Thursday 14 August 2008

Compliance is not security

IT Security professionals want systems that provide strong controls to protect their organization's assets. They often find that they are competing for budget with compliance demands.

Compliance is traditionally a procedure-based process that does not necessarily tie into a technological control. There are examples of 'compliant' systems not providing security (e.g. PCI compliant Hannaford).

There is now a trend to deploy Data Leakage tools -- not to prevent data leakage -- but rather so that when (not if) a data leak occurs, a record of what has been lost can be used to comply with the growing number of Breach Notification Laws by contacting those whose records have been 'lost'.

Surely implementing controls that prevent data leakage would be a more proactive approach. Strong security also provides compliance.