COMPLIANCE
VERSUS
SECURITY

by Heather Randall

   Historically, government policy has been driven by crisis. An event occurs. The public reacts to the event. Politicians and legislators act to assuage the constituents. The accounting scandals of recent memory provide ample illustration of this chain of events. Enron stock tumbles sending the company into a financial death spiral resulting in thousands of people being laid off, losing investments, retirement funds and 401k plans. Subsequent investigations unravel a history of criminal financial activities at the highest echelons of the company. The Enron scandal was the first of many scandals involving accounting malfeasance and financial manipulation in some of the most reputable companies in the United States. The resulting financial devastation wrought by these scandals made headlines for months. The public outcry led Congress to enact several new laws, most notably Sarbanes-Oxley, which states that its purpose is to "protect investors by improving the accuracy and reliability of corporate disclosures..."
   The world of information security, particularly with respect to the payment services industry, offers a significant departure from this paradigm. In this arena, industry and government are moving apace of each other in terms of taking steps to protect valuable data, whether that data consists of credit card information or social security numbers. Their goal is to avert crisis, rather than react to it. In fact, the National Cyber Security Partnership released a report on April 1, 2004 National Cyber Security Partnership. (April 2004; "Information Security Governance: A Call to Action." www.cyberpartnership.org/InfoSecGov4_04.pdf) recommending that government enforce security regulations where the market sector fails to do so. An example of such a market sector that the Task Force believed to be in need of government regulation is "the most sensitive networks," such as those transporting financial information. In this acutely sensitive environment, industry and government are straining to ensure that consumer data is protected through the creation and enforcement of security standards.
   In today's hyper-regulatory environment, significant emphasis is placed upon "regulatory compliance." Businesses are faced with a barrage of security requirements that must be met; from industry standards enforced by the major card associations, to state and federal regulations. Compliance projects are often difficult, time-consuming and, depending on the depth of remediation necessary, can be quite expensive. This being the case, the focus on compliance is understandable, even laudable. The issue that arises from this often single-minded focus on compliance however is that many companies are led to believe that "compliant" means "secure."
   In order to understand why this distinction is so critical, it is first necessary to understand the nature of the regulations and the legislation with which businesses must comply. It is true that the foundation of the recently introduced security regulations, irrespective of whether they are industry or government regulations, is the protection of personal data. Most of the regulations, regardless of their source, germinate from that one seed. The main objective of security objectives is to reduce the aggregate risk that exists in a particular market by introducing a minimum standard of security. While both the private and public sectors share a common security concern, they also share a common regulatory dilemma; the breadth and diversity of the businesses they wish to regulate. This diversity means that in order to sufficiently cover the business models in their sphere of influence, the security mandates are necessarily broad.
   It is difficult to mandate that all companies use the exact same controls to secure their data. Differences in business models, network architectures, operating systems, financial resources, and other factors mean that what is appropriate security for one company, may be inadequate for other companies. The security regulations, therefore, often designate a security objective, as opposed to controls, for ensuring the security of data. How that objective is met is generally left up to the company, and their auditor or assessor, to decide. The conclusion one might draw from this statement is that, because companies are meeting a regulatory objective, they would be both compliant and secure. Ostensibly, this would be the case. Upon further examination, however, it can be seen that the terms "compliant" and "secure" are in fact not synonymous.
   The illustration is perhaps better served by breaking down the concepts, "compliance" and "security." Compliance, even stripped of its regulatory context, can be defined as "meeting or adhering to an existing standard, goal or objective". The foundation of compliance is a particular standard or objective. As the standard evolves, the company or organization must make changes in order to maintain its level of compliance. Compliance can be undertaken, though unadvisedly, without necessarily being aware of the risks in the business environment. To maintain compliance with many regulations, an organization must only alter its security policies and procedures in accordance with the regulation, irrespective of the threats the organization may face. The target in achieving compliance remains relatively static. An organization may need to make constant adjustments to maintain compliance, but the target remains stable.
   Contrast that with the notion of "security." Security can be defined as: "a measure or measures taken to guard against a threat or vulnerability". The objective of security is to mitigate risk to an acceptable level. Because the objective of security is to mitigate risk, the basis of an information security program should be a risk analysis. While the need for brevity precludes any detailed discussion of risk in this article, it is important to understand the concept at a high-level. Loosely, risk can be defined as the probability of an event occurring that results in losses to your organization. This is frequently quantified as the product of the likelihood of an event occurring in a given year, (shown as a probability) and the expected loss given that the event occurs. The result is displayed as a 'loss expectancy' or 'annual loss expectancy'. Understanding the financial risk posed to the organization by a threat allows the company to implement controls to mitigate the risk. It is generally accepted that controls should be implemented commensurate with the risk identified.
   An extreme example of this difference might be the encryption of data. If an organization is encrypting all personally identifiable information (nothing is stored or transmitted in the clear) that data may be considered secure, assuming it addresses the risk posed to the data, even without the benefit of a properly configured firewall or intrusion prevention system. A mal-intentioned individual may be able to break into the network, but he or she would not be able to extract any useable information. On the other hand this organization, despite the relative security of its data, would be considered grossly out of compliance with the majority of relevant standards, many of which require properly configured firewalls, file integrity monitoring, intrusion detection or other standard security protocols.
   Similarly, simply complying with regulations does not necessarily mean that an organization is as secure as it could be. For example, Sarbanes-Oxley requires that companies take measure to protect the integrity of the financial data in order to ensure accurate financial reporting. If a company's financial data is isolated to one network segment, then the company may be considered compliant if it has implemented file integrity monitoring and intrusion detection and similar protections around that segment. The company would be compliant, but not necessarily secure, as the rest of its network is vulnerable to exploitation.
   One might draw an analogy to creating a sturdy building. In constructing a sturdy building you must frame the walls. Stopping construction after framing the walls will only give you bare walls. To complete the house, electrical wiring, insulation, fixtures, roofs, and a variety of other components need to be added before the house can be complete. Compliance can be envisioned as the "walls". In complying with the relevant regulations, an organization has constructed the "walls" of its security program. These walls will remain relatively stable, as compliance entails meeting existing standards and those standards will remain comparatively static. The other components, those that complete the security program, can be changed on a more frequent basis as new analysis reveals new or different risks. In the same way that a roof may need to be replaced after a particularly severe storm, an organization's risk analysis may identify new risks in the business environment that requires a modification of the security controls.
   Understanding the above, there are three primary methods of mitigating risk: accepting the risk, transferring the risk and reducing the risk. Based on the risk analysis, a company can decide to employ a combination of the methods to manage the risk to their particular environment. By conducting regular risk assessments, organizations can maintain a relevant security posture and maintain their compliance with regulatory mandates. Coupling regular risk assessments with a real understanding of the relationship between compliance and security will help organizations create, implement and maintain a well-rounded security program.