5/8/2012 11:36 AM

10 Symptoms Of Check-Box Compliance

These telltale signs show you care more about what the auditors think than what the attackers do

Security and risk practitioners have long lamented the habit of going through the motions just to satisfy regulations and standards such as PCI, SOX, and HIPAA. Phoning it in may keep the auditors happy, but it does nothing to reduce the risk of a successful attack. According to security and compliance experts, the following are some of the telltale signs that an organization has fallen into the trap of check-box compliance.

1. Arguing over which standards are best.
Check-box-oriented organizations tend to get so caught up in regulatory minutiae that they can't see the forest for the trees.

"Some organizations claim that they take the best of various policies and then go to work on a 'deeper policy,'" said Ron Gula, CEO and CTO of Tenable Network Security. "However, if you look closer at these sorts of things, they often target the union of various compliance standards and not the aggregation of all checks."

2. Losing sleep over an audit.
"If you are losing sleep about passing an upcoming security audit, you've got the check-box compliance disease--and it's probably rampant in your organization," said Lamar Bailey, director of security research and development for nCircle.

As he put it, security standards are the point of embarkation for the risk-management journey, not its destination. They're not meant to be the end-all, be-all for securing an organization; they just get you started. An organization that struggles to satisfy even these baseline requirements should lose sleep over how insecure its systems are, not over whether the auditor will break out the rubber stamp.

"These standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game," Bailey said. "If you can't pass them with two hands tied behind your back, you need to quit and find another game."

3. Putting line-of-business managers through spreadsheet hell.
If you make line-of-business managers fill in voluminous review forms, your organization is probably on the compliance-for-compliance's-sake bandwagon, said Jason Garbis, VP of marketing for Aveksa.

"Many times, enterprises approach access compliance by manually creating and emailing large, complex, and unwieldy spreadsheets," Garbis said. "If you're asking line-of-business managers to review a jargon-filled spreadsheet with hundreds of rows, chances are that this is a check-box review."

4. Viewing penetration testing as a panacea.
With so many compliance regulations requiring a penetration test, unsophisticated organizations that only want to cover their bases come to view pen testing as an all-purpose security cure. If your organization uses pen testing as a substitute for continuous monitoring or vulnerability management rather than as a complement to them, odds are you suffer from check-box compliance.

"If a company wanted to do the bare minimum, they could hire unsophisticated penetration testers and, when they don't break in, claim 100% security," Gula said. "Of course, this type of penetration test is not a substitute for a full audit."

Read the rest of this article on Dark Reading.

