What Comes First: Security or Compliance?

I am sometimes asked to clarify whether PowerTech is a security company or a compliance company. I also sometimes read comments from industry experts criticizing organizations for wasting time, effort, and money on compliance solutions without ever really becoming secure. Well, before I can weigh in on that argument, we have to discuss the basic difference between “security” and “compliance.”

Security is the act of creating a defense to prevent something from being attacked or injured. In the IT world, this usually pertains to preventing unauthorized access to computer servers and, more importantly, to the application data that resides on them. For most businesses, the value of the technology infrastructure is found in the application data, as hardware can be replaced relatively easily. Data is usually our primary intellectual property, for example: our customer information, order history, vendor data, employee information, and credit card transactions. Securing the data asset is necessary to prevent damage—both accidental and malicious—to ensure that the data remains the property of the organization that owns it, and to allow it to add value to the business operations.

Although obviously tied to security, compliance is simply the adherence (and proof of adherence) to a set of baseline standards and procedures. While you can be secure without being compliant, and even be compliant without truly being secure, the terms are often used interchangeably. When I consult with PowerTech customers, I am usually asked to help achieve compliance, often with Sarbanes-Oxley or the payment card industry’s PCI-DSS standard. However, sometimes it is a worthwhile investment of time and money to set the compliance objective aside and simply review how secure you actually are.

Unfortunately (or thankfully, depending on your perspective!), it is not difficult to satisfy an auditor during an IBM i audit, because many of them really are not trained in auditing the i platform. While this sometimes leads to answering questions that don’t really pertain to us, it also means that we can potentially talk our way out of a compliance violation. Getting the auditors off our backs may seem advantageous in the short term, but it may be doing the organization a huge disservice in the long term.

One of the challenges is to educate customers that security is NOT a destination, but more of a journey. You can never really be 100% secure. New threats make security a continuously moving target, but regular compliance checks can help the server remain as secure as possible by assessing the likelihood of those threats and the vulnerabilities that would expose you to them. In order to do that, however, we have to accept a valid set of standards as our baseline.

So, back to our original question: Is PowerTech a security or a compliance company? Well, I say that we provide solutions that can align with both security and compliance objectives. Network Security’s access control facility and Authority Broker’s restriction on powerful users are both designed to provide tangible value to an organization’s security defenses. Compliance Monitor, a compliance tool per se, provides visibility into the security audit journal to enable security officers to respond in a more timely manner to possible intrusion events. These tools can also help satisfy common compliance criteria. For example, Network Security can satisfy a compliance requirement such as “audit and control access for network-initiated activities,” and Compliance Monitor can generate compliance scorecards that compare the security policy to current settings.

In summary, I am a proponent of working to secure a system and its data from common and known vulnerabilities first. This typically involves an audit of configuration and procedures against best practices, and the creation and maintenance of a detailed security policy. Once you do that, you can work to secure your environment using the policy as your guideline. Then you can “simply” monitor for ongoing compliance with your objectives and standards. PowerTech can help you navigate through the entire project cycle!

Have a wonderful week!

- rt