Information Security Blog

Information Assurance: The Difference between Secure and Compliant


Just hung up the phone on an interesting call with a potential client that reinforced an oft-misunderstood reality:

Not all compliant systems are secure, but secure systems can easily prove their compliance with regulations.

To fulfill the obligations of a business partner contract, the client needs to “have an annual penetration test conducted by an appropriately qualified entity”.  The discussion centered on whether they should test the application they had deployed under contract, the hosted network infrastructure, or both.

On a relative basis, application penetration testing costs considerably more than network penetration testing – especially for an application that has the complexity and risk profile of the application they had built on their client’s behalf.  The application also generally represents the lion’s share of the risk.  In this case that was even more so because:

  • the development team got very quiet when I asked about how they integrated security into the development lifecycle (e.g., Open SAMM) and whether they incorporated the OWASP Top 10 into their security objectives/requirements.

As you can likely already surmise – they opted to be compliant, not secure, and are going to just conduct the network penetration test “for now”.  In my humble opinion, this is a short-sighted approach that leaves them and the business partner at great risk.

The business partner is actually most to blame.  This particular system processes and transmits a wealth of Personally Identifiable Information (PII) that is subject to 45+ state and federal regulations.  Failing to identify a more appropriate standard, whether it be the Massachusetts law (likely the most onerous) or ISO 27001 (or similar), put them in a position where their business partner could easily decide to be compliant with the contract rather than secure.

Remember: compliance and security are different beasts. You may be compliant with a standard by enabling logging, but unless you are logging the specific events that represent the greatest risk in your environment, you are likely not secure.
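The logging point above is easy to turn into a concrete check. The script below is an added example, not code from the original post or from the author's firm: it contrasts the compliance question (“is logging enabled?”) with the security question (“are the high-risk events actually being recorded?”). The log lines, the event categories and the markers that identify them are all constructed for the illustration; in a real environment the risk-ranked event list would come from your own risk assessment.

```python
"""Audit log coverage against a risk-ranked list of events.

Compliance checkbox: logging is enabled.
Security question:   the events that matter are actually being recorded.
"""
import re
from collections import Counter

# Constructed sample log lines (not from a real system). Note that an
# /export request is served and logged as an ordinary HTTP request, but no
# security event records that PII left the system.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z web INFO GET /index.html 200 user=alice",
    "2024-01-05T10:00:03Z web INFO GET /account 200 user=alice",
    "2024-01-05T10:01:10Z auth WARN AUTH_FAIL user=bob src=10.0.0.7",
    "2024-01-05T10:01:12Z auth WARN AUTH_FAIL user=bob src=10.0.0.7",
    "2024-01-05T10:02:00Z web INFO GET /reports 200 user=carol",
    "2024-01-05T10:05:30Z admin INFO CONFIG_CHANGE key=session_timeout old=30 new=480",
    "2024-01-05T10:06:00Z web INFO POST /export 200 user=carol rows=12000",
]

# Illustrative risk-ranked event categories (assumed, not a standard list),
# each mapped to the markers that prove the event is being logged.
HIGH_RISK_EVENTS = {
    "auth_failure": ("AUTH_FAIL",),
    "privilege_change": ("ROLE_GRANT", "ROLE_REVOKE"),
    "pii_export": ("PII_EXPORT",),
    "config_change": ("CONFIG_CHANGE",),
}

# Simple "timestamp source LEVEL message" format used by the sample lines.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")


def parse(line):
    """Return the structured fields of one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_logging_enabled(lines):
    """The compliance test: any parseable log output at all passes."""
    return any(parse(line) for line in lines)


def coverage_report(lines, required=HIGH_RISK_EVENTS):
    """Count how many times each required high-risk event appears."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for event, markers in required.items():
            if any(marker in rec["msg"] for marker in markers):
                counts[event] += 1
    return {event: counts.get(event, 0) for event in required}


def missing_events(lines, required=HIGH_RISK_EVENTS):
    """The security test: high-risk events that never appear in the logs."""
    return [event for event, n in coverage_report(lines, required).items() if n == 0]


def is_risk_covered(lines, required=HIGH_RISK_EVENTS):
    return not missing_events(lines, required)


if __name__ == "__main__":
    print("logging enabled (compliant):", is_logging_enabled(SAMPLE_LOGS))
    print("coverage:", coverage_report(SAMPLE_LOGS))
    print("missing high-risk events:", missing_events(SAMPLE_LOGS))
    print("risk covered (secure):", is_risk_covered(SAMPLE_LOGS))
```

On the sample data the compliance check passes while the security check fails: authentication failures and configuration changes are captured, but privilege changes and PII exports never appear, even though an export visibly happened. That gap is exactly what a checkbox audit does not see.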

About the Author:

John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor
