GM's Litt explains how the lack of a regulatory guidance baseline adds to the difficulty of achieving compliance.
"The downside of compliance is in the execution. Take three companies: Company A doesn't do anything when it comes to compliance. Company B has deployed some levels of detective controls. And company C is trying not only to detect problems, but also proactively prevent them. The problem is that all three companies can get written up for noncompliance. Company A gets cited for not doing anything, Company B for not being proactive enough, and Company C for pushing the envelope too far with not-yet-matured technology," says Litt. "There is no gold standard. No consistency."
AT&T senior vice president and chief security officer Edward Amoroso likens the need for standardization to the ubiquitous Underwriters Laboratories stickers on products where one sticker signifies some measure of quality.
"Could you imagine if you went and bought a lamp and there were 50 stickers all over it: SAS-70 approved, ISO-this approved, GLBA-approved, Sarbanes-approved? You'd imagine some frenzied lamp safety guy, bleary-eyed and drinking coffee, having completed 50 certifications to make sure the lamp is right. Well, that's us," Amoroso says. "Instead of one sticker we have 50 stickers, and they're all asking for exactly the same thing, but you end up spending time, time, and more time satisfying different auditors and different groups. It could be more effective to have generally accepted security principles, much like the accounting professionals have GAAP."
In many cases, these stickers don't equate to secure. Bruce Brody, former chief information security officer with the Energy Department and the Veterans Affairs Department and currently VP of information assurance at IT services provider CACI International, explains that agencies can follow the FISMA accreditation process 100 percent and remain woefully insecure.
"The first stage of the FISMA process is a risk analysis. And agencies often accept too much risk from the start. They then put the processes and controls in place to certify to that low level of risk. Their systems aren't secure. They haven't considered all of their interconnections, or the risks posed by subcontractors or business associates. They're exposed to too many threats. But they're compliant," Brody says.
That's why Freese says, no matter how crucial compliance is, the focus must remain on keeping systems secure. "Compliance isn't the goal; security needs to be the goal," he says.