Poll: Is compliance a greater priority than actual security in your organization? - Page 2

View Poll Results: What Live-CD toolkit(s) do you use?

Voters: 14 (multiple choice poll)
  • Auditor: 6 (42.86%)
  • Whoppix: 2 (14.29%)
  • Whax: 3 (21.43%)
  • Helix: 2 (14.29%)
  • PHLAK: 2 (14.29%)
  • Backtrack: 2 (14.29%)
  • nUbuntu: 1 (7.14%)
  • F.I.R.E.: 1 (7.14%)

Thread: Poll: Is compliance a greater priority than actual security in your organization?

  1. #11
    zencoder | AO Senior Cow-beller, Moderator | Join Date: Dec 2004 | Location: Mountain standard tribe. | Posts: 1,177
    Originally posted here by Spyder32:
        Compliance means that the requirements of the standard that's set are being met (or, like catch said, the procedure/policy). Now as long as those standards, procedures, etc. are being met and cover the important aspects of the policy on how things are run, then there shouldn't be much to worry about.
    BZZZZZZZZZ! Wrong answer, but thank you for playing! Hehe, sorry, overkill. But as you can guess I disagree.

    I know (reinforced by painful experience) that 'compliance' does not in and of itself = security. Phil Hollows at OpenService.com tends to state 'compliance != security' ad nauseam, and at first I balked when I read that, and wanted to call him some non-conformist hippie! But if you read his arguments, he makes a valid point (the one I am exploring with this Poll.) I don't agree with him 100%, but he has certainly reinforced some of my concerns with the compliance-culture in corporate America (side note: this can't be localized just to the US...what is happening in other countries in this area?!?)

    Phil's article.

    /* Edit follows */

    Ok, so to respond to Spyder32 I take issue mostly with the phrase "shouldn't be much to worry about" (I had to clarify that, since catch brought up the whole issue of ambiguity.) Compliance, IMHO, will bring you a certain degree of security. But to stand on the shoulders of 'compliance' and claim "We are Secure!" is foolhardy, at best; dangerous, really, especially in a for-profit organization. Compliance, like Security, is a vehicle, not a destination. Compliance (when properly instituted and followed) should help an organization keep their security efforts in check and in the right direction.

    Unfortunately, especially with publicly traded for-profit companies, compliance these days has received a lot more attention than security, particularly because (at least with some US regulations) it makes C-level executives personally and criminally liable. As in, go-to-jail liable. Thank you Enron and Arthur Andersen. Once compliance is achieved and you get that rubber stamp of approval, it gives many executives a reason to cap investment into security resources (financial, knowledge, and human investments).

    Alright, who disagrees and wants to tear me a new one?
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #12
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
        To see how "little" they require, you have to have an extremely confident and liberal point of view...or not.
    OK, I probably should have been clearer.....

    If I am competent and know the tools etc. already then many of the requirements are relatively trivial when it comes to the security issues. If, OTOH, I have never implemented any firewall other than ZoneAlarm on granny's PC then yes, the regulations might, indeed, seem to be a big problem for me. I spoke in terms of my level of knowledge etc. rather than in the broader terms I probably should have done.

        Monitoring depends on which regulations.
    Monitoring is easy.... Understanding what you see while you monitor is a tad more difficult... One can show an auditor a full time person watching log files go whizzing by and the auditor can assume, (after a couple of basic questions), that the person really is monitoring. But the reality may be that the person can't read English let alone a packet dump..... "Compliance" is there but it won't be long before a non-compliance event occurs....... At that point the company can show that they were in compliance the day before per the independent auditor and that nothing was changed. What then?

        HIPAA is by no means a cake walk, but it's easier not having to also worry about SOx and other reg's here in the U.S.
    HIPAA was a lot "easier" than I thought it would be. In fact, when I finally got the security regs I simply went down the list writing "exceeded" next to anything that appeared to be a "requirement"... But I'm a little different. For a start, with me, it's a territory issue aside from the fact that I have items of value in here... I have never wanted trespassers so I have always made attempts to keep them out.

    I think HIPAA, (and maybe my views are this way because I don't have to comply with the more stringent regulations - though I probably am doing by default), is, for a large part, there to educate the "small fry" out there, the organizations with 20-30 employees, (all social workers, medical workers or whatever), with no _real_ IT help or expertise. HIPAA brought things to their attention that they probably didn't understand when they read the regulations. This forced them to either learn about it themselves or to hire in someone to explain it to them and, in many cases, implement the requirements. That's where the benefit comes from and it's also a large part of the reason that the Feds don't audit organizations that require HIPAA compliance.

    OTOH, my organization may not be audited by the Feds specifically for HIPAA but we are audited by about 30 funding sources including Medicare, other fed agencies, state agencies, county agencies and independent funding sources every year. Believe me, we have to state or show our HIPAA compliance to them all.....

