Tuesday, October 13, 2009

The Detrimental Effects of Compliance Auditing on the Security of Small Business

Many argue that regulatory compliance with PCI, SOX, MA 201 CMR 17.00, and others helps establish the minimum baseline for security in organizations. I think the point may be valid in organizations that initially had little to no security, but I would argue that it has the opposite effect on a company that already has the basics and beyond covered. To be specific, smaller companies which have one or two security professionals running the gamut from configuring Group Policy to writing policies and procedures are often already overwhelmed (note that I fit into this category). Such professionals may quickly find themselves concentrating on outdated, incomplete regulations and laws rather than on reducing the risk of data loss by keeping up with current attack vectors, vulnerabilities, patches, and system logs.

I recently had a discussion with some colleagues on the subject of extending the compliance auditing of SaaS providers to include data beyond financial or personally identifiable information. Initially it sounds like a valid and justifiable cause. But what is the end game? If it is mountains of one-hundred-page SAS 70 reports with no regulation or law behind them, then it might be a worthy cause. But stacks of paper may show nothing about the security of the data being stored by the provider and will certainly distract from other effective methods of reducing risk. Honestly, if I could spend some time shooting the shit with the solution provider's security team about current security trends and attack vectors, I would probably have a more accurate assessment of their ability to secure the data.

I am not suggesting we ignore current laws or regulations. We have an obligation to follow them. I am also not suggesting we skip reviewing the hosted solutions that outside vendors provide for non-regulated data. I do believe, however, that the review process should not mimic compliance audits. The time spent during the review process should match the amount of risk involved and the assurance we gain from the security review. If the security of such data is absolutely crucial, one might consider not storing the data there in the first place.
