Incident response and compliance: A case study of the recent attacks

Recent security related events, including attacks have highlighted the need for a complete Information Security strategy, beyond simply focusing on compliance. Compliance is the minimum set of requirements that an organization should use for measuring security. Because compliance standards such as PCI-DSS (Payment Card Industry-Data Security Standard) focus solely upon credit card data, maintaining only to this minimum standard may cause an organization to lose focus on the big picture. What other sensitive and critical data and systems are you responsible for? This article focuses on the following: PCI standard and reasons to not use a “check-box QSA” to obtain more value during the compliance review; the costs of non-compliance and a data breach; and outlines the lessons learned from the recent attacks starting in December 2010.