We are PCI Certified!  How did we get hacked?!?!?

We have a 1 on our FFIEC exam and still had this data breach?

There were no exceptions on their SOC report, but our vendor still had a compromise?

 

At Vala Secure, we have heard these comments and questions time and time again.  You have definitely heard them in the news.  Entities from big box retailers to government agencies to mom and pop shops have received glowing compliance or security audit results, just to be in the news for a data breach next week.  That is because just because you are compliant doesn't mean you are secure.  Here are some examples of what I'm talking about:

 

Bank XYZ has an exam from their regulators and receives a 1 with only minor policy revision recommendations.  The Board and executives pat everyone on the back and we all move on with our days.  Next week a loan officer quits and takes over 4GB of data with him to his new job via USB and emails to himself.  Now the bank is down a staff member, he is taking some of their business AND the bank has a data incident to deal with!  Instead of examiners focusing on policies and procedures, if they would've focused on the actual controls in place (such as restricting USB's and content filtering to restrict personal email) Bank XYZ wouldn't be in this mess. 

 

Vendor 456 has a SOC 2 report and is issued with No Exceptions.  YAY!  The SOC audit firm and vendor staff go have a margarita and call it a day.  The SOC report is distributed to clients as a part of vendor management due diligence packages and none of their clients press them on controls because of such a good review.  

 

Next month, clients receive a letter from their vendor stating they have had a breach and their data has more than likely been compromised.  Surprise!  Unfortunately, the SOC report only covered their Orlando, Florida and Lubbock, Texas data centers not the data center that was compromised in Olympia, Washington.  Yes, the vendor should've had better controls in place AND included all their data centers in the SOC review, but the clients should've read the report to ensure it included all their sites or request to operate out of a site that is included in controls review. 

 

Finally, there is a Company in New York who has the best Business Continuity Plan.  This plan covers hurricanes, floods, power outages, internet downtime and the zombie apocalypse.  It makes a nice big 'thud' on the table when shown off to the Board of Directors and regulators and never gets criticized because of its thoroughness.  Here is the downside, the document says the company can recover from any disaster in 1 week.  Tests are conducted to validate the 7 day RTO.  Well, there is massive flooding and the company fails over to another data center and is fully recovered in 5 days.  Yay!  They beat their RTO by 48 hours.  Woohoo!!!    

 

So, compliance isn't security!  And make sure everyone in your company understands that the next time you hear, 'We are fine, we had a successful Audit and passed our SOC test".