Thursday, May 18, 2006
PCI and SOX changes? Less security?
I've recently heard about changes in two security compliance drivers that I deal with, SOX and PCI. There are discussions about changes in SOX to avoid the confusion of which controls are needed (and how they should be implemented), as well as how the audit firms should assess risk in their clients.PCI Data Standard Requirements will also be subject of changes. There is information about reducing the encryption requirements and increasing application security controls.In both cases I've seen myself in discussions with peers regarding the changes, if they're good or bad. Man, I did it again! I caught myself advocating less security!Well, in fact, I'm not defending that companies need less security. I believe that they need the right amount of security to their business. SOX and PCI try to define the minimum requirements (SOX, of course, is much broader, but I'm focusing on the aspects that result in security requirements), but I understand that in some points they push too hard.SOX, in fact, does not push anything, but it leaves to auditors the decision of which controls are needed. I think it's a bad idea, because auditors usually don't have the sense of "how much of control is enough", but I'll try to comment it again in another time. Let's talk about PCI.My main concern about PCI is that it seems to have been written to avoid card data to be stolen by "Internet Hackers". When reading PCI requirements you'll notice that it is always trying to protect your "internal network" from "public networks". Ok, we know that this is necessary. But didn't these guys read anything about internal threats?When you're aiming at online merchants, like Amazon, it probably makes sense to focus on external threats. PCI, however, is also being pushed to issuers, who have thousands of employees that have direct contact with cards and cardholder information. I really think that PCI does not give the same treatment for these threats that it gives to the "threats of the moment", like hackers and viruses.As a security professional I'm constantly worried about building a holistic security strategy. PCI, as other security standards, should try to push minimum requirements in all directions of information security. As an example, we are always discussing about how companies respond to their incidents. What they should do to reduce damage, communicate people affected, protect evidence and so on. Why PCI doesn't have anything about it? (same for security monitoring, security staff, etc)And when it tries to help, like when defining firewall policy requirements, it usually dives too much in detail, like defining which protocols should be accepted. I could be more flexible there, just by defining that the organization need to have proper procedures to assess and deploy rules in its firewalls.Despite the different points of view, I'm happy that discussions about laws and standards are happening. These discussions will help us to improve those documents, allowing us to reach better cost/benefit equations. Too insecure systems do not grow because people don't trust them. Too secure system will also not grow, as they are too inflexible, expensive and hard to use.