As an executive responsible for many aspects of running your business, it can be difficult and downright confusing trying to understand the balance between Web security and compliance. Your IT, information security, and internal audit teams may be telling you completely different things based on how they see compliance fitting into the business – and especially their job roles. One of the best things you can do is to educate yourself on the basics of compliance. There are numerous laws and regulations around the globe that involve Web security in some capacity that need to be on your radar:

  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • European Union’s Data Protection Directive
  • Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Health Insurance Portability and Accountability Act (HIPAA) – including the latest Omnibus Rule updates that impact all healthcare industry business associates and their subcontractors
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley Act (SOX)

There’s also the U.S. Federal Trade Commission (FTC), which you may have heard about recently in the case of Wyndham Worldwide, that apparently has complete regulatory authority over any U.S. business for any data breach involving consumer information.

You can’t stop with what the bureaucrats believe is best. You need to know the real truth about compliance. You may have heard the term compliance doesn’t equal security. Well, it’s true. Executives running the organizations that end up in the breach statistics were undoubtedly giddy over how “compliant” they were – until they found out otherwise.

Compliance is one of those things that sounds good in theory but it’s rarely implemented in the right ways in the proper spirit. In the case of Web security, rather than truly managing the risks, many people just want to “check that box” and show that they’ve met some auditor’s or regulator’s base requirements:

  • Documented policies? Check.
  • Disaster recovery plan? Check.
  • Access controls? Check.
  • Encryption? Check.
  • User awareness training? Check.

Everything’s in check with Web security!

The executives who get reports that these minimum standards have been met end up going about their business assuming all is well with Web security and even IT in general. Little do they know that, in so many cases, a true information risk assessment has never been performed, reasonable technologies are not in place to enforce the documented policies, and proper Web security testing is not taking place on a periodic and consistent basis. This is a recipe for a breach and it’s happening with businesses, both large and small, all around the world. Here’s the secret to success with Web security: ensure the right people in your business 1) truly know what Web systems and sensitive information are where, 2) know how they’re at risk, 3) are working to minimize those risks, and 4) are repeating this process consistently throughout the year. Don’t try to force your Web environment to be compliant and then expect good security. Instead, address Web security first. When executed properly, compliance with all of the regulations being thrown your way will emerge as a result. The bottom line: you need to focus on minimizing your business risks and everything will work itself out.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.