means that the requirements to the standard that's set are being met (or like catch said, the procedure/policy). Now as long as those standards, procedures, etc. are being met and cover the important aspects of the policy on how things are run, then there shouldn't be much to worry about.

BZZZZZZZZZ! Wrong answer, but thank you for playing! Hehe, sorry, overkill. But as you can guess I disagree.

I know (reinforced by painful experience) that 'compliance' does not in and of itself = security. Phil Hollows at OpenService.com tends to state 'compliance != security' ad nauseam, and at first I balked when I read that, and wanted to call him some non-conformist hippie! But if you read his arguments, he makes a valid point (the one I am exploring with this Poll.) I don't agree with him 100%, but he has certainly reinforced some of my concerns with the compliance-culture in corporate America (side note: this can't be localized just to the US...what is happening in other countries in this area?!?)

Phil's article (http://www.openservice.com/blogs/2005/06/40-million-credit-card-hack-shows.jsp).

/* Edit follows */

Ok, so to respond to Spyder32 I take issue mostly with the phrase "shouldn't be much to worry about" (I had to clarify that, since catch brought up the whole issue of ambiguity.) Compliance, IMHO, will bring you a certain degree of security. But to stand on the shoulders of 'compliance' and claim "We are Secure!" is foolhardy, at best; dangerous, really, especially in a for-profit organization. Compliance, like Security, is a vehicle, not a destination. Compliance (when properly instituted and followed) should help an organization keep their security efforts in check and in the right direction.

Unfortunately, especially with publicly traded for-profit companies, compliance these days has received a lot more attention than security, particularly because (at least with some US regulations) it makes C-level executives personally and criminally liable. As in, go-to-jail liable. Thank you Enron and Arthur Andersen. Once compliance is achieved and you get that rubber stamp of approval, it gives many executives a reason to cap investment into security resources (financial, knowledge, and human investments).

Alright, who disagrees and wants to tear me a new one? ;)

Tiger Shark
June 28th, 2005, 04:01 PM
To see how "little" they require, you have to have an extremely confident and liberal point of view...or not.

OK, I probably should have been clearer..... :o

If I am competent and know the tools etc. already then many of the requirements are relatively trivial when it comes to the security issues. If, OTOH, I have never implemented any firewall other than ZoneAlarm on granny's PC then yes, the regulations might, indeed, seem to be a big problem for me. I spoke in terms of my level of knowledge etc. rather than in the broader terms I probably should have done.

Monitoring depends on which regulations.

Monitoring is easy.... Understanding what you see while you monitor is a tad more difficult... ;) One can show an auditor a full time person watching log files go whizzing by and the auditor can assume, (after a couple of basic questions), that the person really is monitoring. But the reality may be that the person can't read English let alone a packet dump..... "Compliance" is there but it won't be long before a non-compliance event occurs....... At that point the company can show that they were in compliance the day before per the independent auditor and that nothing was changed. What then?

HIPAA is by no means a cake walk, but it's easier not having to also worry about SOx and other regs here in the U.S.

HIPAA was a lot "easier" than I thought it would be. In fact, when I finally got the security regs I simply went down the list writing "exceeded" next to anything that appeared to be a "requirement"... :cool: But I'm a little different. For a start, with me, it's a territory issue aside from the fact that I have items of value in here... I have never wanted trespassers so I have always made attempts to keep them out.

I think HIPAA, (and maybe my views are this way because I don't have to comply with the more stringent regulations - though I probably am doing by default), is, for a large part, there to educate the "small fry" out there, the organizations with 20-30 employees, (all social workers, medical workers or whatever), with no _real_ IT help or expertise. HIPAA brought things to their attention that they probably didn't understand when they read the regulations. This forced them to either learn about it themselves or to hire in someone to explain it to them and, in many cases, implement the requirements. That's where the benefit comes from and it's also a large part of the reason that the Feds don't audit organizations that require HIPAA compliance.

OTOH, my organization may not be audited by the Feds specifically for HIPAA but we are audited by about 30 funding sources including Medicare, other fed agencies, state agencies, county agencies and independent funding sources every year. Believe me, we have to state or show our HIPAA compliance to them all.....

I _firmly_ lean much further to the equation:-

Security might = Compliance

RoadClosed
June 28th, 2005, 05:00 PM
This is kind of an unfair poll? :D

What if you are a corporate leader group and you can go to jail, be incarcerated for failing to file proper accounting and to protect the integrity of the books. That's a nutshell simplification of the Sarbanes-Oxley Act; but what good is security over compliance when the company has the SEC (Securities and Exchange Commission) halting its stock trading or downgrading it to junk status or the company going bankrupt. To comply with the items in the act in effect increases security because you have to do things like provide some accounting oversight at the director level etc. It increases business/financial security?

Now, my particular institution is regulated by several agencies like the SEC, in that they have the power to come in today and shut the door tomorrow. That is a high motivation factor to comply. With the doors closed and no incoming revenue that new firewall seems inconsequential. However having that new firewall could help compliance. It's a Catch-22 or it's a relationship model in most cases.

I have been around regulators a LONG time. I think what people are insulted with (at least me) is the fact that a poorly configured system with good documentation will fare better than a highly effective system with poor documentation, which will nip you in the buttocks every time. So the perception of compliance over security is seen by those implementing solutions. Meaning: compliance as a higher priority than physical/tangible controls. And it might be depending on your position within the organization and how "compliant" you already are in other risk areas.

If the audit checklist has you at a high "compliance" risk then guess what; that will have a higher priority. It HAS to. You don't just toss up the IT security risks but you may be inclined to toss more resources at compliance. That brings up a point. I manage a different approach to risk and assign priorities to projects based on a formula. There has to be some method there. Not just a feeling of "what's fun to work on" and compliance is a factor.

Pick an issue or task. Compliance Risk has to be its own weighted factor. In some cases it's not related to security as we geeks think of it at all, but many times it is. Therefore you can have a severe risk at compliance and a minimum IT Security risk. Which, according to analysis overall, is a risk that is more detrimental to the company as a whole. The big picture along with mitigating factors, controls etc. must be taken into account.

Spyder32
June 28th, 2005, 05:44 PM
Hehe, you are allowed to disagree Mr. zencoder ;) However, with Compliance I firmly feel a little more secure. Fully? Somewhat, not all the way. I never feel 100% safe, however it helps.

EDIT: Shouldn't be much to worry about. Not shouldn't be anything to worry about ;)

rapier57
June 28th, 2005, 05:54 PM
You need to add a bullet to the the poll that says something to the effect that Compliance and Security are equally ignored in my organization. That would fit in here best. Until the agency head is dragged off the property in handcuffs by the state gestapo for violation of security regulations and law, that will probably remain the status here.

Timmy77
June 28th, 2005, 08:42 PM
Sorry for the delay in my response,

but what I'm really saying is that for my money, real security is more important. For my company's money, as long as they have plausible deniability, AKA "we had a policy, but someone didn't follow it," all is well.

They want to be secure, but it costs too much. So, instead, they buy the illusion. To the shareholders, it looks just as good.

zencoder
June 28th, 2005, 09:20 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=268999#post847156) by Timmy77
For my company's money, as long as they have plausible deniability, AKA "we had a policy, but someone didn't follow it," all is well.

They want to be secure, but it costs too much. So, instead, they buy the illusion. To the shareholders, it looks just as good.

Poignant! That is kind of what I've been getting at here. And yes, I would think that most people here at AO (at least the salary-corporate-official-IT types) would agree which is more important to them personally.

Timmy77
June 28th, 2005, 09:44 PM
..but, of course, when their illusion of protection fails - typically in a manner you told them it would fail - you're still the one who pays the price. It just doesn't pay to be at the bottom of the management food chain.

Spyder32
June 28th, 2005, 10:03 PM
In the long haul (at least for YOU as the IT man) it doesn't work out (playing by the scenario you stated, Timmy). It not only doesn't work out but it's wrong and is detracting from the company's sense of security (the meaning of it gets shattered).

jinxy
June 28th, 2005, 10:37 PM
Don't comply. = business != viable business.
Ignore security = business != viable business.
Boolean logic.

I'd draw a truth table, but I suck at the philosophical stuff...............Sorry Zen, but that's how I see it.

Tiger Shark
June 28th, 2005, 11:37 PM
I guess to answer the question for my case alone it's interesting to look at my supervisor history and make analogies from that. Thinking about it, it might shed some light on the managers others have to deal with.

My first supervisor was the CEO. There was the obvious period of "trust building" that took place on both sides but once the CEO understood 2 things about me I was given more or less free rein and my decisions and my input were carefully considered in the "big picture". The two things were quite simple really..... I have a grasp of my subject and a grasp of their impact on the organization and that I always do what is best for the organization.

Then a decision was made to reorganize the structure of the organization to reflect a more corporate environment. In doing so they hired in a CFO and placed my department under him....

My second supervisor was the CFO and this was a mess. His basic lack of competence was reflected in his distrust of everyone. This manifested itself in the fact that no individual could tell him anything about anything. It all had to go to committee where he made copious notes and the committee made the decision. By managing in this fashion he avoided actually making a decision and if a decision were made that went wrong he would go to the file, pull out the notes and show that the decision was not his but rather that of the committee. This "method" also served to "choke" everything making decisions take weeks or months rather than minutes or days. I cannot imagine the process of HIPAA compliance if he had been there to give "input".... We'd still be reading the regs rather than acting upon them.

After 18 months of this gentleman I went to the CEO and, to all intents and purposes, told her it was him or me..... (Remember: He was still in the "trust building" phase that I passed several years previously.... ;)). After a three way meeting where I demonstrated the harm he had done to the organization in such a way that he could only stare past the CEO's head and say nothing - yes, I can be a formidable opponent if you piss me off and harm my department or organization - he saw the crayon on the wall and resigned.... I believe the resignation wasn't _entirely_ voluntary but that's none of my business.... my job was done.

My third and current supervisor was a director that became the COO in the reorganization. Consequently, I had worked with her for ten years or more so we were familiar with each other, trusted each other and actually have a good personal relationship too.... I call her "Dear", (in the "wifely" sense), when we speak.... ;)

I think the key item in my experience is trust. Management has to trust your subject ability, your business ability and your commitment to the organization. In many cases you also have to be able to trust the managers too. You won't always get your way, (hell, even I lose a few), but it's the dialogue between intelligent individuals that results in a "sane" resolution.

There's also got to be the feeling from the manager's POV that when you suggest something that it has been well researched, it will do what you say it will and that it is more cost effective than any other possible solution. Cost effective can be a "moving target" - it may cost less in initial outlay but take 50 man hours a week to manage... Obviously that's not good and your managers will always question the cost effectiveness and ask questions you never thought of.... You have to have the answers right there and show that you have considered _their_ potential reservations... Do it enough and they stop asking the questions... Except those that shouldn't be there in the first place.

With some managers you will have to write a 50 frame powerpoint and spend 3 hours selling the "product". With others you will be able to walk in to their office and say "Boss, for <insert regulatory requirement here> we need to do this costing this" and it will pretty much be accepted. Eventually the "50 frame powerpoint" manager will come around.... or not.... If it's "not" then it is time to move on if you have the skill set and business understanding to do so. Frankly, if you don't, then the manager is right when he over-rides your decisions.

So... Having gone waaaay off topic, (in a way), the point of the whole post is that good managers trust their employees ability in their field and when you "suggest" something regarding the compliance issue it will, (at least), be seriously considered. Bad ones don't. If you find yourself with the ability to make informed decisions yourself with regard to regulatory compliance with a manager that doesn't listen/trust and you might find yourself liable somehow then you have only one choice..... Get Out Now...... Before you find yourself prostrated in front of a jury of your "peers" that can barely check their own email.....

Am I living in a "special" environment? Maybe. Am I competent to give the advice I do for the level/size/potential risk to my environment? Absolutely.....

rapier57
June 28th, 2005, 11:51 PM
Actually ... very good, Tiger. Bravo!

You, at least, are surviving in a very dangerous, volatile environment. These are the kinds of insights the newer folks should read, heed and take to heart.

zencoder
June 29th, 2005, 12:20 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=268999#post847171) by Timmy77
..but, of course, when their illusion of protection fails - typically in a manner you told them it would fail - you're still the one who pays the price. It just doesn't pay to be at the bottom of the management food chain.

Sure it does! Tiger, myself, and the likes of us call that job security. You just have to dot your i's, cross your t's, and DOCUMENT EVERYTHING.

Jinxy, don't be sorry. Your input is actually helping form my official position, and you have made valid points. I don't HAVE any good answers. I think that if one thing has been made clear in this discussion, it is that sometimes compliance will take a higher priority to security, sometimes not, they can and should often be mutually exclusive (thanks catch), and no one scenario is always right. A difficult truth for us professionals is, sometimes, compliance with 'less' security is the better overall business decision. We call that risk management (at least in one sense it is.)

As a dyed-in-the-wool Unix SA-turned Security Engineer, I want to stuff the auditors in a cramped wiring closet and go home for the weekend. My personal preference would be technical and operational security over some regulatory statement every time. But I don't have to answer to the same stakeholders that my boss does...at least not directly. ;)

Boundless
June 29th, 2005, 04:46 AM
Could it also be that because this forum is security focused that we tend to have a hypercritical view of the shortcomings within our organizations? Or is everyone else out there in the corporate world just blind to the threat that is out there? Perhaps the truth lies somewhere in the middle?

In the end I'd put my vote down for placing more emphasis on actual security rather than enforcement. Human behavior has a long-term history of disobedience when dealing even with the simplest of requests. (Why do we speed on the freeway even though we know it is dangerous)?

There is no substitute for real-time, proactive security measures. Ignore this cold, hard fact and you'll have to play damage control soon after. Perhaps this viewpoint is rather cynical, but better safe than sorry when protecting your infrastructure.

RoadClosed
June 29th, 2005, 04:56 PM
We live in a parallel universe Tiger. Organizational change is necessary, but I have survived and continue to work for the CEO. Although due to compliance pressure, get this - we are FORCED to have committees make the decision. In the view of those overseers, 5 people making a decision versus 1 person assumes less of a risk should it fail to pan out. HUH? I see the logic if one could fill the room with technical minds and when it comes to hardcore software development I would agree. But participating in a room filled with minds that get bored with the mere mention of "internet filter" is problematic to another topic... the faulty and often illogical mindset of auditors running off the "trends" of circa 1998. That is when most of our compliance regulations were drafted.

So until my power is removed, I drive IT business strategy and bring the decision to a committee after money is spent and implementation is complete. They happily sign off because they are not forced to undergo the cost benefit analysis or detailed technical diagrams which I can happily display for hours at a time. Having this committee has definitely relieved some compliance pressure though. They like to see some internal "oversight" for IT regardless of whether the substance is beneficial. In that respect compliance is just fluff to toss at a bean counter.

So to share some internal rambling... compliance and security collate into risk management as many have introduced. In fact the mere presence of a good risk management strategy will guide compliance. In my opinion it is the heart and soul of compliance both external and internal to your company's own policies. In fact IT Risk is one small category that falls under the umbrella of Business Risk. That is risk to the organization regardless of the origination. Once we understand that, and shift focus away from our IT closets (we love our closets) new doors open up and IT becomes a critical process in management.

RC's Copyrighted Business Risk Factors:

Financial Risk
Operational Risk
Strategic Risk
Regulatory/Legal Risk

I am leaving out a lot of the scoring formula but you can get a picture of the overall business risk process. Let's pick a task and assign a level of impact on a scale of 0 to 3, 3 being highest impact and 0 being no impact...

IT Risk Factor: Desktop Management and Support

Financial Risk: 2
Operational Risk: 2
Strategic Risk: 0
Legal/Compliance Risk: 0

Business Risk Factor: 4 (add ‘em up)
Potential For Change: 1.25 (hey things change, add it in. Items with a high potential of change have a higher number that increases the risk weight)


As you can see, if we took a task risk like Compliance it could have a higher risk rating than a specific IT Security risk item. It could affect the overall business strategy and legal risk. Ok, let's pick one:

IT Risk Factor: Business Continuity Planning (not security at all!)

Financial Risk: 3
Operational Risk: 3
Strategic Risk: 0
Legal/Compliance Risk: 2

Business Risk Factor: 8
Potential Change Factor: 1

Now would I spend money on desktop support or business continuity planning? Security or Compliance?
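The scoring scheme RoadClosed sketches above (four impact factors scored 0 to 3, summed into a Business Risk Factor, with a "Potential for Change" number that raises the weight) can be turned into a small ranking routine. The code below is an added example, not RoadClosed's own formula or any tool from the thread: the post leaves out most of the scoring details, so it assumes the change factor is applied as a multiplier on the summed score, and the third and fourth items (a regulatory-reporting task and a firewall rule review) are constructed to show a compliance item outranking a specific IT security control.

```python
"""Rank IT tasks by a business-risk score.

Added example modelled on the four-factor scoring in the post above.
Assumption (not stated in the post): Potential for Change multiplies the
summed Business Risk Factor. The two items from the post are reproduced;
the other two are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# The four business-risk factors named in the post, each scored 0..3.
FACTORS = ("financial", "operational", "strategic", "legal_compliance")
MAX_IMPACT = 3


@dataclass
class RiskItem:
    name: str
    scores: Dict[str, int]          # factor -> impact, 0 (none) .. 3 (highest)
    potential_for_change: float = 1.0

    def __post_init__(self) -> None:
        # Reject unknown factors, missing factors and out-of-range impacts,
        # so a typo in a scorecard cannot silently skew the ranking.
        if set(self.scores) != set(FACTORS):
            raise ValueError(f"{self.name}: expected factors {FACTORS}")
        for factor, impact in self.scores.items():
            if not (0 <= impact <= MAX_IMPACT):
                raise ValueError(f"{self.name}: {factor} impact {impact} not in 0..{MAX_IMPACT}")
        if self.potential_for_change <= 0:
            raise ValueError(f"{self.name}: potential for change must be positive")

    def business_risk_factor(self) -> int:
        """'Add 'em up': the plain sum of the four impact scores."""
        return sum(self.scores[f] for f in FACTORS)

    def weighted_risk(self) -> float:
        """Assumed weighting: summed factor scaled by potential for change."""
        return self.business_risk_factor() * self.potential_for_change


def rank(items: List[RiskItem]) -> List[RiskItem]:
    """Highest weighted risk first; ties broken by name for a stable report."""
    return sorted(items, key=lambda i: (-i.weighted_risk(), i.name))


def report(items: List[RiskItem]) -> str:
    """Plain-text table of the ranking, suitable for a committee hand-out."""
    lines = [f"{'Task':<36}{'BRF':>5}{'PfC':>6}{'Weighted':>10}"]
    for item in rank(items):
        lines.append(f"{item.name:<36}{item.business_risk_factor():>5}"
                     f"{item.potential_for_change:>6.2f}{item.weighted_risk():>10.2f}")
    return "\n".join(lines)


# Items from the post.
DESKTOP = RiskItem("Desktop Management and Support",
                   {"financial": 2, "operational": 2, "strategic": 0, "legal_compliance": 0},
                   potential_for_change=1.25)
BCP = RiskItem("Business Continuity Planning",
               {"financial": 3, "operational": 3, "strategic": 0, "legal_compliance": 2},
               potential_for_change=1.0)

# Constructed items (not from the post): a compliance task and a specific
# IT security control, to show how the weighting can order them.
REG_REPORTING = RiskItem("Regulatory reporting controls",
                         {"financial": 1, "operational": 1, "strategic": 2, "legal_compliance": 3})
FW_REVIEW = RiskItem("Firewall ruleset review",
                     {"financial": 1, "operational": 2, "strategic": 0, "legal_compliance": 1})

SAMPLE_ITEMS = [DESKTOP, BCP, REG_REPORTING, FW_REVIEW]

if __name__ == "__main__":
    print(report(SAMPLE_ITEMS))
```

Running the block prints the four tasks ordered by weighted risk; the business-continuity item from the post comes first, the constructed compliance task second, and the two items that are closer to day-to-day IT security trail behind, which is the point RoadClosed makes about compliance risk being its own weighted factor.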