Can a network be defended and secured? Of course; observe the red team / blue team activities that are executed by businesses, governments, and at conferences. There is one catch: these do not reflect reality. Businesses are living networks under constant change, either directly encouraged or indirectly affected by the windows of the market and the universe as a whole.
A fine quote that brought this to bear for me was published in an NSA publication stating: “One simply must realize that while the search for the right foundations proceeds, construction will continue.” The article describes how the Duomo in Florence was built without an understanding of how to build the planned dome at the top. That is akin to information security today – the challenge and task of information security is to build and execute a security program that reflects that the business is in constant development, and we will not always “know” what is effective for where we are going. Think of mobile and cloud security as the current sources of concern and challenge.
The takeaway is to recognize that the standards organizations build their security programs upon (ISO 27001, NIST) and are regulated / audited against (PCI DSS, NERC/FERC) are themselves in a constant state of change. This is matched only by the dynamics of the changing foundations of what information security is protecting (mobile, cloud, etc.) and the market demands placed on the organization. Standing still is not the answer; instead, iterating rapidly with a conscious focus on the strategy of the organization, supported by an enabling security program, will enhance the longevity of the organization and the relative effectiveness of the security compliance program itself.
NSA Article referenced: “Cybersecurity: From engineering to science” by Carl Landwehr
James DeLuccia IV
Posted in information security, Security
Tagged 2012, best practices, Compliance, cybersecurity, fisma, it compliance and controls, IT Controls, james deluccia, jdeluccia, PCI DSS, Security
The recently published Simplify Cybersecurity With PCI, by Heidi Shey and John Kindervag, is an interesting and valuable read. The premise is that government regulations (any, really) are generally obtuse and ideal-focused, without prescriptive how-to descriptions, while the payment card industry standard (PCI DSS v2.0 in this case) is direct on what technology controls should be deployed and how. The authors present a synergy between the two that can help an organization establish a security program.
I would definitely recommend that businesses struggling to establish a security program review the concept. I would challenge those involved in establishing and enhancing security programs to focus on their core business strategies and on an iterative cycle, and not simply on a controls exercise. Ultimately I agree there are synergies as described by the authors, and I feel the mapping is quite insightful, but I would pair this with the cyclical nature of an ISMS to round out the edges and make it a more pragmatic and ultimately effective program.
One further note: the authors intend that the PCI DSS standard is appropriate for mapping, but I would caution readers and all who utilize PCI DSS. The standard is specifically articulated for a set of risks and is typically bounded by the scope of the card data environment. When utilizing these standards it is important to eliminate and/or address these preconditional weaknesses first, prior to establishing a proper security, and ultimately compliance, program.
Other thoughts? I have personally done many mappings (most recently 134 global regulations and guidances) and can appreciate the value of such alignments, but each standard also carries assumptions that must be managed at the program level.
Posted in IT Controls, PCI DSS
Tagged 2012, best practices, Compliance, crossmap, cybersecurity, fisma, forrester, it compliance and controls, IT Controls, james deluccia, jdeluccia, nist, pci, PCI DSS, Security
Why should an organization address and comply with at least industry-supported practices? The question of compliance versus driving business value, one often raised in the payment card space, is important to understand and convey at every level of an organization. The importance lies in building an organization’s security and compliance program in a manner that cohesively manages the demands of client requirements, government concerns, and general competitiveness. We are in an era where competitiveness includes thwarting attackers focused on poisoning your supply chains with misinformation or directly seeking to “acquire” the intellectual property that makes the business competitive, and the executives and board of directors within an organization are acutely seeking demonstration of focus and effectiveness.
So what are the risks to an organization not managing the risks of an industry standard?
To answer that, below I will speak directly to PCI (to eliminate the obnoxious “it depends” statements) and about a Fortune 500 company that holds other intellectual property.
The ultimate risk to an organization out of compliance with PCI is well documented (on the Card Brand sites themselves and on breach news sites), but it stems from a violation of contractual agreements with the business’ banks and ultimately the card brands. This contractual obligation (and its violation) can be determined without a breach. The violation (profiled in a public court case out West) can be identified when a QSA / forensics team from the Card Brands, or any of their team members, conducts an assessment of the organization’s compliance. The court case referenced is that of a restaurant that had been suspected of being a Common Point of Fraud; it was proven not to have been breached, but was found in violation of PCI DSS based on the forensics report issued to the bank and Card Brands. So, the risk and associated damages can result from a breach (classic) or simply from confirmation that the business violated the contract established with the Card Brands.
