
Should Maintaining The Accuracy Of IT Certification Be Ongoing?

Posted by Dan Morrill

You are only as safe as your expert's opinion. But then the question becomes: what if the expert's opinion is followed, you are certified, and you still suffer a data breach that costs the company millions of dollars?

Wired's Threat Level blog is running a must-read article for anyone who does PCI DSS assessments for companies. CardSystems Solutions was hacked in 2004, and although it had passed its CISP audit (Visa's Cardholder Information Security Program, the predecessor to PCI DSS), it still ended up breached. Most information security environments are fluid, and most networks change on a regular basis, but a CISP or PCI audit is expensive and not something companies can afford to repeat every time they slot a new system into place. What is at stake here is the liability auditors carry when they have certified an organization as compliant and it is breached anyway.

The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway. Source: Wired

While you can purchase information security insurance, and over time it will become something any company needs, this case is in a class of its own: it is trying to settle, as a matter of law, who is responsible for the opinion of an expert brought in to certify something as secure. The various meanings of the word "secure", the various ways to interpret even the simplest checklist of standards, and the qualifications of the people doing the audit are all being called into question. Regardless of who prevails, this case is going to alter how we approach compliance with an information security regulation, even one that, unlike HIPAA or SOX, does not have the force of law.

Auditors are just as prone to error as security engineers, or indeed anyone in any role. It is very easy to misconfigure a system and accidentally give an attacker a toehold in a company network, not so much by failing to take security into account as by being rushed or by an error of omission. In such cases, who is really liable, and how will that liability translate into compensation for the wronged party? This is a case that many people should be following, because it is going to set a precedent, one that will be cited repeatedly in the future to help determine liability for breaches of systems and organizations that have been certified compliant.

About the Author: Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.

ITCertificationNews is an iEntry Network ® publication - 1998-2009 All Rights Reserved Privacy Policy and Legal