Comments on: Are Compliance and Security Related?

By: Anton Chuvakin

Anton Chuvakin — Wed, 04 Feb 2009 18:41:40 +0000

"There must be someone out there who believe that compliance and security ARE related." Of course they are! Compliance (its infosec-related part) was created to push people who ignored security to do a bit of security See the link below e.g. http://chuvakin.blogspot.com/2007/11/risk-vs-risk.html

By: www.google.com/accounts/o8/id?id=AItOawl7U21TVobUkIe4n8TDkiZ1qGmVeaO642s

www.google.com/accounts/o8/id?id=AItOawl7U21TVobUkIe4n8TDkiZ1qGmVeaO642s — Sat, 31 Jan 2009 01:11:21 +0000

Where do you think the rules you’re being asked to comply with come from? They’re created by security professionals, just like all good security rules. They’re intended to set a generic baseline of good practice that everyone is expected to follow. There’s no harm in having stronger controls than the compliance requirements — in fact it’s usually a very good idea. It’s security “un-professionals” who have such runaway egos that they think unless the control was specified by themselves, it’s automatically no good.

By: Augusto Paes de Barros

Augusto Paes de Barros — Fri, 30 Jan 2009 20:38:00 +0000

Trying to be a little more effective than the prevoous comment,

Compliance related to external regulations and to your standards (that reflect your desired security state) equals security.

Compliance to external regulations only is certainly smaller than security, as your security needs may not be addressed by them.

By: Augusto Paes de Barros

Augusto Paes de Barros — Fri, 30 Jan 2009 20:34:26 +0000

Good question. Compliance is more targeted to ensure that you are following risk standards determined by third parties, usually regulatory bodies. That’s mostly to avoid an organization risk apetite increasing the risk to others (like one merchant affecting cardholders and other merchants). It’s a way to define a baseline of controls.

What usually makes compliance different from security is that you usually need to be compliant to standards that are target to reduce risk to others, not to you. When you include internal policies as compliance matter, it starts to walk hand in hand with security, as your policies are your proposed posture on security. If you are in compliance with your policies you should be at your desired level of security. Ensuring that your policies really reflect the most effective security for your business can also be seen as compliance with risk management based standards, like ISO27001.

By: shrdlu

shrdlu — Fri, 30 Jan 2009 20:00:22 +0000

Compliance is for those who are too lame to do their own security.

How’s that?