Why Compliance?
• To ensure a certain level of Security.
• To ensure measurable baselines.
• To ensure controlled environments.
• To establish responsibility.
• Complement to existing Security.
Ensuring a certain level of security for everyone?
• One size fits all.
• Great for non-efficient organizations: it helps the clueless but is a distraction for the skilled.
Measurable Baselines?
“the responsibility of management for establishing and
maintaining an adequate internal control structure
and procedures for financial reporting.”
Sarbanes Oxley Section 404
Ensure Controlled Environments?
• Not by you, but by an Industry or Government entity.
• Compliance is/feels forced.
• Top down = your only choice is to adopt.
• It is someone else’s concept of Security.
• Your Brain is taken out of the equation.
Establish Responsibility?
• A part of compliance that cannot be overestimated.
• From “them” to you.
Complements Existing Security?
• More Documentation and Red Tape.
• Compete for Focus.
• Compete for Budget.
• Often takes precedence.
• Very big distraction to the existing Security work.
• Will give you less control of your own Strategy.
What can we as security professionals do?
• Question vendors’ claims.
• “How will vulnerability scanning help me achieve data encryption mandates?”
• “How can technical tools claim to solve my process issues?”
What can we as security professionals do?
• Get involved with standards that you believe in.
• Give feedback to standards that force your compliance.