Last week I wrote a “Tales from the PCI Crypt” blog article about the findings of iScan Online that many of the merchants they scanned had credit card data contained in their email files. The fallout from that was that many organizations only worry about what is in their “audit zone”. What is the audit zone? It is those devices and those parts of your IT infrastructure that are subject to regulatory compliance or other types of audit. It may also include your policies and processes that are subject to audit.
A popular strategy for dealing with compliance audits, especially in the mid-market, has been to move as much as possible “outside the scope” of the audit. In PCI, for instance, if a device is not involved in recording, storing or transmitting cardholder data, it is usually not subject to a QSA or other type of PCI audit. But as my friends at iScan Online found out, that is not necessarily the case. Technically, because these devices do hold cardholder data, they are subject to PCI audit; yet when the auditor asks, they are usually excluded because they don’t “touch” the cardholder data environment. In fact they do!
A bigger issue, though, is that most organizations, especially in the mid-market, seek to do as little as possible to pass compliance. Compliance becomes a substitute for being secure. In the iScan Online case, for instance, it was more important to say that salespersons’ cell phones and tablets are not part of the cardholder data environment, so that they were “outside the scope” of PCI. But it turns out those devices were vulnerable and had card data on them. A breach of those devices would not only have PCI consequences; it could have more dire consequences for the bottom line. For instance, according to several breach reports, the average cost of a lost record is between 200 and 300 dollars, and the average breach loses a few thousand records. Do the math. That is enough to crater many smaller and midsize companies.
As we are seeing in many IBM Midmarket highlights, such as this one on the Huffington Post, small and medium businesses are moving more and more to mobile phones and tablets. If anyone thinks moving to mobile moves these devices outside of the audit zone, they are mistaken. Even if they are not being audited, they represent security risks that must be addressed. You need a strategy for the devices outside of your audit zone.
A successful strategy has to go outside of the audit zone. You need to look at your real security and risk factors. Don’t be fooled into thinking that minimizing your audit profile minimizes your risk. In fact, it could be just the opposite: minimizing your audit profile could come at the expense of increasing your risk.
This dilemma is the result of the compliance-at-all-costs mentality that has ruled infosec these past years. Checkbox security for compliance’s sake alone gives us a false sense of security. It does more harm than good. So next time you are looking at a compliance audit, try to think outside the audit zone and do what is best for the security and risk posture of your organization.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.