The following is a guest post from Christopher Burgess, Chief Operating Officer and Chief Security Officer at Atigeo, LLC. Prior to Atigeo, Burgess was senior security advisor to the CSO at Cisco. He also served for 30 years as a senior national security executive for the government of the United States and is co-author, with Richard Power, of Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (ISBN: 978-1-59749-255-3).

“Compliance ≠ Secure (C ≠ S)”

By Christopher Burgess

Over the past few weeks we have collectively read about multiple situations in which an entity that had previously declared itself “compliant” demonstrated, either through self-inflicted deed or the nefarious efforts of another, that it was not “secure.” This raises the question: does compliance equal secure? I posit that they are two different measurements which are not interchangeable. You may be secure, yet not compliant. You may be compliant, yet not secure.

According to the Ponemon Institute’s “2011 Annual Study: U.S. Cost of a Data Breach” (published in 2012, sponsored by Symantec), ”39 percent of all breaches are caused by individual negligence of an employee or contractor.” In mid-February 2012, Union Bank “discovered that a former contractor had kept proprietary bank data in his possession upon departure from the bank on January 31.” This is a clear example of a lapse in the security regime then in place, which permitted a departing contractor, with no continued need to know, to retain sensitive data. The bank discovered and investigated. They sent out breach notification letters to the affected individuals and, as required, to the various states’ Attorneys General. In this instance, Union Bank included, at no charge, individual credit monitoring and identity theft risk management solutions.
An example of the latter scenario was played out in March-April 2012 when Global Payments announced they had been breached and approximately 1.5 million accounts had been compromised. Though the breach was believed to have occurred in early 2012, it was only after the beans had been spilled by Brian Krebs of Krebs on Security (see: Mastercard, VISA warn of Processor Breach) that Global Payments stepped up and acknowledged having “self-reported unauthorized access into a portion of its processing system” – fancy speak for breached. Global Payments Chairman and CEO Paul R. Garcia noted his reassurance that his security was up to snuff with his observation, “It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customer.”

To better understand what had transpired, I contacted Global Payments and asked some basic questions. Their answer follows each question:

1. What was the final number of accounts which were compromised by the unauthorized access to your system? – ~1,500,000 per FAQ
2. How many banking institutions (Banks, Savings & Loan, Credit Unions, etc.) were affected? – No Answer
3. In which states were “breach notification laws” germane to the unauthorized access to your system? – No Answer (State Security Breach Notification Laws)
4. Was this event limited to U.S. cardholders or was this international? – Predominately U.S. per FAQ
5. Was your system judged to be compliant with the PCI standards? – No Answer
   A. What was the date of the most recent compliance certification? – No Answer
   B. Who or what entity conducted the compliance certification inspection? – No Answer
6. Are you offering “credit report” monitoring to all of those whose credit cards have been compromised? – Contact your bank per FAQ
Global Payments forwarded to me a link to the crisis FAQ page they created: Global Payments 2012 Info Security Update

The CEO’s comments notwithstanding, one is left with the feeling that the internal team was relying on their compliance status as being a secure status, and once the breach was discovered, the disaster recovery plan took over. The disaster recovery plan, from this writer’s perspective, seemed to involve obfuscation, either on purpose or due to their lack of knowledge of their ecosystem. Sadly, there isn’t a means (save for going to a cash existence) for individuals to opt out of having their credit card transactions traverse a given payment processor’s system – those lofty decisions are handled by the banks. The fact that VISA tagged Global Payments as being out of compliance didn’t stop transactions from going to Global Payments; what it did was cost Global Payments a premium transaction fee.

Recommendations:

Compliance: No doubt the need for compliance-based reviews will not leave us, be they SOX, HIPAA, HITECH Act, SSAE16, PCI-DSS, or any other, as they allow both partners and customers to have a baseline on your ability to protect their data, their customers’ data and your own data. One should not step back from obtaining these necessary compliance certifications, be they required by government, by an industry organization or by contract. Engage and invest – it’s your data, your customers’ data and your company’s livelihood – all worthy of investment. Be proud of what you’ve achieved and don’t be afraid to let the public know that you’ve taken the step to be compliant with the necessary standards.

Security: Similarly, security is more than just putting an appliance or “Security Magic Box” on your network and declaring it complete and secure, or locked down. Security encompasses the daily assurance that the aforementioned static compliance reviews/certifications remain valid day in and day out.
In addition, processes and policies must be treated as dynamic documents, accompanied by dynamic education and training for personnel. Technology is advancing far faster than compliance documents do, so those responsible for protecting data must avail themselves of non-stop education; update and patch any equipment as and when the vendor rolls out updates/patches; and constantly engage with their constituency, be they employees or customers, on how to maintain a secure environment. As I have said previously (Social Elements of Security Policy & Messaging), policy creation and implementation requires engagement, and those who need to follow the rules must be a party to the creation of the rules. Whether or not an entity has a security breach will depend largely upon its degree of security preparation and implementation of preferred security practices.

In closing, please remember: Compliance does not equal Secure (C ≠ S).

Resources:
Payment Card Industry – Data Security Standards (PCI-DSS)
SSAE16 Auditing Standard