    I _firmly_ lean much further to the equation:-

    Security might = Compliance
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    RoadClosed | Senior Member | Join Date: Jun 2003 | Posts: 3,834
    This is kind of an unfair poll?

    What if you are a corporate leader group and you can go to jail, be incarcerated for failing to file proper accounting and to protect the integrity of the books. That's a nutshell simplification of the Sarbanes-Oxley Act; but what good is security over compliance when the company has the SEC (Securities and Exchange Commission) halting its stock trading or downgrading it to junk status or the company going bankrupt. To comply with the items in the act in effect increases security because you have to do things like provide some accounting oversight at the director level etc. It increases business/financial security?

    Now, my particular institution is regulated by several agencies like the SEC, in that they have the power to come in today and shut the door tomorrow. That is a high motivation factor to comply. With the doors closed and no incoming revenue that new firewall seems inconsequential. However having that new firewall could help compliance. It's a catch-22 or it's a relationship model in most cases.

    I have been around regulators a LONG time. I think what people are insulted with (at least me) is the fact that a poorly configured system with good documentation will fare better than a highly effective system with poor documentation, which will nip you in the buttocks every time. So the perception of compliance over security is seen by those implementing solutions. Meaning: compliance as a higher priority than physical/tangible controls. And it might be depending on your position within the organization and how "compliant" you already are in other risk areas.

    If the audit checklist has you at a high "compliance" risk then guess what; that will have a higher priority. It HAS to. You don't just toss up the IT security risks but you may be inclined to toss more resources at compliance. That brings up a point. I manage a different approach to risk and assign priorities to projects based on a formula. There has to be some method there. Not just a feeling of "what's fun to work on" and compliance is a factor.

    Pick an issue or task. Compliance Risk has to be its own weighted factor. In some cases it's not related to security as we geeks think of it at all, but many times it is. Therefore you can have a severe risk at compliance and a minimum IT Security risk. Which, according to analysis overall, is a risk that is more detrimental to the company as a whole. The big picture along with mitigating factors, controls etc. must be taken into account.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #14
    King Arana: Super Moderator | Join Date: Oct 2002 | Posts: 4,055
    Hehe, you are allowed to disagree Mr. zencoder However, with Compliance I firmly feel a little more secure. Fully? Somewhat, not all the way. I never feel 100% safe, however it helps.

    EDIT: Shouldn't be much to worry about. Not shouldn't be anything to worry about
    Space For Rent.. =]

  5. #15
    Banned | Join Date: Apr 2003 | Posts: 1,147
    You need to add a bullet to the poll that says something to the effect that Compliance and Security are equally ignored in my organization. That would fit in here best. Until the agency head is dragged off the property in handcuffs by the state gestapo for violation of security regulations and law, that will probably remain the status here.

  6. #16
    Member | Join Date: Dec 2003 | Posts: 97
    Sorry for the delay in my response,

    but what I'm really saying is that for my money, real security is more important. For my company's money, as long as they have plausible deniability, AKA "we had a policy, but someone didn't follow it," all is well.

    They want to be secure, but it costs too much. So, instead, they buy the illusion. To the shareholders, it looks just as good.

  7. #17
    zencoder | AO Senior Cow-beller, Moderator | Join Date: Dec 2004 | Location: Mountain standard tribe. | Posts: 1,177
    Originally posted here by Timmy77:
        For my company's money, as long as they have plausible deniability, AKA "we had a policy, but someone didn't follow it," all is well.

        They want to be secure, but it costs too much. So, instead, they buy the illusion. To the shareholders, it looks just as good.
    Poignant! That is kind of what I've been getting at here. And yes, I would think that most people here at AO (at least the salary-corporate-official-IT types) would agree which is more important to them personally.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #18
    Member | Join Date: Dec 2003 | Posts: 97
    ..but, of course, when their illusion of protection fails - typically in a manner you told them it would fail - you're still the one who pays the price. It just doesn't pay to be at the bottom of the management food chain.

  9. #19
    King Arana: Super Moderator | Join Date: Oct 2002 | Posts: 4,055
    In the long haul (at least for YOU as the IT man) it doesn't work out (playing by the scenario you stated, Timmy). It not only doesn't work out but it's wrong and is detracting from the company's sense of security (the meaning of it gets shattered).
    Space For Rent.. =]

  10. #20
    Regal Making Handler | Join Date: Jun 2002 | Posts: 1,668
    Don't comply. = business != viable business.
    ignore security = business != viable business.
    Boolean logic.

    I'd draw a truth table, but I suck at the philosophical stuff...............Sorry Zen, but that's how I see it.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
