Pro+ Content/Information Security magazine

November 2009

Standards compliance does not equal sound information security risk management

The question "how much is enough" in regard to security spending has been explored by many researchers. Industry seems to have answered it simply as "spend just enough to pass the next regulatory examination." Regulatory security standards are intended to provide a generalized baseline for information protection, and organizations are failing to recognize that their own security requirements do not map directly to any single standard or set of standards. In fact, the very elements within an organization that do not overlap with a standard may present the most challenging risks. Unfortunately, it appears many institutions have settled on the misguided notion that compliance and security are essentially synonymous, and as a result they carry significant unmitigated risks. Simply stated, the checklist security audit approach is easy to understand and budget for, but the result is inadequate security. The Heartland Payment Systems breach demonstrated how an emphasis on compliance may not be reasonable, as the company was damaged by a ...

Features in this issue

  • Integrated change management reduces security risks

    by Diana Kelley and Ed Moyle

    Unmanaged changes to IT systems and networks can recklessly increase risk to enterprises. The key is rolling out an accepted change management process, and sticking to it.

Columns in this issue
