IT Compliance Institute, October 4, 2005:

Expert Q&A

Learning from CardSystems: Compliance Doesn’t Equal Security

CardSystems blamed a shoddy audit for its 40-million-record data loss. But the auditor claimed the breached systems were beyond its scope. Who was right? Who was to blame? What can be learned from the argument?

By Mathew Schwartz

Compliance doesn’t equal security; security doesn’t equal compliance. Security managers worldwide know this. Based on the number of data-loss incidents this year, however, it appears the message isn't reaching boardrooms.

Organizations—including, recently, CardSystems and Citigroup—have suffered massive data losses, despite clean Sarbanes-Oxley audits. Following a data breach at CardSystems that exposed at least 40 million customer records, the company blamed its auditors. It cited a clean CISP audit 17 months prior to the incident. In defense, the auditor, Cable and Wireless, stated that it had been retained to audit payment systems. Separate systems that housed customer transactional data—of which the compromised system was one—were beyond its purview.

Who was right? Who was culpable? To discuss the gap in perception, ITCi spoke with Phil Hollows, vice president of security products for OpenService, a security information management provider.

Have organizations forgotten that being compliant doesn’t ensure they’re secure, and vice versa?

In the IT security industry, the folks on the front lines don’t make that mistake, but I think the danger these days is in the executive suites. The focus is so much on investing [just] to pass compliance guidelines.

The danger then is that those who are not security experts believe that passing a security compliance audit means they’re secure. The example for that comes from earlier this year, with CardSystems, which put 40 million credit cards at risk. Or Citigroup, which had an issue with one of its backup services, which lost a backup [tape]. Now, Citigroup was compliant; they’re covered by a number of regulations.

Wasn’t CardSystems also compliant with the PCI standard?

The CardSystems CEO stated that he’d passed … a Cable and Wireless audit for PCI, and what they were doing seemed to be okay. But they were storing the credit card information, they hadn’t patched their systems—which is also a requirement of PCI—and I don’t believe they used non-production data [for testing and development]. So the auditor either missed something, or CardSystems instituted bad practices right after the audit.

But do you see where this is going? 'My auditors said it was okay, so we’re okay,' goes the logic. Doesn’t this sound eerily reminiscent of the excuses that showed up during the accounting scandals a few years back?

What should regulated organizations learn from the CardSystems incident?

That the risk is seeing compliance as the end goal rather than just a milestone. Compliance is meant to encourage best practices—not just in IT but all around—and getting compliant only means you satisfy however the auditor interprets the current set of guidelines, which may not be applicable, depending upon when they’re drawn up. They need regular review and to be redone as necessary.

It’s also important from a security perspective for IT security professionals to be an integral part of the compliance processes, and to help focus IT security initiatives. Because you can use compliance to help reduce corporate risk and increase IT security by using it strategically, rather than just as an annual event that has to be gone through.

Do industry standards and audits help improve organizations’ security?

Don’t rely on them. A standard written last year doesn’t necessarily reflect current best practices. … [Similarly,] an audit is a snapshot: it’s a one-off event. There’s plenty of time for things to go badly wrong until the next audit. And compliance standards tend to be written with a backwards look—using current technology to look at previous threats—because you can’t anticipate future risks. …

Standards tend to be static. Whereas, as security experts, we know the exploits used against us are very dynamic, change quickly, take advantage of new vulnerabilities discovered with incredible speed. And that you need to have a very progressive approach to monitoring.

Do standards at least motivate executives?

Motivate is maybe too strong a word. It really depends upon the impact of non-compliance. Sarbanes-Oxley is meaningless unless a company is public, and unless we see enforcement. And the government lost the Scrushy [case]—the former CEO of [HealthSouth]. He walked.

Are private-industry regulations, such as PCI, potentially more effective than government versions?

One of the interesting aspects of private industry compliance initiatives is they have more flexibility with how they enforce them. For the credit-card-compliance-overview organizations, which are interesting because they’re owned by the member banks, their number-one goal is to preserve the brand and the trust that brand has in the mind of the consumer. Because if you don’t trust Brand X, you can just reach into your wallet and grab another card. So they’ve understood and recognized early on that security and transactions are a huge risk … and the last thing they want is people going back to cash.

So here we have capitalism in action: We will protect our brand; therefore, we will have security and standards to ensure people will trust it and its security.

With CardSystems, it’s ironic because MasterCard discovered the problem through an avalanche of fraud reports from member banks, and ultimately CardSystems ended up in front of Congress through the enforcement of the standards and policies of MasterCard. And that’s a good thing. I’m a fan of standards so long as they have teeth, and when you break them, they have teeth. And it is a cost of doing business.

So what kinds of regulations will actually drive organizations to improve their security?

From a compliance standpoint, effective, timely, complete disclosure is the core missing element that will actually drive compliance with existing standards and make security a strategic consideration for organizations instead of a necessary evil. And you can use that as a competitive weapon. I have to believe CardSystems’ competitors are using that as a competitive tool. It’s an easy differentiator.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.