Tell me if this sounds familiar. A major retailer had a system breach which resulted in the loss of credit card data for millions of consumers. A non-profit hospice had a laptop stolen which contained unencrypted records on hundreds of patients. A well-known social media platform had a breach which resulted in the loss of user IDs and passwords for millions of users.
You’ve heard these and similar stories many times over the past few months. What do all of these have in common? They were all considered “compliant” to at least one of the common security frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI-DSS).
Organizations place far too much emphasis on the compliance certification and not on the compliance process. The end goal should not be the piece of paper with a stamp of approval. We should be working diligently to identify our risks and working to mitigate the risks which are deemed a serious threat to the confidentiality, integrity or availability of our systems and data.
Proper risk management is an ongoing process. It doesn’t simply follow a checklist provided by an outside group. It takes into account the unique nature of each organization. While compliance programs such as HIPAA, PCI, FISMA and others are a great starting point, they can’t identify all areas of risk in our organizations. Only we can do that.
Proper risk management will always provide far greater security than any compliance checklist ever will.
Don’t have a risk management program?
If you don’t have a risk management program, start small and use the free resources such as NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, available at http://csrc.nist.gov.
This is a guest blog written by Dave Nelson, President of Integrity Technology Systems. Dave is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow with the Information Systems Security Association (ISSA). He has led technology organizations in both the public and private sectors.