Does fulfilling your regulatory compliance requirements actually lead you to be more secure? Will your organization automatically attain compliance by pursuing a strict regimen of security practices?
In short, is the quest to be compliant complementary, unconnected or mutually exclusive with the quest to be secure?
This is the heart of a subject that I have seen discussed rather frequently of late, including in the March 2007 issue of Information Security magazine.
Whether or not it is theoretically possible to fulfill most compliance requirements by improving one's security posture, in practice the effort that most organizations make toward being compliant with one or more sets of industry or government regulations detracts from their security posture as a whole — both in funding and in focus.
For one thing, the goals of compliance are radically different from the goals of security. Compliance focuses more on accountability, whereas infosec deals more with prevention and risk mitigation. Yes, auditing is a major part of security (because not everything can be prevented), and there is some risk mitigation in compliance, but they are not the same.
And let’s not forget that compliance is often ascertained by periodic auditing of sample sets. There is nothing inherently wrong with this, of course, but you can infer some interesting — and inaccurate — conclusions about your security posture when you take a sample of, say, 50 logs or reports for 2000 users, and try to extrapolate how secure the environment is by how compliant the sample set is.
Example: Let’s say that your organization has 2000 users, each with his or her own computer system, but only 75% of those systems have antivirus installed. Today, an auditor comes by and does a spot-check of 50 of those systems and finds that 100% of the 50 systems selected have a properly configured AV product. From the auditor’s standpoint, that would make the environment compliant, right? But would that actually make the network secure? Food for thought…
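To put numbers on the spot-check scenario above, here is an added worked example (not from the original post) that models the audit as a simple random sample drawn without replacement and computes, for a population of N systems of which K lack antivirus, the probability that a sample of n systems turns up zero findings, along with the smallest sample that would catch a given gap with a given confidence. The fleet size (2000), coverage rate (75%) and sample size (50) are the post's own figures; the hypergeometric model and the smaller 2% gap used for comparison are assumptions made for illustration.

```python
"""Audit sampling arithmetic: what does a clean spot-check actually prove?

Added example; assumes the auditor's sample is a simple random sample
drawn without replacement, so the number of non-compliant systems in the
sample follows a hypergeometric distribution.
"""
from math import comb
from typing import Optional


def prob_clean_sample(population: int, noncompliant: int, sample: int) -> float:
    """Probability that a random sample of `sample` systems contains none of
    the `noncompliant` ones: hypergeometric P(X = 0) = C(N-K, n) / C(N, n).
    math.comb() returns 0 when n exceeds N-K, i.e. when a clean sample is
    impossible, so the function correctly returns 0.0 in that edge case."""
    if not 0 <= noncompliant <= population:
        raise ValueError("noncompliant count must lie in [0, population]")
    if not 0 <= sample <= population:
        raise ValueError("sample size must lie in [0, population]")
    return comb(population - noncompliant, sample) / comb(population, sample)


def min_sample_size(population: int, noncompliant: int,
                    confidence: float = 0.95) -> Optional[int]:
    """Smallest sample size at which at least one non-compliant system is
    found with probability >= `confidence`. Returns None when there is
    nothing to find (K == 0), since no sample can ever detect it."""
    if noncompliant == 0:
        return None
    for n in range(1, population + 1):
        if 1.0 - prob_clean_sample(population, noncompliant, n) >= confidence:
            return n
    return population  # not reachable: a full census always finds K >= 1


def audit_summary(population: int, noncompliant: int, sample: int,
                  confidence: float = 0.95) -> dict:
    """Bundle the figures a reviewer of an audit plan would want to see."""
    p_clean = prob_clean_sample(population, noncompliant, sample)
    return {
        "gap_pct": 100.0 * noncompliant / population,
        "prob_clean_sample": p_clean,
        "prob_at_least_one_finding": 1.0 - p_clean,
        "sample_for_confidence": min_sample_size(population, noncompliant, confidence),
    }


if __name__ == "__main__":
    N, n = 2000, 50
    # The post's scenario (25% gap) beside a constructed, smaller 2% gap.
    for K in (500, 40):
        s = audit_summary(N, K, n)
        print(f"N={N} K={K} ({s['gap_pct']:.1f}% gap), sample n={n}:")
        print(f"  P(sample is entirely clean)   = {s['prob_clean_sample']:.3g}")
        print(f"  P(at least one finding)        = {s['prob_at_least_one_finding']:.3f}")
        print(f"  sample needed for 95% detection = {s['sample_for_confidence']}")
```

Run as written, the numbers cut both ways: with a 25% gap, a genuinely random sample of 50 comes back entirely clean with probability well under one in a million, so a clean result at that gap says more about how the 50 systems were chosen than about the other 1950. Shrink the gap to 2% (40 unprotected machines) and the same 50-system audit misses every one of them roughly a third of the time, and catching such a gap with 95% confidence takes a sample around three times larger. Either way, "the sample passed" and "the fleet is protected" are different statements.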
Now, I’m not suggesting that all aspects of compliance auditing are this rudimentary and devoid of cross-checks, but in general, auditing requires a different burden of proof than is warranted by true security. Too often, organizations aim for the least amount of work they can do to be compliant, and this results in a weakened security posture. And it doesn’t help that the costs of compliance are not insubstantial, taking resources away from other infosec initiatives.
In an ideal world, applying consistent security principles within an organization in a systematic and holistic fashion would also tend to bring one into line with regulations which have security and accountability at their foundation. Unfortunately, theory and reality do not find themselves in the same ballpark very often, to the detriment of all.