Debate» Compliance requirements have prevented security professionals from stopping advanced threats.

FOR
Nick Selby, co-founder, Cambridge Infosec Associates

Imagine playing chess against an opponent who always opened with the same 12 moves. After a while, you'd slaughter him. That's where we are today. Rule sets are key to sensible configuration, but baselines aren't security; they force us to focus on trailing, not leading indicators. CISOs see compliance as a great way to prop up security budgets. However, confusing security and compliance means security departments spend their resources complying, not enacting proactive security. This is zero-sum: Time spent doing one thing cannot be regained.

We advocate a better approach: compliance (verb) is handled by a compliance group, and security looks at relevant metrics (including state-of-compliance provided by compliance people) from across logical and physical realms, and from places like HR, marketing and other

AGAINST
Michael Dahn, payment security evangelist

Not the case. The difference between compliance, validation and security is clear. Compliance is a baseline minimum standard. Validation is the point-in-time review of an organization's state of compliance. Security, then, is the goal of preventing the theft of personal or sensitive data. For instance, the Payment Card Industry (PCI) Data Security Standard (DSS) has raised the bar by creating a baseline of best practices for handling card data.

A cycle then ensues, with hackers modifying their attack methods, and the standard being updated. The PCI Security Standards Council has consistently advanced the standard to meet emerging attacks, with a new focus on web application attacks and wireless security, as well as plans to include virtualization and end-to-end encryption. PCI DSS incorporates compensating controls that enable large organizations

THREAT OF THE MONTH
Clampi/Ligats

What is it?
Clampi (aka Ligats or Ilomo) is an information theft botnet. The malcode is a multicomponent tool that injects code into running processes, alters the PC's configuration and, once established, begins to harvest and send sensitive information from the PC to its handlers.

How does it work?
Clampi is usually distributed via exploits in Adobe client-side code. A user is lured into a website that contains exploits against known vulnerabilities in Flash or PDF extensions in the browser,