Showing posts with label tjx. Show all posts

Thursday, 24 May 2007

The "maintaining compliance" issue

There’s an interesting discussion over on PCI Compliance Demystified about maintaining compliance after you have initially achieved the “tick in the box”. The discussion is primarily about PCI DSS compliance but could be had about any compliance requirement.

To paraphrase, the question was raised: “how is compliance maintained?” which has developed into a “what’s being done about maintaining compliance?” question.

I find this interesting because when we first started looking at PCI DSS compliance at my company I put more emphasis on the “maintaining compliance” requirement than on the “achieving compliance” requirement. It was a hard sell, and it is not fully accepted as yet.

PCI DSS requires that you achieve compliance and then remain compliant from that point on. If your company suffers a security breach and the card schemes send in investigators, they will not just assess your compliance as it stands when they turn up. They will investigate your state of compliance over the whole period during which the breach was occurring, and even before that, to identify whether a failure to maintain compliance contributed to the breach. If it did, big money fines are on their way.

Take the TJX situation for example. Initially TJX reported that the security breach happened “over a period of a few months at the end of 2006”. After the investigators went in they found that the hack had been ongoing for a period of a couple of years. This being the case, the investigators will be assessing whether TJX was compliant for the whole of that time. From reports, it appears they were not.

My company has accepted the “maintaining compliance” requirement to the extent that they have agreed to completely redesign the payment processing platform, moving from the old legacy system (which was difficult to support and maintain) to a nice shiny new compliant and maintainable platform. Good news. However, the question of compliance management thereafter is still being discussed.

Without a compliance management process in place, the initial achievement of compliance is fairly pointless. Two days after you tick the box, a new member of staff joins and unwittingly blows your achievements away by introducing a new business practice that ignores some fundamental PCI DSS requirement. Worse still are the creeping changes which, in isolation, are perfectly fine and compliant. However, over time, one thing leads to another and bang, a vulnerability slides in which “no one could possibly have foreseen….”

Compliance management is a functional process and requires not only resources but also an agreed corporate approach. Perhaps this is the issue: no one wants the responsibility monkey on their back.

Tuesday, 8 May 2007

Why, oh why, oh wireless…..

OK, so enough of bleating about how bad things are, on to some more topical issues.

This news item on Security Focus amused me. Basically, if true, it appears that a wireless network secured with WEP-only encryption was the access channel for the TJX hackers.

The thing is, I have had discussions with people here about wireless and the levels of protection used and, suffice it to say, I think they could be improved. The arguments against improving it have ranged from “it’s good enough as it is” and “we haven’t got enough resources to change it” through to “well, even if they crack the code they can’t do anything anyway”.

From my previous posts, you will see a theme developing here.

OK, so, how do I use the TJX case to convince the naysayers that improvements are necessary? Well, in the past I would have sent the link with a summary and expected them to understand. That doesn’t work.

So, after a few more days to allow for any further information to come out on this particular aspect, I will send the link, but with a far more descriptive summary, and I will also liken it to our own situation. I will then schedule a meeting with the relevant parties to discuss it.

I also need to have my arguments ready for the “yes but if they get in, they still can’t log on” response which will inevitably come.

As I said, it’s hard to work at this level where absolutely everything needs to be explained but if it’s necessary to make progress, so be it.

I'll let you know how it goes.