Access "Standards compliance does not equal sound information security risk management"
This article is part of the November 2009 issue of How to implement a change management that works and reduces security risks
The question "how much is enough" in regard to security spending has been explored by many researchers. Industry seems to have answered the question simply as "spend just enough to pass the next regulatory examination." Regulatory security standards are intended to provide a generalized baseline for information protection and organizations are failing to recognize their own security requirements do not directly map to any single standard or set of standards. In fact, the very elements within an organization that do not overlap with a standard may present the most challenging risks. Unfortunately, it appears many institutions have settled on the misguided notion that compliance and security are essentially synonymous and as a result have significant unmitigated risks. Simply stated, the checklist security audit approach is easy to understand and budget for, but the result is inadequate security. The Heartland Payment Systems breach demonstrated how an emphasis on compliance may not be reasonable as the company was damaged by a huge breach despite apparent ... Access >>>
Access TechTarget
Premium Content for Free.
What's Inside
Features
-
-
Messaging security risks have upper hand on solutions
Spam, phishing and infected attachments continue to plague messaging platforms, despite sophisticated protection. What's the answer?
-
Enterprises must treat Insider risk as they do external threats
Enterprises can no longer differentiate between insiders and external threats. That's such a 2003 paradigm.
-
Messaging security risks have upper hand on solutions
-
-
Metasploit Project acquisition ups ante for penetration testing market
Rapid7's acquisition of the Metasploit Project takes down one of the few remaining open source security projects. But expect a smooth transition; there have been many success stories and mistakes made to learn from.
-
Integrated change management reduces security risks
by Diana Kelley and Ed Moyle
Unmanaged changes to IT systems and networks can recklessly increase risk to enterprises. The key is rolling out an accepted change management process, and sticking to it.
-
Metasploit Project acquisition ups ante for penetration testing market
-
Columns
-
Time is now for pandemic flu planning
Safeguarding your organization against a H1N1 outbreak should be a top priority.
-
Schneier-Ranum Face-Off: Is antivirus dead?
Security experts Bruce Schneier and Marcus Ranum debate the longterm viability of antivirus software.
-
Standards compliance does not equal sound information security risk management
The checklist approach to security is easy, but the result is poor security.
-
Time is now for pandemic flu planning
More Premium Content Accessible For Free
Unlock new pathways to network security architecture
E-Zine
Network security architecture is showing its age at many organizations. With new technology, different data types, and use of multi-generations of ...
Emerging threat detection techniques and products
E-Handbook
Advanced persistent threat (APT) has been a used and abused term in the security industry, but security experts say targeted attacks are a growing ...
The rapid evolution of MDM solutions
E-Zine
Mobile device management (MDM) continues to grow at a feverish pace, both in terms of adoption and mobile security features. BYOD policies, and the ...