[ISN] 10 Symptoms Of Check-Box Compliance

From: InfoSec News <alerts_at_private>
Date: Wed, 9 May 2012 00:24:52 -0500 (CDT)

By Ericka Chickowski
Contributing Writer
Dark Reading
May 07, 2012

Security and risk pundits have long lamented the practice of going 
through the motions just to satisfy security regulations and standards 
like PCI, SOX, and HIPAA. Phoning it in may keep the auditors in check, 
but it won't mitigate the risks of attack. According to security and 
compliance experts, the following are some of the telltale signs that an 
organization is falling into the trap of check-box compliance.

1. Arguing over which standards are best.

Check-box-oriented organizations tend to get caught up in the regulatory 
minutiae so that they can't see the forest for the trees.

"Some organizations claim that they take the best of various policies 
and then go to work on a 'deeper policy,'" says Ron Gula, CEO and CTO of 
Tenable Network Security. "However, if you look closer at these sorts of 
things, they often target the union of various compliance standards and 
not the aggregation of all checks."

2. Losing sleep over an audit.

"If you are losing sleep about passing an upcoming security audit, 
you've got the check-box compliance disease -- and it's probably rampant 
in your organization," says Lamar Bailey, director of security research 
and development for nCircle.

As he puts it, security standards are the point of embarkation for the 
risk-management journey. They're not meant to be the end-all, be-all for 
securing an organization. They just get you started. Organizations that 
have a hard time even satisfying these beginner requirements should lose 
sleep over how insecure their systems are, not whether the auditor will 
break out a rubber stamp.

"These standards are like training missions in video games: They can 
help you acclimate, but they in no way represent the real game," Bailey 
says. "If you can't pass them with two hands tied behind your back, you 
need to quit and find another game."

