Compliant Does Not Equal Secure, Just Ask [Insert Company Name Here]

Tell me if this sounds familiar. A major retailer had a system breach which resulted in the loss of credit card data for millions of consumers. A non-profit hospice had a laptop stolen which contained unencrypted records on hundreds of patients. A well-known social media platform had a breach which resulted in the loss of user IDs and passwords for millions of users.

You’ve heard these and similar stories many times over the past few months. What do all of them have in common? Each organization was considered “compliant” with at least one of the common security frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI-DSS).

Organizations place far too much emphasis on the compliance certification and not enough on the compliance process. The end goal should not be the piece of paper with a stamp of approval. We should be working diligently to identify our risks and to mitigate those deemed a serious threat to the confidentiality, integrity or availability of our systems and data.

Proper risk management is an ongoing process. It doesn’t simply follow a checklist provided by an outside group. It takes into account the unique nature of each organization. While compliance programs such as HIPAA, PCI, FISMA and others are a great starting point, they can’t identify all areas of risk in our organizations. Only we can do that.

Proper risk management will always provide far greater security than any compliance checklist ever will.

Don’t have a risk management program?

If you don’t have a risk management program, start small and use free resources such as NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, both available at http://csrc.nist.gov.


This is a guest blog written by Dave Nelson, President of Integrity Technology Systems. Dave is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow of the Information Systems Security Association (ISSA). He has led technology organizations in both the public and private sectors.

Authors

Marta Stone


