Compliance doesn’t mean security?

A study performed by the Institute of Internal Auditors titled Does Risk Management Curb Security Incidents? which examined the relationship between risk management and information security, shows that businesses that employ information security risk assessment programs and have comprehensive documented security policy are not likely to suffer fewer security incidents.

However, the survey indicated that organizations that conduct risk assessments are more likely to have a documented policy and implement security awareness measures. “This finding suggests that a systematic implementation of security policy measures should include security awareness.”

The study suggests that the predominant lack of a relationship between security measures and security incidents may be explained by factors outside its scope, i.e. personnel ability (e.g., the skills, knowledge, and abilities of the information technology and security staff), management support for the information security policy, software and hardware equipment, etc.

Well-known security author Richard Bejtlich, in his blog, considers “this focus on ‘controls’ as more of the ‘prevention first and foremost’ strategy that ignores the importance of detection and response”. At the very least, some attention needs to be paid to the detection and response functions. Otherwise, a lot of money will continue to be spent on prevention, and organizations won’t be any more “secure.”

Phil Hollows also posted his comments on this subject: “monitor and correlate your logs, set up your containment and incident response policies, and don’t let your management team think for one minute that a successful compliance audit means that they’re safe”.

This blog is run by the authors of FindProtected.
Prior to developing a security policy, it is essential to analyze your computer or corporate network for valuable resources and sensitive information that must by no means be disclosed. FindProtected is an effective security program that allows you to search your network for password-protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.
