Andrew Conry-Murray has an interesting piece on the InformationWeek Security blog about PCI. Here's an excerpt:
council on protecting card data, do whatever the hell you want. Or follow the minimum practices recommended by the card brands. But instead of tangling with assessors and trying to game the system to be compliant, put that energy and money into actually reducing risk. And understand that if you blow it, the card brands will swoop down with their penalties.
I think this is an option that warrants serious discussion because it focuses on the intended results. This is particularly beneficial when we have no real evidence about what controls are most valuable to reducing risk; we assume quite a bit about "best practices" that may not help.
The idea is not to try to predict in the aggregate how attackers will attack, but simply to let the enterprise determine for itself what its risk level and security posture should be, given the prospects of potential breach.
Andrew doesn't get too much into exactly what the penalty would be if a breach occurs. I think this is fairly simple – organizations already bear the notification costs. We should simply add the requirement to pay for reissuing credit cards and possibly an annual credit monitoring service for the victims.
Pete, what would people who don’t know what “put that energy and money into actually reducing risk” means do in this scenario? I read the paper and thought that it is too idealistic.
@Anton -
There are a number of control frameworks that exist in the security profession – and PCI is out there, so that could be used as a guide as well. Heck, how does anyone trying to comply with SOX know what to do? They don’t follow SOX, they ask their auditors and security pros.
Andrew’s “paper” was a blog post, so not a whole lot of details there. I don’t really see what is idealistic about it – it seems fairly straightforward to me, and perhaps more importantly, it is run by private enterprise so they could actually rewrite the rules to rewrite PCI to focus on penalties and not on controls.
Interesting proposal. An essential element which I don’t see mentioned explicitly would be requiring firms to divulge their costs due to breaches. This way, the firms can do as they please, but customers have the data they need to determine where to buy.
Well, it is idealistic since I think under that new system a lot of people will say “OK, risk assessment … Got it – we have no risk! Proceeding to do nothing, as usual”
@Anton -
And they would have that right, to a certain extent. Don’t forget that there are plenty of other restrictions out there for negligence and liability. The idea here, if I understand correctly, is simply to penalize the negative consequences. Some folks might, for example, opt to insure against the risk rather than implementing prescriptive controls which haven’t been validated as being useful.
Pete
Hi Anton,
People who don’t know what “reducing risk” means can use the PCI standards as a voluntary framework. They can also take other steps available to them–hire consultants, talk to peers, use an MSSP, etc.
Under the current PCI framework, companies have more incentive to become “compliant” than they do to actually manage risk. That’s backwards. My idea is to enforce the intent of PCI–manage the risk–without mandating the path you take to get there.
Pete:
FWIW…too many companies may use the PCI standards as a CYA tactic. Rather than do what’s really needed to minimize the risk of unauthorized access, they can simply follow PCI, and throw up their hands if/when that access occurs and say, “well, we did what PCI asked of us.”
I like Andrew’s approach of simply setting out the objectives, and leaving it to the industry to determine the best way of getting to the finish line. In this cat-and-mouse environment, that “best way” will be consistently changing, which means hard-and-fast regulations that work today may be hopelessly outmoded tomorrow.
But then, I’m just a PR flack…what do I know?