Thursday, September 20, 2007

The Hen House Has a Fox Guarding It!

I've been seeing these interesting issues crop up lately and it's bugging me, so I've decided to write about it. Well, OK, not so much write but more rant a little bit. Hey - everyone needs to vent sometimes.

What I'm particularly miffed about is this idea of self-assessments for policy policing. Here's a scenario-

Company A is PCI certified (yes, I'm beating the PCI horse again because it's so easy...) and demands that all its partners and vendors be the same. This is fine, and quite honestly very responsible. The problem is in the execution. Normally - when I want to validate something, I go do it, or pay someone to do it for me if I'm too busy. [This is where self-assessments drive me nuts.] Company A now sends a requirement to Partner B to be compliant with whatever PCI regulations exist, and sends along this questionnaire for Partner B to self-assess their company against requirements.

This drives me insane because I've seen time after time requirements be "creatively answered"... let me explain. A requirement may be that all PII (personally identifiable information) is encrypted while at rest. To me that means database encryption, and encryption anywhere data "sits" at rest. Partner B looks at their network and says to themselves, "Gee, we don't encrypt databases 100%, but yea, sure, we encrypt flat files and most of our databases, so sure, check!" Now, if I've got someone auditing Partner B, they fail. If Partner B self-assesses and checks the box, no one is there to call them on it.

But what's the problem, you say? The ownership of a breach lies squarely on Partner B when someone breaks into their systems and steals tons of data, right? This is where you pull out your piece of paper that they self-assessed and say "but they said they were compliant!" That's nice in the legal world - but in the court of public opinion you're no less screwed then you would be if this was a gaff on your own part.

Self-assessments are a joke because there are so many times I've seen (and a few times I've been asked to participate in) "creative answers" to these self-assessment questions. When an auditor shows up it's black or white - you're either compliant or you're not. Of course, the topic of auditor subjectivity is another rant for another day.

My point is this folks, if you're serious about the security of your partners, don't ask them to fill out questionnaires and assume they're being honest with you. People lie. And it gets worse when a company is less-than-prepared to do business on a high-security plane and is presented with a big opportunity. They will lie to you. Don't trust them. Have we lost this mentality? What happened to trust but verify?

Keeping a paranoid mentality, and assuming human nature holds and people lie will save your assets, and just maybe it'll save that nice space on the front and center of the Wall Street Journal for your competitor.

Good luck.

1 comment:

Anonymous said...

Lets not forget a few key issues. Since PCI was brought up, its worth remembering that the PCI process requires all services providers to undergo an audit using third party, accredited audit personnel.
This way, the service provider and potential business partners can use the certification in a level playing field - everyone nows the requirements were the same, and the audit process should be reasonably consistent regardless of provider.

Perhaps its a failing of many compliance processes that few expect such consistency of process, specific requirements and outcome.