compliance


I looked at a product the other day that is designed for a specific compliance need. It requires a web server and a SQL server. Sounds pretty normal, right? That’s pretty much where the “normal” ends.

Files containing user info are sent to the web server via FTP. They are “processed” by the software that is on the web server. All of the processing is done via .bat files. Once the processing is completed, the output is sent to the SQL server, where it resides and is accessed via the web interface.

What struck me as “odd” about this is the following:

  • BATCH FILES!!!! Is this 1986?
  • All Processing done on the web server! Why do I have to pay for a SQL server? (of course they recommend a dedicated SQL server) WHY? The SQL server does NOTHING other than serve up the data to the web server when requested. No stored procedures run, nothing. I could use Excel for that.
  • This is a compliance product and it stores unencrypted user data on the WEB SERVER. Last time I looked web servers were pretty vulnerable to hacks. And there are NO procedures for removing the data once it was finished being processed (by batch files on the web server). Sorry, that still blows my mind.
  • Since it’s a “Compliance” product it’s not cheap. And they are using batch files.

There were several other “little” things, but I think you get the idea here.

I try to talk to lots of people who are in IT and especially in Security. I like to get a feel for what is going on in various organizations with respect to security. I’m curious about who has a grasp on what security really is and who has no clue. I’ve discovered that there are lots of companies who really have a very limited view of security and who only practice basic security. They do just enough to get by and make the auditors happy. As we all know security is not achieved by being compliant.

I’m often surprised at what companies allow to happen on their networks.

  • Leaving access points open or with minimal security
  • Allowing any consultant, auditor, or “friend” to connect to the network
  • Opening ports in the firewall because they “need” this application.
  • No Acceptable Use Policy for computer and network access
  • Allowing administrator access to local systems
  • No hard drive encryption
  • Etc., etc., etc.

It just doesn’t seem to end. Then they wonder how they got compromised. After all, their auditor said that they were fine. Auditors, for the most part, are not security professionals. I’ve met a few who really knew security, but most of them just carry around their checklist and take notes.

I’ve also discovered that many Security Professionals who work in these organizations are really frustrated. They work hard to keep things safe only to have Management subvert the process because it makes things easier. I’ve been there myself.

As I talk to people at all levels of IT management and in the field I realize that many people don’t think about security being a key issue in IT. They assume that if they are behind a firewall and have AV installed then they will be OK. They don’t realize that this is not 1998 any more. It often shocks me because I assume that everyone who is in IT thinks security. Even before I started focusing on security in my career I just naturally took security into consideration when doing my networking duties. I thought it was just how things were done. Then I remember the stories I read, the people I talk to and the things that I’ve seen and am reminded that many people don’t realize that security needs to be a natural part of IT. Basic security is often ignored and when it isn’t it is often just enough. Just enough is never enough.

That is why I think that those of us in Security have to keep fighting hard to keep us safe, all the while preaching and teaching real security to all that will listen to or read what we have to say. We have to argue our point with management and give them hard facts as to why what we have to say is worth listening to.

I found a new blog (new for me) today when they linked to my Compliance posting. I know no harm was meant but I took offense to their accusation that I was letting the wrong thing drive my priorities. All that aside their blog looks to be interesting. I have added it to my feeds so I can keep up with what they have to say and learn from them.

Maybe a little clarification is in order. I think they misunderstood me. I’ve mentioned before about the major changes coming down the pike for my company. Part of that involves having to bring compliance issues in house that were being handled by a business partner. That means that like it or not, ready or not I have some catching up to do and I have to do it fast. I have to put some things in place to help me prove my compliance. True there were vendors there selling their hype but they are not what made me feel better. I’ve been doing this too long and dealing with vendors too long to buy into that. I spend roughly 35% of my time dealing with vendors. I know that they play games and I know how to play their games.

What made me feel better was talking to people who have been dealing with compliance issues for several years. They are the ones who gave me tips, hints and ideas that give me some hope in what looked to be an overwhelming task. I still have lots to do and will still have to spend lots of money. Not because spending money makes me compliant, but getting the pieces in place is not a cheap venture when you are starting from scratch.

Compliance is not driving my priorities. Security is driving my priorities. Compliance is just a piece of the puzzle that I have to put together. My priorities have always been a secure network and infrastructure whether or not I had to prove compliance. I practice the mantra “A secure network will almost always be compliant, but a compliant network will not always be secure”.

On Tuesday I attended a day-long seminar on Compliance that focused on Risk Management. It was put on by the guys at Tech Target and SearchSecurity.com. I wasn’t expecting much for several reasons. Primarily it was free (vendor sponsored) and it was only a day. What can they tell you in a day that you probably don’t already know? Actually more than I expected. It was a very well done seminar. There were 4 main speakers, a vendor Q&A session and of course the vendor arena.

With everything that is going on at work I almost decided not to go, but at the last minute decided that it may be worth it if for nothing else it would get me out of the office for a while so I didn’t have to think too much about all that I have to do. Also compliance is coming at me hard and fast and I wanted a “refresher” and hopefully a new perspective on what is coming. I was not disappointed in the least. The speakers were informational and entertaining. If you have done much in the field of compliance or risk management you know that they can be boring if left to themselves. Of course the best part of it was the peer networking that goes on at events such as this. The value of a good network can’t be overlooked.

What I brought away from the day was actually encouraging. Compliance is still looming over my head, but I actually feel pretty good about getting a handle on it. It will take a lot of work and a fair amount of money, but I don’t think it’s going to be the bear that I had imagined (knock on wood). I also found out that I am NOT subject to PCI!!!!!! I spoke with the Risk Manager and Information Security Officer for a large Financial Institution who is very well versed on PCI and its implications for various institutions. This was a difficult question to get a straight answer to. Every person that I talked to gave me different answers, but most of them qualified their answer with “I think” or “I believe”. The guy I spoke with is doing things the same way that we will be doing them and he said that they don’t even look at PCI except for the framework of it and the benefit that can be gained by that.

Well, it’s back to the grind. I’ve got to place my Cisco order today or I won’t have routers and switches to have my WAN in place in time. Not a good thought.

With the HP scandal being front page news there is a lot of talk about what they did, what was legal and what was ethical. It should make all of us think about our situations and where we as security professionals and our companies stand on similar issues. It should also lead us to look at where exactly we stand in regards to compliance on these and other issues. How many of us really knew if pretexting was legal and what regulations cover it?

How about other compliance issues? Often compliance and security are handled by different groups, but they can directly affect each other, and if the left hand doesn’t know what the right hand is doing then we can bring trouble on ourselves. Compliance is tricky ground, and depending on what industry your company is in, whether it is public or private, who our customers are, what data we have, etc., we may be subject to several different regulations. They may be industry specific, state or federal. Here is a good blog post on the pretexting issue specifically, but it points out that not knowing can get you in trouble. Ignorance is certainly not bliss.

I know in the financial industry we come under scrutiny from a long list of agencies and regulations. I don’t claim to know all the whys and wherefores of what may bite me, but I have to have a good idea as to what they are so that I can recommend and implement the proper controls and technologies to keep us out of hot water. It may not be my job technically, but I’m not going to take a chance that I will implement something that another department says is OK and then find out later that it doesn’t do the job or that it actually put us out of compliance. I won’t go around (to quote the blogger’s phrase of the week) “with my head stuck in the sand”.

This is very similar to what I wrote about a few weeks back regarding HIPAA. I was astonished to find out who had no idea that they were subject to HIPAA and even more astonished to find out that many didn’t care. Instead of security by obscurity they were going to claim compliance by ignorance.
