Found a great article where Bill Seiglein (on csoonline.com) discusses the difference between being compliant and being secure.
Favourite quote:
I use the analogy that there might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock, but the requirement did not ask for a lock and so we did not get one.
Wonderful analogy, really hits the spot and identifies the problems that appear when you try to use a compliance sheet as a checklist. You might miss things that are quite basic, while over-investing in controls that don’t do much to overcome the real problems.
A good example of this, to tie into my previous standards posts, might be companies still using WEP in older wireless implementations. Insecure as hell, but it is still considered “compliant” when the audit goes down.
Read the full article here!
And remember, being compliant does not mean that you’re secure.
Tags: compliance, security
Trackback link: http://www.icmpecho.com/2008/10/04/compliant-but-not-secure/trackback/