Andrew Conry-Murray has an interesting piece on the InformationWeek Security blog about PCI. Here's an excerpt:
I think this is an option that warrants serious discussion because it focuses on the intended results. This is particularly beneficial when we have no real evidence about which controls are most effective at reducing risk; we assume quite a bit about "best practices" that may not help.
The idea is not to try to predict in the aggregate how attackers will attack, but simply to let the enterprise determine for itself what its risk level and security posture should be, given the prospects of potential breach.
Andrew doesn't get too much into exactly what the penalty would be if a breach occurs. I think this is fairly simple - organizations already bear the notification costs. We should simply add the requirement to pay for reissuing credit cards and possibly an annual credit monitoring service for the victims.
Pete, what would people who don't know what "put that energy and money into actually reducing risk" means do in this scenario? I read the paper and thought that it is too idealistic.
Posted by: Anton Chuvakin | January 27, 2009 at 06:30 PM
@Anton -
There are a number of control frameworks that exist in the security profession - and PCI is out there, so that could be used as a guide as well. Heck, how does anyone trying to comply with SOX know what to do? They don't follow SOX; they ask their auditors and security pros.
Andrew's "paper" was a blog post, so not a whole lot of details there. I don't really see what is idealistic about it - it seems fairly straightforward to me, and perhaps more importantly, it is run by private enterprise so they could actually rewrite the rules of PCI to focus on penalties and not on controls.
Posted by: Pete | January 27, 2009 at 06:39 PM
Interesting proposal. An essential element which I don't see mentioned explicitly would be requiring firms to divulge their costs due to breaches. This way, the firms can do as they please, but customers have the data they need to determine where to buy.
Posted by: Chris | January 27, 2009 at 11:03 PM
Well, it is idealistic since I think under that new system a lot of people will say "OK, risk assessment ... Got it - we have no risk! Proceeding to do nothing, as usual"
Posted by: Anton Chuvakin | January 30, 2009 at 11:00 AM
@Anton -
And they would have that right, to a certain extent. Don't forget that there are plenty of other restrictions out there for negligence and liability. The idea here, if I understand correctly, is simply to penalize the negative consequences. Some folks might, for example, opt to insure against the risk rather than implementing prescriptive controls which haven't been validated as being useful.
Pete
Posted by: Pete | January 30, 2009 at 11:06 AM
Hi Anton,
People who don't know what "reducing risk" means can use the PCI standards as a voluntary framework. They can also take other steps available to them--hire consultants, talk to peers, use an MSSP, etc.
Under the current PCI framework, companies have more incentive to become "compliant" than they do to actually manage risk. That's backwards. My idea is to enforce the intent of PCI--manage the risk--without mandating the path you take to get there.
Posted by: Andrew Conry-Murray | January 30, 2009 at 11:59 AM
Pete:
FWIW...too many companies may use the PCI standards as a CYA tactic. Rather than do what's really needed to minimize the risk of unauthorized access, they can simply follow PCI, and throw up their hands if/when that access occurs and say, "well, we did what PCI asked of us."
I like Andrew's approach of simply setting out the objectives, and leaving it to the industry to determine the best way of getting to the finish line. In this cat-and-mouse environment, that "best way" will be consistently changing, which means hard-and-fast regulations that work today may be hopelessly outmoded tomorrow.
But then, I'm just a PR flack...what do I know?
Posted by: Steve Friedberg | January 30, 2009 at 01:28 PM