In my experience, it is extremely rare to have a security professional suggest that compliance and security go together; they almost always suggest that "compliance does not mean security" or some related idea. I agree with this sentiment, but I am curious then, why we have compliance to begin with...
There must be someone out there who believes that compliance and security ARE related. Maybe I am getting too broad in my interpretation of what people say. I certainly believe that many things you do for compliance can reduce your risk. And it isn't too far-fetched to think that folks might mean that compliance doesn't make you absolutely secure (nothing does).
Perhaps even more importantly... don't you think compliance SHOULD equal (some appropriate level of) security? Or is this actually an admission that we don't like to make -- that risk is everywhere and we can reduce it with stronger controls but can't eliminate it?
Compliance is for those who are too lame to do their own security.
How's that? ;-)
Posted by: shrdlu | January 30, 2009 at 04:00 PM
Good question. Compliance is more targeted to ensure that you are following risk standards determined by third parties, usually regulatory bodies. That's mostly to avoid an organization's risk appetite increasing the risk to others (like one merchant affecting cardholders and other merchants). It's a way to define a baseline of controls.
What usually makes compliance different from security is that you usually need to be compliant to standards that are targeted to reduce risk to others, not to you. When you include internal policies as a compliance matter, it starts to walk hand in hand with security, as your policies are your proposed posture on security. If you are in compliance with your policies you should be at your desired level of security. Ensuring that your policies really reflect the most effective security for your business can also be seen as compliance with risk management based standards, like ISO27001.
Posted by: Augusto Paes de Barros | January 30, 2009 at 04:34 PM
Trying to be a little more effective than the previous comment,
Compliance related to external regulations and to your standards (that reflect your desired security state) equals security.
Compliance to external regulations only is certainly smaller than security, as your security needs may not be addressed by them.
Posted by: Augusto Paes de Barros | January 30, 2009 at 04:38 PM
Where do you think the rules you're being asked to comply with come from? They're created by security professionals, just like all good security rules. They're intended to set a generic baseline of good practice that everyone is expected to follow. There's no harm in having stronger controls than the compliance requirements -- in fact it's usually a very good idea. It's security "un-professionals" who have such runaway egos that they think unless the control was specified by themselves, it's automatically no good.
Posted by: www.google.com/accounts/o8/id?id=AItOawl7U21TVobUkIe4n8TDkiZ1qGmVeaO642s | January 30, 2009 at 09:11 PM
"There must be someone out there who believes that compliance and security ARE related."
Of course they are! Compliance (its infosec-related part) was created to push people who ignored security to do a bit of security.
See the link below e.g.
http://chuvakin.blogspot.com/2007/11/risk-vs-risk.html
Posted by: Anton Chuvakin | February 04, 2009 at 02:41 PM
Informative post, this post has created eagerness to go through your upcoming posts.
Keep up the good work.
Posted by: victor | April 07, 2010 at 07:22 AM