Monday, November 21, 2005

Compliance undermines security

Companies that make regulatory compliance the sole driver of their information security efforts could be weakening their long-term security posture instead of improving it, according to IT managers at the 32nd annual Computer Security Institute conference held this week. Therefore, it’s better to make compliance a by-product of a broader corporate security strategy and not its sole end objective, they said. Those warnings come at a time when regulatory compliance requirements have made information security a topic of board-level discussion. The results of an annual global survey, released earlier this month by Ernst & Young, for instance, showed that compliance issues have replaced worms and viruses for the first time as the biggest driver of information security.

Compliance is a measure of your security posture relative to the specific regulations you are looking at. In one sense, it is of value to the information security community because it does give external validation of the things you’ve been working on. But using compliance with a specific regulation as a measure of overall security is risky and can create a false sense of security. A lot depends on whether companies tend to view compliance as the ceiling of their security efforts or as a minimum set of requirements within a broader security framework.

RELATED TOPICS: Sarbanes Oxley worsens security, Compliance takes top spot, IT Security takes back seat to compliance, InfoSec advisory role in decline, Why Bosses worry about security, InfoSec tops CFO concerns, Impact of regulations on IT Security, Executive guide to compliance and security

CATEGORIES: compliance, conference, trends, best practices