There are many reasons people invest in security. The best reason is having the desire to avoid being breached however sometimes wanting the best security doesn’t justify the investment. Many decision makers have to juggle improving the infrastructure, investing in the latest flashy technology such as high end video, etc. along with keeping things secure. Usually the flashy stuff outshines security until something with teeth forces the focus back on security. A prime example is meeting mandated regulatory compliance. Being out of compliant to many regulations could mean pricy fines as well as possibly litigation actions. This is good news for the IT guy that wants to get his security budget requests placed at the top of the stack.
To help meet regulatory compliance, Cisco has released validated design guides for general security as well as specific market verticals FOUND HERE.These guides include best practice to meet PCI DSS 3.0, HIPAA and FISMA, which all are required by law. For those unfamiliar with these three, PCI focuses on retail meaning anything that touches financial transactions (I posted about PCI HERE). HIPAA focuses on security for patient data in the healthcare market segment. FISMA is a a security standard mandated for federal government networks. Typically customers are audited to meet specific baselines, which these validated designs can help provide guidance on how to exceed those expectations.
My personal thought on regulatory compliance is it should be considered a minimal baseline and not your end goal. The reason why is compliance regulations are usually dated due to the time and effort needed to publish and edit things. Technology changes at a rapid pace and the techniques used by attackers are continuously adapting to defense measures so the expectation should be that being compliant for any mandated regulation is good enough for old attacks. Leverage compliancy as a way to justify budget to invest in security as well as avoiding legal ramifications however focus on going beyond such requirements for your security standards. Don’t get a false sense of safety from meeting regulatory compliance or you will get compromised.
Hopefully these reference architectures will help!
Related posts:
Splunk Cisco Security App – Expanding Cisco Security With Centralized Reporting and Multi-Vendor Alerting
Defending Against Google Hacking : Know What Can Be Found On Search Engines
Cisco ISE helps achieve at least half of SANS 20 Critical Security Controls
Cisco Anyconnect 4.0 – Whats New – Why Consider – Free Migrations