Sep 29 2008
I really liked Bill Sieglein's article IT Security: Can We Be Compliant and Yet Insecure? Of course we can; it happens all the time. If you treat your compliance measures as check boxes, there will always be the potential for something unique to your environment to be overlooked, or for something the assessor/auditor didn't understand. The list of ways you can be compliant and still insecure goes on, but it's some of the answers Bill comes up with that matter. He lays out five simple steps toward getting your company compliant through security rather than the other way around. Of course, if it were that simple, wouldn't we all be doing it already?
I like to think of PCI as a baseline for security, not the ultimate goal.