The "RISKY BUSINESS" Blog


Information Assurance: The Difference between Secure and Compliant

Posted by John Verry on Thu, Jul 30, 2009 @ 12:44 PM

Just hung up the phone on an interesting call with a potential client that reinforced an oft-misunderstood reality:

Not all compliant systems are secure, but secure systems can easily prove their compliance with regulations.

To fulfill the obligations of a business partner contract, the client needs to "have an annual penetration test conducted by an appropriately qualified entity".  The discussion centered on whether they should test the application they had deployed under the contract, the hosted network infrastructure, or both.

On a relative basis, application penetration testing costs considerably more than network penetration testing - especially for an application with the complexity and risk profile of the one they had built on their client's behalf.  The application also generally represents the lion's share of the risk.  In this case that was even more so because:

  • the organization was already running monthly Network Vulnerability Assessments against the network and diligently addressing the vulnerabilities identified; and,
  • the development team got very quiet when I asked how they integrated security into the development lifecycle (e.g., OpenSAMM) and whether they incorporated the OWASP Top 10 into their security objectives/requirements.

As you can likely already surmise, they opted to be compliant, not secure, and are going to conduct only the network penetration test "for now".  In my humble opinion, this is a short-sighted approach that leaves both them and the business partner at great risk.

The business partner is actually most to blame.  This particular system processes and transmits a wealth of Personally Identifiable Information (PII) that is subject to 45+ state and federal regulations.  By failing to name a more appropriate standard in the contract, whether the Massachusetts law (likely the most onerous) or ISO 27001 (or similar), the business partner put itself in the position where the client could easily decide to be compliant with the contract rather than secure.

Remember, compliance and security are different beasts: you may be compliant with a standard simply by enabling logging, but unless you are logging the specific events that represent the greatest risk in your environment, you are likely not secure.

