Information Security - Don't Just Check the Box!

Compliance and security at times go hand in hand. In most cases, being compliant does not truly ensure you are being secure. I titled this blog “Don’t just check the box!” because the thinking that if your company can check the compliance box it will be secure enough is just not true.

Compliance is usually a point in time or period of time; a specific set of controls are in place and/or operating effectively. When you go through a PCI Report on Compliance, you are looking at a specific period of time, the last 12 months. When you go through a SOC 2 Type 2 report, you are looking at a specific period of time, usually anywhere from 6 to 18 months. Security, or Cybersecurity as they say, is never a point in time approach. Security is and should be an ongoing process that is constantly being assessed and improved. The subset of true security principals within whatever compliance requirements you have, may not meet the best practices or standards of good security. Your company should take a big picture approach and design its security program to exceed what is within your annual compliance requirements.

One clear example of where compliance and security don’t mix is in PCI DSS 3.2. Requirement 8.2.3 says that Passwords/passphrases require a minimum length of at least seven characters. This has been a PCI requirement for a long time. There are many other systems, frameworks, and compliance requirements that require many more characters than PCI does to be compliant. In our role as assessors and auditors, we always recommend more in this area and is a clear indicator that checking the box for compliance is not necessarily securing your environment well.

Another great example of this is around Security Awareness Training. Most compliance requirements outline that an organization must have their employees take security awareness annually. This is usually an online course that takes 30 minutes to an hour to complete with a short assessment at the end. This is fine for compliance mandates, but is it a security best practice? As assessors and auditors, we recommend to our clients that they make security awareness a continuous process by incorporating things like phishing assessments and social engineering assessments into their overall Security Awareness Program.

Compass takes the approach of being transparent and open with our clients as we move through compliance engagements. We identify where the soft spots within some compliance frameworks are and recommend what is best to exceed and truly beef up those areas, thus making your overall information security program stronger and more robust.

Security and Compliance, as I mentioned at the beginning, often are mentioned together and sometimes confused with each other. A couple of months ago we hosted a webinar on Security vs. Compliance and how by focusing on Security, compliance becomes a little bit easier. To watch a recording of this webinar, click on the button below. As always, if you have any questions, please don’t hesitate to contact us to discuss your specific situation!