January 2010
January: Cyber breaches, Web 2.0 at Work, Scams, and 2010 is just beginning  
SpartanTec, Inc.
Blame the auditors: What a concept!

I have never thought of this.  After a breach, just blame the auditors.  Wait.  The reason I hadn’t thought of it is because passing a compliance audit IS NOT ASSURANCE OF SECURITY.  But some still don’t get it.

In an interview with CSO’s Bill Brenner, Heartland Payment Systems’ CEO, Robert Carr, blamed his QSA auditors for a recent (huge) breach.  Because they said his organization was PCI compliant, he felt secure.  Wow.  Security by checklist once again.

Rich Mogull, in an open letter to Carr, makes several excellent points about reliance on compliance instead of solid security practices.  He concludes his letter with,

But, based on your prior public statements and this interview, you appear to be shifting the blame to the card companies, your QSA, and the PCI Council. From what’s been released, your organization was breached using known attack techniques that were preventable using well-understood security controls.

As the senior corporate officer for Heartland, that responsibility was yours.

Source: An Open Letter to Robert Carr, CEO of Heartland Payment Systems, Rich Mogull, 12 August 2009

Rich’s letter is a good read, and it should be circulated widely among security professionals and senior executives. 

Among other things, this is another case of an organization falling back on a completed checklist representing compliance with the PCI standard, a bare minimum set of security requirements.  But whether you are HIPAA, GLBA, or PCI compliant, checking off recommended practices doesn't equal security.

Each of us is responsible for placing compliance activities within the proper context: guidelines within a broader security program.  No regulatory or industry standards can protect our critical infrastructure or sensitive data.  Only an aware, thinking human who actually cares about security—and understands how standards apply within his or her unique environment—can do that.

Original URL: http://olzak.wordpress.com/2009/08/13/blame-the-auditors/


Start the Year with Some Extra Cash!
Customer Appreciation
We announced a customer appreciation giveaway at the beginning of October.

SpartanTec, Inc. is planning a great Gift Card Giveaway for our customers. Have you entered for your chance to win?

Contact your Sales Representative today or email us at Sales@SpartanTec.com or visit our website and request information.

SpartanTec, Inc.'s Firewall Service

SpartanTec, Inc.’s Managed Firewall Service provides proactive administration of your firewall infrastructure. SpartanTec, Inc.’s certified security experts will perform all activities necessary to keep these devices operating at peak performance including....


We Guard Your Assets!
http://www.SpartanTec.com

SpartanTec, Inc. provides IT security solutions across all industries, including Educational, State Government and Commercial organizations.

We welcome your inquiries. Contact us via:


Are the budgets shrinking? Has the staff been reduced? Let SpartanTec, Inc. be your partner! With our strategic vendor relationships, we will work hard so that you won’t have to. As your partner, you can expect a reply to your support requests within minutes rather than hours through our monitored email: support@SpartanTec.com.

Expect results from the team at SpartanTec, Inc. as we help ‘Guard Your Assets’.


