Simply purchasing a "compliant" piece of technology does not make you compliant. Some companies even advertise their products as PCI or HIPAA compliant. This is a dishonest statement, as it gives the purchaser a false sense of security. As with all regulations, the legislation or rules do not dictate specific technologies or practices; rather, they state the desired outcome. It is true that we need key products in place to meet compliance obligations, but it is what we do with those products that makes us secure. For example, I could sell you two top-of-the-line WatchGuard firewalls. As part of the process I explain that they have web blocking and spam filtering built right in, which meets your needs. Great, right? Yes, if your IT department configures them correctly.
And how should they be configured? The configuration should be based on your company's procedures and guidelines. These procedures need to be laid out clearly, and by someone with experience in the industry. Too often companies write procedures based on the IT department's recommendations and not with the guidance of a security assessor.
Thank you to WatchGuard for reminding us all of this recently in Seattle.