Focus on Compliance Could Weaken Info Security, Execs Warn
IT needs a broader strategy, they say
(Computerworld) November 21, 2005 -- Regulatory compliance should not be the primary driver of corporate information security efforts, said IT managers at the Computer Security Institute conference here last week.
Over time, such a strategy could weaken a company's defenses, the IT executives said. Instead, they recommended that businesses make compliance a by-product of a broader security strategy.
When companies try to manage risks by using a checklist of compliance items, there is "a very real danger" of overlooking other critical security issues, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.
"Checklists cast the world in black-and-white terms," Jones said. They're valuable tools, he added. But checklists alone "don't allow organizations to take a good, rational and logical view of all the circumstances" that affect security risks, he said.
Last week's warnings came amid increasing regulatory requirements and a rash of high-profile data breaches that have brought information security issues into corporate boardrooms for debate.
A global survey of IT security managers, released earlier this month by New York-based Ernst & Young International, found that compliance issues have for the first time replaced worms and viruses as the biggest driver of information-security efforts.
Conceptually, regulations can provide a set of guidelines that, in theory, organizations could use to establish good security practices, Jones said. "It's very hard to argue with concepts like 'least privilege,' and 'need to know' and 'defense in depth.' That's in keeping with everybody's strategy for managing risk," he said.
Companies, however, have problems when the sole corporate security strategy is to ensure compliance with regulatory requirements, said Fred Trickey, information security administrator at Yeshiva University in New York. "In one sense, [ensuring regulatory compliance] is of value to the information security community because it does give external validation of the things you've been working on," Trickey said. But focusing an overall security strategy on compliance with a specific regulation can create a false sense of security, he added.
"It's important that you don't lose sight of evolving threats, risks and attack models," Trickey said. "If you're entirely focused on regulations, you'll lose sight of that."
Establishing a successful security strategy can depend on whether compliance is the centerpiece of the effort or just a piece of the puzzle, said Gerhard Eschelbeck, chief technology officer at Redwood Shores, Calif.-based Qualys Inc.
"It all depends on where you set the bar," Eschelbeck said.
Ben Rothke, a senior security consultant at ThruPoint Inc., a management services company in New York, said good security systems should support regulatory requirements in general.
"The problem with compliance is that people tend to take a myopic view of what needs to be done whenever new regulations come out," Rothke said. "The point needs to be made that those organizations with a solid security framework in place could easily handle any regulations thrown at them."
The need to comply with regulations such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act has certainly heightened the discussion around customer privacy and security, according to Greg Framke, CIO at ETrade Financial Corp. in New York.
In an interview separate from the CSI conference, Framke said, "These are things we have been talking about and doing things about for a while." As a result, he said, "I see no particular challenge with compliance."