My friend Jesper Jurcenoks, CTO of NetVigilance, a firm that provides network vulnerability testing products, keeps me up to date on all the doings with various PCI (Payment Card Industry) security doings. At a recent PCI conference, JJ (easier than saying Jesper Jurcenoks, and a nickname he provides), heard a line in passing he wishes he came up with. I think I'll steal it from him.
The line goes something like "If you worry about compliance, you won't really be secure. If you worry about security, you'll be compliant." Why? Compliance is a snapshot of negotiated and then mandated security practices, sometimes not best practices but merely good practices.
Since some of companies now under all types of new security regulations have little experience with the type of data security rigor now required, if they only follow the compliance rules they'll be only partially secure. And compliance for smaller companies may only be a self-assessment, and that's never good enough for people inexperienced in security.
Even those companies that undergo external audits aren't necessarily secure. If you aim only for compliance, you won't reach security. And, to pull up an old cliche, security is a process not a place. In today's world, there's no secure place, there are only secure processes you go through constantly to stay as secure as possible.
Aim at security, and you'll pass through compliance on your journey.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
PCI compliance is not equal to acceptable security
Great article.I love venn diagrams and the visual for this article is a big circle called "Being Secure" and a smaller circle completely inside that one called "Being PCI Compliant".
Example: PCI section 6.6 says you can be compliant by running an automated external black box application scan. These won't even find all of the OWASP top ten vulnerabilities, and only about one sixth of the total types (not instances) of exploitable vulnerabilities that may be present.
PCI compliance is a good thing, but no one should believe it equals acceptable levels of security.
I would like to recommend to everyone.
Search-and-destroy Antispyware is an excellent scanner that I would like to recommend to everyone. I simply love it. In the past I have tried many different types of scans. Some of them were free and others cost quite a bit of money but they all seem to pick up the same types of bugs. The antispyware solution from Search-and-destroy is less expensive than most and it will clean your computer and keep it working great just like the more costly scanners. Click on http://www.Search-and-destroy.com to learn more about this scan and how it can help you protect your computer.replica bags
Women like jewelry replica bags as men like cars ,yet ,they are more crazy .They also like cloths ,but don't as much as replica handbags .Jewelry give more confident to them ,that why jewelry industries are so lucrative .