This page is powered by Blogger. Isn't yours?

 Feedblitz email:
 RSS: http://linkingintegrity.blogspot.com/atom.xml



Integrity - use of values or principles to guide action in the situation at hand.

Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR.

Compliance shouldn't be a primary security driver, 7.6.05


Trying to be compliant or pass an audit doesn't make you more secure and doesn't protect you from attacks; conversely though, a common sense approach in security may equal regulatory compliance.

So said a Gartner analyst yesterday at the Gartner Security Summit. Amrit Williams, research director of the Information Security & Risk Group, believes that a focus on compliance is to the detriment of security overall. In particular, it may not address some threats that are increasing in scope.

'The greatest threat to us right now is the role of money as a motivator for cybercrime,' Williams said. 'The big threats aren't new, but they are changing and the reason is money.'

Those threats include identity theft; blackmail schemes, such as data for ransom and denial-of-service threats; spam relays [70% of spam is generated by compromised machines]; and espionage.

"If there's money to be made, [attackers will] do anything they can to get it," Williams added. "These attackers will be stealthier and more difficult to prevent." He said true numbers on such attacks are difficult to determine because they often go unreported.

"Through 2007, 80% of damage-causing events will have been preventable by effective implementations of network access control, intrusion prevention, identity and access management, and vulnerability management," according to a report released in December by Stamford, Conn.-based Gartner.

And while many of these issues are also addressed indirectly through regulatory compliance, some may fall off an enterprise's radar while resources instead go toward creating the kind of paper trails now required to show a company's data is secure.

However, Williams said focusing on these elements will go far in mitigating most network security threats. When looking at intrusion prevention, he suggests securing the network as best you can, then focusing on mobile users. For example, buy personal firewalls for all mobile clients because they are a much higher risk for bringing problems into the network. Then focus on servers and desktops.

Williams said better security is about prioritization and planning. Successful vulnerability management relies heavily on determining asset classification and threat posture, while identity and access management depends on predefined roles, controls and accountability. As for network access control, he's a proponent of "quarantine, limit, deny" for systems that may not be current with patches and antivirus signatures.

Concluded Williams: "Doing these four things will make your organization more efficient, protect against current, emerging and future threats, and help you meet regulatory compliance."


  "Trying to be compliant or pass an audit doesn't make you more secure and doesn't protect you from attacks; conversely though, a common sense approach in security may equal regulatory compliance."

Yes. However, failing to be compliant can be a security problem. And it is clearly a business and possibly legal problem.

Post a Comment



Integrity Incorporated

Site Feed

 Feedblitz email:

 RSS: http://linkingintegrity.blogspot.com/atom.xml

"We shall need compromises in the days ahead, to be sure. But these will be, or should be, compromises of issues, not principles. We can compromise our political positions, but not ourselves. We can resolve the clash of interests without conceding our ideals. And even the necessity for the right kind of compromise does not eliminate the need for those idealists and reformers who keep our compromises moving ahead, who prevent all political situations from meeting the description supplied by Shaw: "smirched with compromise, rotted with opportunism, mildewed by expedience, stretched out of shape with wirepulling and putrefied with permeation.
Compromise need not mean cowardice. .."

John Fitzgerald Kennedy, "Profiles in Courage"


07.03   08.03   09.03   10.03   11.03   12.03   01.04   02.04   03.04   04.04   05.04   06.04   07.04   08.04   09.04   10.04   11.04   12.04   01.05   02.05   03.05   04.05   05.05   06.05   07.05   08.05   09.05   10.05   11.05   12.05   01.06   02.06   03.06   04.06   05.06   06.06   08.06   09.06   10.06   11.06   01.07   02.07   03.07   04.07   07.07   08.07   09.07   10.07   05.08   06.08