It has been my experience that the primary accomplishment of compliance endeavors is to keep the notion of security and risk management at the forefront of both technology and business management within an organization. I’ve worked in and around HIPAA, FISMA, and PCI, and they’re all too high level and nebulous – making them all but pointless.
To pick on one, just as a for-instance, PCI DSS 2.2 (v1.2) states, “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”
This is an impractical and not overly useful compliance requirement. It’s so over-simplified that it’s all but meaningless. Ensuring that an organization has “a process or architecture” is not the same thing as ensuring that that process or architecture is relevant and effective. That’s the fundamental problem with FISMA:
Do you have an incident response plan or a disaster recovery plan? Yes. Well then you’re solid. Never mind that your incident response plan consists of running antiquated anti-malware software and calling it a day, or that your disaster recovery plan is composed of user guides and installation manuals from 6 versions back.
Compliance efforts are good, though – even though much of the work is really just spinning wheels to appease some over-arching governing body. Whether it’s the Feds for FISMA, or VISA for PCI, it’s easy to meet the letter of the law of compliance and still have an insufficient and flagrantly deficient security program/posture. Again, to me, the biggest benefit of compliance mandates is that they keep information security and privacy practices on everybody’s mind. And, if companies take it seriously and don’t merely treat compliance efforts as a paper drill (as many, or most, do), compliance efforts really can provide benefit.
One last thought.
IMO, the focus of securing information HAS to be on the users and information handlers. So much is made of configuration and policy and procedure. All of which is necessary and valuable. However, you’re only as good as your weakest link. Steve Riley of MS (http://blogs.technet.com/steriley/) made a good point when he wrote, “I don’t know where to direct my ire—at the spammers who litter the Internet with their spew or at the people who still get duped by it. Spam would wither away if everyone just ignored it.”
The point is that if people wised up and understood the risks, threats, and attack vectors, compliance would come naturally, and the organization’s security posture would be greatly enhanced. Until companies understand the value in compliance efforts, take them seriously, and don’t just “go through the motions”, resources are better spent by focusing more on users and less on compliance.