There’s plenty to be said about these two buzzwords. But in short: compliance is about following the advice of your industry’s experts to meet legal and operational requirements. Security is the practice of keeping what’s secret and valuable out of the hands of those who shouldn’t have it.

How Compliance Officers Think

SAS-70. SSAE-16. PCI-DSS. DFARS and NIST 800-171. It’s these and other acronyms that keep business leaders up at night. They wonder if they are meeting the requirements. How would they know? And what happens if they’re hit with an audit?

The open secret of compliance is that standards organizations and auditors are normal people, and they expect you to be too. What they want to see is progress, not perfection. (Although sure, perfection would be great.) They want your quarterly security scans to have decreasing vulnerabilities. They want your penetration tests to have fewer problems each cycle. They want to see your incident reports and resolutions after things go wrong. They are looking for improvement, because improvement means you’re working on it.

And to be clear, that’s never going to be flawless. You’re always going to be growing and expanding, adding new systems as you plug old security holes and retire old systems.

And of course, threats are evolving at the same time. There will be new zero-day exploits and new phishing scams.

The Levels of Locking

Everyone is familiar with locks. They are on car doors, tool boxes, and backyard fences. A good security exercise is to review the five levels of locking, and identify which you’re using to keep something secure.

Level 0: Warning Lock

The lowest form of a lock isn’t a lock at all: it’s a sign saying “keep out” or “danger” or “authorized personnel only.” A Level 0 lock exists for guidance and liability. It tells people where they aren’t supposed to go, and makes them liable if they go there anyway.

Level 1: Soft Lock

When there is a latch, a release, or a button—but nothing else—that’s a soft lock. The only role of this device is to make the operator confirm that they want to move forward. When your computer asks “Are you sure Y/N?” that’s a soft lock. The choice is important, and you have to actively make it.

Level 2: Code Lock

Use a combination to gain access? It’s a code lock. These are more secure because you must have the password to gain access, but the password can be easily shared with anyone.

Level 3: Key Lock

As the name states, these locks require keys. You can duplicate the key, but that’s much more work than sharing a password. Only people with the key can get in.

Level 4: Multi-Factor Lock

If you need two or more different types of authentication mechanism to get in, each type is a factor. These locks are the most secure because giving someone else access takes the most work.

