Training and Certification

Rubel Khan's Blog

Should Maintaining The Accuracy Of IT Certification Be Ongoing?

Posted by Rubel Khan on June 29, 2009

By Dan Morrill
Expert Author
Article Date: 2009-06-04

You are only as safe as the expert opinion you rely on. But then the question is: what if that expert opinion is followed, you are certified, and you still suffer a data breach that costs the company millions of dollars?

Wired's Threat Level blog is running a must-read article for anyone who performs PCI DSS compliance assessments for companies. CardSystems Solutions was hacked in 2004, and although it had passed its CISP audit, it still ended up breached. Most information security environments are fluid and most networks change on a regular basis, yet a CISP audit is expensive and not something companies can afford to repeat every time they slot a new system into place. What is at stake here is the liability auditors carry when they have certified an organization as compliant and it is breached by hackers anyway.

The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway. Source: Wired

You can purchase information security insurance, and over time it will become something every company needs, but this case is in a class of its own: it asks a court to settle who is responsible for the opinion of an expert brought in to certify something as secure. The various meanings of the word "secure", the various ways to interpret even the simplest checklist of standards, and the qualifications of the people doing the audit are all being called into question. Regardless of who prevails, this case is going to alter how we approach compliance with an information security standard, even one that, unlike HIPAA or SOX, does not carry the force of law.

Auditors are just as prone to error as security engineers, and indeed as any person in any role. It is very easy to misconfigure a system and accidentally give a hacker a toehold in a company network, not so much by failing to take security into account as by being rushed or by an error of omission. In these cases, who really is liable, and how will that liability translate into compensation for the wronged party? This is a case that many people need to follow, because it is going to set a precedent, one that will be cited repeatedly in the future to help determine liability for breaches of systems and organizations that have been certified compliant.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

