Tuesday, May 7, 2019

Top topic on IT security and compliance

Welcome to a world full of regulatory and compliance standards, evolving infrastructure and ever-present data breaches. Every year, fraudulent activity causes $600 billion in losses in the United States. In 2017, more than 1 billion account records were lost in data breaches, equivalent to 15% of the global population. 72% of security and compliance staff said that their work today is harder than it was two years ago, even though they have acquired all the new tools.

In the security industry, we are always looking for solutions to these converging problems while keeping pace with business and regulatory compliance. Because continued investment has failed to stop these unfortunate events, many people have become cynical and apathetic. There is no silver bullet, but waving the white flag is not an option either.

The truth is that no one knows what will happen next. The first step is to recognize the inherent limitations of our knowledge and predictive capabilities. From there, we can use rational, evidence-based and proactive measures to maintain compliance in a changing world. Abandoning the myth of passive compliance is an important step towards achieving security agility, reducing risk and detecting threats at high speed.

Let us expose some myths about IT security and compliance:

Myth 1: The Payment Card Industry Data Security Standard [PCI DSS] is only for large enterprises

Where the safety of your customers' data is concerned, this myth is clearly wrong. Regardless of size, any organization that accepts card payments must comply with the Payment Card Industry Data Security Standard [PCI DSS]. In fact, small business data is very valuable to data thieves and is often easier to access because it is less well protected. Failure to comply with PCI DSS can result in significant fines and penalties, and may even result in losing the right to accept credit cards.

Credit cards are not just for simple retail purchases. They are used to register for events, pay bills online, and perform countless other operations. The best practice is not to store this data locally at all, but if your organization's business processes require it to store customers' credit card information, additional steps are required to keep that data secure. The organization must be able to demonstrate that all certificates, certifications, and best-practice security protocols are followed to the letter.

Myth 2: I need a firewall and IDS / IPS to be compliant

Some compliance regulations do say that organizations need to perform access control and monitoring. Some say that "perimeter" control devices such as VPNs or firewalls are needed. Some do use the words "intrusion detection." However, this does not necessarily mean deploying a NIDS or a firewall everywhere.

Access control and monitoring can be performed using many other techniques. There is nothing wrong with using a firewall or NIDS solution to meet a compliance requirement, but why not also consider centralized authentication, network access control [NAC], network anomaly detection, log analysis, ACLs on perimeter routers, and more?

Myth 3: Compliance is all about rules and access control.

The lesson of this myth is not to become myopic and focus on only one part of the security picture [rules and access control]. Compliance and network security are more than creating rules and access controls to improve posture; they also require evaluating what is happening in real time. Hiding behind rules and policies is not an excuse for compliance and security failures.

Organizations can overcome this bias by performing direct, real-time log analysis of what is happening at any given time. Proof of security and compliance comes from establishing a network-wide access control strategy and continuously analysing actual network activity to verify that the security and compliance measures are working.

Myth 4: Compliance is only relevant at the time of the audit.

The continuous evolution of the network remains the most critical challenge for cybersecurity and compliance. Unfortunately, the network does not politely wait for compliance and security personnel to catch up.

Network changes are not only increasing; in the context of these new network models, the compliance standards themselves are changing as well. This combined challenge adds a new dimension to compliance mandates: they are ongoing, not something to address only when an audit is pending.

Yes, the latest generation of firewall and logging technologies can make use of data flows from across the network, but compliance is only achieved when there are rules for analysing all of that data. Compliance and network security personnel can properly adjust and mitigate risk by looking at the data in real time.

Strict network control and access enable auditors to confirm that organizations take proactive steps to govern network traffic. But what does the actual network tell us? If you do not perform log analysis on a regular basis, you cannot verify that compliance has been achieved. "Regular" here does not mean only when an audit is about to occur or has recently been failed.

Myth 5: Real-time visibility is impossible.

Real-time visibility is a requirement in today's global business environment. Because legislative and regulatory changes come so rapidly, cybersecurity and compliance teams need access to data from across the whole network.

Often, that data comes in multiple formats and structures, and compliance reports and certifications become an exercise in data splicing. To verify that network activity complies with rules and policies, security and compliance personnel must become de facto data scientists in order to get answers from an ocean of data. This is a difficult effort.

When implementing new compliance requirements, there is an assurance process in which the access allowed or denied by the new rules is tested against the criteria. How do you know whether a given rule or policy will produce the desired result [actual compliance]? In most organizations, there are neither the people nor the time to evaluate network activity in the context of the compliance standards. By the time the new compliance standards arrive, the data splicing process is still not complete, making it impossible to be confident that compliance has been achieved. No matter how fast you stitch data together, the sheer number of standards leaves your wheels spinning.

Of course, the other side of this dilemma is that these standards do help prevent data breaches. However, while most of your resources are busy testing and rolling out standards, another part of the team is making further changes to the network. This is what physicists call a dynamic system.

Naturally, the response is, "Well, I don't think this can be done." This is wrong. Automated data assembly shortens the time it takes to assess compliance standards and the policies and rules that result from them.
