Compliant Does Not Equal Secure, Just Ask [Insert Company Name Here]

Tell me if this sounds familiar. A major retailer had a system breach which resulted in the loss of credit card data for millions of consumers. A non-profit hospice had a laptop stolen which contained unencrypted records on hundreds of patients. A well-known social media platform had a breach which resulted in the loss of user IDs and passwords for millions of users.

You’ve heard these and similar stories many times over the past few months. What do all of these have in common? They were all considered “compliant” to at least one of the common security frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI-DSS).

Organizations place far too much emphasis on the compliance certification and not on the compliance process. The end goal should not be the piece of paper with a stamp of approval. We should be working diligently to identify our risks and working to mitigate the risks which are deemed a serious threat to the confidentiality, integrity or availability of our systems and data.

Proper risk management is an ongoing process. It doesn’t simply follow a checklist provided by an outside group. It takes into account the unique nature of each organization. While compliance programs such as HIPAA, PCI, FISMA and others are a great starting point, they can’t identify all areas of risk in our organizations. Only we can do that.

Proper risk management will always provide far greater security than any compliance checklist ever will.

Don’t have a risk management program?

If you don’t have a risk management program, start small and use free resources such as NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, both available at http://csrc.nist.gov.


This is a guest blog written by Dave Nelson, President of Integrity Technology Systems. Dave is a Certified Information Systems Security Professional (CISSP) with 20 years of experience and a Fellow with the Information Systems Security Association (ISSA). He has led technology organizations in both the public and private sectors.
