Wednesday, 9 September 2009

Compliance does NOT Equal Security

Comodo Vision Video Blog

Responsibility for the notorious Heartland Payment Systems data breach late last year has been debated recently, with Heartland’s CEO suggesting that their PCI auditors let the firm down, while the auditors insist they can’t be responsible for checking absolutely everything. This case brings to light the reality that absolute security is an impossible goal, and that audits are only as good as an organization’s vigilance in following proper security procedures after the audit has been completed.

See my second video blog here.

1 comments:

Andrew Lenaghan said...

In a word I think we are talking 'overconfidence', a tendency that dogs the promotion of most security efforts as they cross from the technical realm to the non-technical. Nobody ever sold a product or promoted a standard to management saying it will make thing a bit less risky. The auditors would probably say compliance means they were just auditing the operations to see the company was doing what it claimed. I don't think they would see it as being within their remit to offer a comment on the adequacy of the PCI standard. PCI is peculiarly concrete in its specification of what must be achieved, reflecting its quite pragmatic origins, but it really only a minimum statement of some good practice – necessary but not sufficient as the mathematicians would say.

Post a Comment

Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.

Tag Cloud

Twitter Updates

    follow me on Twitter

    Purewire Trust