I’ve always had a problem with compliance, for a very simple reason: compliance is generally a binary state, whereas the real world is not. Nobody wants to hear that you’re a “little bit compliant,” and yet that’s what most of us are.

Compliance surveys generally contain questions like this:

Q. Do you use full disk encryption?

A. Well, that depends. Some of our people are using full disk encryption on their laptops. They probably have that password synched to their Windows password, so I’m not sure how much good encryption would do if the laptops were stolen. We talked about doing full disk encryption on our servers. I think some of the newest ones have it. The rest will be replaced during the next hardware refresh, which I think is scheduled for 2016.

Q. So is that a yes, or a no?

A. Fine, I’ll just say yes.

Or they might ask:

Q. Do you have a process for disabling user access?

A. It depends. We have a process written down in this here filing cabinet, but we don’t know how many of our admins are using it. Then again, it could be a pretty lame process, but if you’re an auditor asking whether we have one, the answer is yes.

Or even:

Q. Do you have a web application firewall?

A. No, I don’t think so. … Oh, we do? That’s news to me. Okay, somewhere we apparently have a WAF. Wait, it’s Palo Alto? Okay, whatever.

Q. Do you test all your applications for vulnerabilities?

A. That depends on what your definitions are of “test,” “applications,” and “vulnerabilities.” Do we test the applications? Yes, using different methods. Does Nessus count? Do we test for all the vulnerabilities? Probably not. How often do we test them? Well, the ones in development get tested before release, unless it’s an emergency fix, in which case we don’t test it. The ones not in development — that we know about — might get tested once every three years. So I’d give that a definite yes.

The state of compliance is both murky and dynamic: anything you say you’re doing right now might change next week. Can you get away with percentages of compliance? Yes, if you have something to count: “83% of our servers are compliant with the patch level requirements.” But for all the rest, you have to decide what the definition of “is” is.

Compliance assessments are really only as good as the assessor and the staff they’re working with, along with the ability to measure objectively, not just answer questions. And I wouldn’t put too much faith in surveys, because whoever is answering them will be motivated to put the best possible spin on the binary answer. It’s easier to say “Yes” with your fingers crossed behind your back, or with a secret caveat, than to have the word “No” out where someone can see it.

In fact, your compliance question could be “Bro, do you even?” and it would probably be as useful.

*** This is a Security Bloggers Network syndicated blog from Idoneous Security authored by Wendy Nather. Read the original post at: