Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Security Regulation & Compliance
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Do security standards make organizations vulnerable?

Do information security standards expose organizations to shared vulnerabilities?

Why do data breaches occur with such frequency? Recent European Commission announcement on reporting of data security breaches is definitely not the first attempt to enforce security compliance it is more of an assurance to general public in the wake of recent data breaches (Sony) and data theft (BofA).

 I am all for standards; easy to adapt, more traceable, simple to supervise, consistency in compliance and a benchmark.  These very advantages are the weaknesses for standards.  A professional hacker can and normally simulates the standards environment and builds a profile of vulnerabilities for an attack. One attack model is sufficient to target all organizations complying with the standards. This situation is alarming.  In addition globalization has flattened the world. It is so extensible that an attack in northern hemisphere can have repercussions in the southern hemisphere. To put it more in perspective firewall secure rules are standards. This translates to standard set vulnerabilities.  When a hacker cracks into one, the template can work in most cases for any other firewall with similar configuration as imposed by the standards. The latency in flow of information (quite a few reasons from human failures to misalignment in technology across regions) has resulted in damage control.

Information security talks about three different types of controls, preventive, detective and corrective.  Preventive controls are the most expensive to implement and in practice can never be all encompassing, A 80% coverage is deemed to be good. A safe organization will need to be very strong on detective and corrective controls. Sony did detect, bit did not correct; the reason for the second attack. By implementing standards a compliant organization is safe ceteris paribus. The vulnerability is in 'ceteris paribus' Security standards in addition to defining the contours for preventive controls, must define strong guidelines for detection and when detected for corrective action.  This unfortunately is left to the regulators.

I am not too sure if the European Commission has only asked for data breach information and penalities if not provided in time or asked for more important information such as what efforts were made to detect and correct the vulnerabilities, followed by ethical hacking tests to prevent recurrence of the incident.

 

4517

Channels

Security Regulation & Compliance
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion

Member since

0

Location

0

More from member

Community
See all blogs »
Fintech 

How innovation in encryption is helping secure the credit card approval process

Ghazi Ben Amor

Ghazi Ben Amor

Operational Risk Management 

DORA – Navigating the EU’s Operational Resilience Landscape

Antony Fung

Antony Fung

Fintech 

The importance of risk management in trading

Kate Leaman

Kate Leaman

Digital Identity Management 

Navigating the digital identity landscape: A blueprint for financial services competitiveness

Adam Preis

Adam Preis

Now hiring

See more