Security Audit Vs Maintenance, the Gap is large..Verizon Study

Verizon has recently released the 2015 report on PCI Compliance which has provided some key insights into the current practices in industry. Though on the face of it the report indicated that about 80% of the companies were validated as PCI DSS compliant in internal assessments, the reality  the compliance was not sustained over a period of time. The report highlights the fact that only 28.6% of companies actually maintained their compliance status on all the 12 controls they committed to under the PCI DSS audit. It was therefore not surprising that data breaches detected in 9700 sampled companies, indicated over 43 million security incidents in 2014 showing a compounded annual growth of 66% since 2009 and an increase of 29% over the previous year.

On the positive side, the survey indicated that though the sustainability of compliance dropped off soon after the validation, compliance in 11 of the 12 compliance factors actually saw an improvement with the biggest compliance being in authentication access. The compliance drop was noticed in compliance of  testing procedures.

The study indicated that  “Maintenance of policy addressing security awareness building” within the workforce was one of the neglected aspects of compliance with a measly 4% increase in compliance effort.

The report is an eye opener to organizations that it is not enough if an information security assessment is done at a point of time but there is a need to sustain the compliance as an ongoing practice in the organziation. There is therefore a need to assess the controls that specifically address the “Sustainability” of compliance efforts so that the benefits of an assessment and validation is retained for a longer time. Alternatively, organizations can try if  the internal reassessment schedules may have to be undertaken at more frequent intervals in the hope that this will help in the improvement of the sustainability factor.

Naavi

 

Reference: Article in Computerweekly : Article in neirajones blog

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.