Secure Information Exchange - Whether It’s Data in Motion or at Rest

Point-in-Time Compliance? Whose Fault Is It When Your Data’s Compromised

By Greg Hoffer

In a recent interview with CNET, Bob Russo, general manager of the PCI Security Standards Council noted, “Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance.”

Russo’s point about continuous versus point-in-time compliance is interesting on many levels. As a respectable business or IT leader, you can’t argue with the fact that companies must not only meet government and industry standards at a single point in time, but that they must also update processes, tools and systems to maintain their compliance as regulations shift and change. In order to ensure information security (that you’ve mitigated risk to an acceptable level), you must treat the policies, processes and tools that you use to protect sensitive data as an evolving, imperfect set of entities.

However, it’s somewhat of a cop-out by Russo and the council to imply that because companies are not completely in compliance all the time, their information and systems are any more vulnerable than those who might be in complete compliance all of the time. To take it one step further, he also seems to be saying that a company’s lack of compliance explains why a breach occurred. Might it be possible that the standards really only provide a false sense of security for consumers?

Yes, standards are necessary to help protect consumers and ensure industry baseline security measures. However, they can also be a crutch that is leaned on by overworked or underprepared security folks, providing the lowest common denominator for security so that the work can be checked off the list of things that must be done. Real security evaluation of asset valuation, risk assessment, and threat analysis must be applied not only from the perspective of a generic standard, but also through the lens of a specific business’s processes, procedures, and strategy.

Not only must security measures evolve and move quickly, but so too must standards — lest we rely upon outdated measures that offer insufficient protection for our valuable assets.

4 Comments

  Greg Newman wrote @ February 17th, 2010 at 1:15 pm

Yes, standards are necessary to help protect consumers and ensure industry baseline security measures. However, they can also be a crutch that is leaned on by overworked or under prepared security folks, providing the lowest common denominator for security … Real security evaluation of asset valuation, risk assessment, and threat analysis must be applied not only from the perspective of a generic standard, but also through the lens of a specific business’ processes, procedures, and strategy. [Indeed true, the lens must be timely applied to evolve with the specific and pertinent 'battlefield conditions', if you will, that arise in the cybersecurity arena.]

  Mark wrote @ May 22nd, 2010 at 3:14 am

We should engage in less blaming of others and take action instead.

  PCBA Assembly wrote @ August 30th, 2010 at 1:55 am

Not only must security measures evolve and move quickly, but so too must standards. Yes, it’s right; sometimes the thing needs a standard to inspect, isn’t it?

  Pandora wrote @ December 9th, 2010 at 1:03 am

In fact, the recurring revenue business model (upon which many security vendors are now based) has become dependent on this “whack-a-mole” reactive cycle.