The highlight here is that being compliant means addressing the threat vectors to the business and the assets requiring protection. Failure to achieve those results, from either path, can result in a number of negative business and financial events. These, in part, are described below:
- Financial punitive fines by the Card Brands ($500k is a number published by the Card Brands)
- Per-account breach-associated costs and fines – this number is a hard figure to lock down; $100–$170 per card in some cases
- Higher interchange fees per card transaction for the entire legal entity – this is very costly and most damaging
- FTC and public government actions, that may include recurring privacy audits (such as 20 years of third party audits)
- Automatic level 1 status for the company (which requires annual onsite attestation)
- If you look at TJX and the other public breaches, they have published those expenses at around $130M+
- Civil / class action lawsuits likely
There are also reputation and periphery risks to the business:
- The company possesses additional data protected and considered sensitive by industry and governments around the world. PCI data is one element, but it is likely that these systems share networks, applications, and permissions; the breach of one could inadvertently result in the breach of the other (PII)
- Not at least complying with / deploying operational security controls broadly considered baseline practice would be damaging in an era when security of data and confidence is so important
The highlight here is that the risk is not addressed by the issuance of a ROC by a QSA or by having run assessments, but by the security and risk programs being operational and effective. The ROC and assessments are simply attestations of a program that is mature and functioning. Compliance is not conferred by a ROC, nor does a ROC provide safe harbor in the common sense of the term. A long-standing statement by the PCI SSC is that “no compliant organization has had a breach” – this includes TJX, Heartland Payments, and Global Payments, all breached with current ROCs signed by TrustWave.
The success of the PCI program is measured by the ultimate reduction of risk and the adequacy of the organization’s security controls. The risks addressed through a cohesive integration with the operational elements of the business are the critical success factors.
James DeLuccia IV
Posted in Compliance
Tagged 2012, audit, Compliance, cybersecurity, data breaches, forensics, it compliance and controls, IT Controls, james deluccia, jdeluccia, pci, PCI DSS, Security, visa
A challenge for large businesses is addressing their own information security needs so as to manage their operations in a manner that allows them to be resilient and adaptable in an ever more competitive marketplace. Each organization is different – in its risks and in what it needs to mitigate. A painful evolution of the past decade has been the mistaken direction organizations have taken to build programs for singular compliance instances. Meaning, organizations develop programs to address single compliance requirements – vendors, SEC, industry, etc. Not that these are unimportant, but a natural effect of this is the perception that the security “controls” (even the word does not lend itself to the right, non-audit light) are there only to achieve compliance.
The mistake is achieving compliance to compliance requirements alone. There is a gap in the business’ OWN needs. Over the past year I have spoken on this topic publicly at conferences and my book has a huge focus on aligning and establishing business requirements cohesively.
To elaborate on the graphic … the CxO office must be aware of and share their strategy – typically easy to find, as I generally begin building these programs from the 10-K reports of the last two years. These feed the information security program elements and form the decision framework for all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, etc. In addition, the compliance elements must be addressed – but with the understanding that these are risk transfer activities imposed by third parties. They are not the basis of the enterprise program, but a singular consideration.
The capability of the organization to address market-competitive requirements is based upon the proper balance. Here you can see the target: 85% of the program is made up of the business’ own innovative and market-driving / supporting activities, and 15% of the program goes to meeting these ‘license to operate’ requirements.
The takeaway is to challenge your organization’s singly managed compliance initiatives and to take a deep dive on aligning budget with business revenue generation. There must be a rationalization of the safeguards to make the business efficient and effective – that includes safeguarding and enabling the business to conduct business, everywhere.
Posted in Compliance
Tagged 2012, audit, Compliance, CxO, cybersecurity, fisma, hipaa, hitech, infosec, it compliance and controls, IT Controls, james deluccia, jdeluccia, nist, pci, PCI DSS, regulation, Security, sox