Digging through my e-mail, I came across some analysis by Shavlik that summarized the company’s findings of polls conducted in April at the RSA Conference and Infosecurity Europe.
Shavlik makes security, compliance and update tools aimed primarily at Windows systems, so unsurprisingly, the poll results showed a need for the company’s products. Even so, the conclusions of the analysis coincide with a position that I’ve advocated for some time: that a well-managed network is the foundation of a secure network.
The survey analysis supplied by Mark Shavlik, CEO of Shavlik Technologies, highlighted that “Companies are increasingly recognizing the need to automate operations in order to streamline compliance as an ongoing business process. But too many organizations still don’t have a standard approach, which leaves gaps in their security infrastructure … solutions that simplify, automate, and provide better control over security and compliance management.”
The survey of 491 conference attendees found that just over 75 percent were either concerned or highly concerned about compliance with specific mandates such as PCI DSS (Payment Card Industry Data Security Standard), ISO 27002 or the Sarbanes-Oxley Act.
You can tune in to a Ziff Davis Enterprise security virtual tradeshow on June 24 to hear me talk a little more about compliance and security. You will likely be more interested in my remarks if you are working in IT for an organization that is not highly regulated, for example, retail or a non-financial service. That is because retailers are feeling the pinch of PCI compliance, many for the first time. I’ll provide some pointers on how to approach a PCI compliance project and give suggestions on how to make the process efficient.
Getting back to the survey results, I’m not sure I’d lump PCI DSS in with ISO 27002 and certainly not with SarbOx. PCI DSS is still fairly new, very technically specific and not a real “regulation” in the sense of having the force of law. (PCI has something better than law: it has the power to deny credit card processing or, even better, to escalate card processing charges.) SarbOx has been around since 2002, is vaguely defined (from a technology point of view), is highly systematized by the professional auditors and is a true regulation with a legislative mandate. So, I bet the “concern” numbers cited above are a bit skewed by the PCI newbies.
With that said, it is interesting to take a look at the survey results to see if your concerns match up with Shavlik’s findings.