Kevin Beaver writes about how the business continues to choose compliance over true security even though we (the security people) know that it’s a bad idea. He makes the following comment:
Those of us in infosec circles know these dangers haven’t changed but management keeps on chugging along as if it doesn’t really matter in the grand scheme of things.
Maybe it doesn’t…?
Well, I don’t think that Kevin believes that it doesn’t matter. He just seems to have reached a point where he doesn’t understand why this keeps happening.
I have a few theories that I want to share with you.
- Those of us who do understand are still not doing a good job of translating the danger into a language that the business understands.
- We don’t understand the business well enough to realize that the cost/benefit trade-off isn’t compelling enough for management to buy. They would rather accept the risk, take the chance and deal with the consequences.
- There is no guarantee that Security X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.
- Compliance still makes the Auditor happy and we all know that when Audit isn’t happy nobody is happy.
There are other theories and reasons for this phenomenon, and I invite you to share yours in the comments. To answer the question of whether or not it matters: I think that it does. It matters because just doing enough to get by is wrong in lots of ways.
- It’s putting short-term benefits over long-term ones.
- It’s telling the world that our standards aren’t really that high and that we only care about what looks good.
- It’s creating issues that go way beyond us and the here and now.
- It affects lots of “innocent” people.
This is the kind of attitude that has gotten us into the mess that we are in with the economy, housing and even the BP oil spill in the Gulf. It’s this type of attitude that has brought down companies such as Enron, Arthur Andersen and MCI, and it is going to bring down many more. I’ll stop here before I get on a soap box.
One of the problems with policy is that the intended message and the delivered message are often not the same. The business develops policy based on lots of different factors: regulation, business needs, company culture, security, usability, etc. In a perfect world policies are crafted with input from many different lines of business (LoBs) and run through legal, HR, and user groups. They then get approved and put into practice at work. That is where the problem often begins. Once they are approved, they are ignored. Not always purposefully, but inadvertently. Someone sends out a notice to let everyone know that a new or updated policy is now in place and that they should read it and become familiar with it.
Then everyone goes on their merry way, and no one outside the group that wrote the policy knows what it says. Sure, they have an idea because of the summary given in the announcement, but that is about it for most people. Then something happens and someone is allowed to ignore the policy, or maybe just to “alter” or “reinterpret” it. Take the situation that occurred when police officers were allowed to get around a policy that said they were not to use their department-issued communication devices for personal use. Instead of enforcing the policy, their supervisor (or someone) said that they could use them for personal use as long as they paid for any overages incurred. This went on for a while until someone reviewed some messages that were sent and an officer was disciplined for what was in the message. This is where another part of the policy comes into play. You see, officers were also told that policy stated there should be no expectation of privacy when using department-supplied equipment. Yet the officer felt that since he was paying for his personal messages, they should be private.
You may think that this is pretty clear cut: the officer is wrong, the policy was clear and his discipline should stand. The problem is that the enforcement of the policy was not consistent with the intent of the policy, and officers were allowed to ignore policy. In other words, the message was not the message. What was intended and what was enforced were not the same, and therefore the policy is weakened and possibly useless. There was no consistency between the intent and the implementation of the policy.
The team at Information Nation has a quick write-up on this that is worth the read, if for no other reason than it reminds us of the importance of consistency in how we apply policy. I think the bigger message is that there has to be a more concerted effort on the part of the company to ensure that policies are understood, applied and enforced. The cycle of creating, announcing and forgetting has to end, or we might as well quit creating them. We can use our time deploying firewalls and AV. All we really need.