On compliance: sufficiently secure?

Compliance with industry standards may not be enough.

by Eric English, CISSP

With each breach of security at a major corporation, the finger pointing begins anew.

In the wake of the Target breach, for example, Trustwave was cited in a class-action lawsuit as the vendor entrusted to maintain data security for Target. According to this article in Network World, the lawsuit alleged that Trustwave “failed to live up to its promises or to meet industry standards.” The industry standard referred to is PCI-DSS, which was pushed by Visa and MasterCard to protect customer data. There’s a key lesson here for credit unions. And it’s this: What most people think of as an “industry standard” is not the only means of security you should implement. An industry standard is more of a baseline, not necessarily the best way of responding to a potential problem. PCI-DSS is one of the many compliance guidelines an organization can follow, but by no means is it the only form of security you will ever need.

The Target breach underscores the reliance on such industry standards, but organizations should consider more than one compliance framework and more than one security standard to go by. Most of the compliance frameworks are outdated and are generally based on best practices for IT security.

The Federal Financial Institutions Examination Council (FFIEC) guidance, for example, was written a decade ago but is still in use by banks today. FFIEC does update its guidance, but by no means does it cover every aspect of security.

Target alleges that Trustwave performed a vulnerability scan on Sept. 20, 2013, and no vulnerabilities were found. What is not mentioned is that most vulnerability scanners check only for vulnerabilities that are published and well known. Most vulnerability scanners will not pick up on a zero-day threat that exploits a previously unknown vulnerability in a computer application. So whose fault is that?
