Full Disclosure mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: Keith Tomler <ktomler () gmail com>
Date: Wed, 7 Apr 2010 10:24:00 -0400
You say: "...Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found..." BALONEY As an Information Systems Auditor, it seems that if you have a valid finding and a reasonable recommendation, management usually doesn't act on it. However, if you have the same finding and recommendation and then cite a regulation, management is forced to act upon it. I believe that the regulations were drafted in order to force entities into doing what they should have done in the first place. I should not have to cite regulations in order to make sure logs are being reviewed, business recovery plans are drafted and machines are disposed of properly. But people and companies do not do these things, so laws are made in order to force compliance. For example: (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. The regulations are a bit dry, but enlightening nonetheless. http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html On Tue, Apr 6, 2010 at 2:23 AM, Ivan . <ivanhec () gmail com> wrote:
For those who don't frequent slashdot....... "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)." http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Compliance Is Wasted Money, Study Finds Ivan . (Apr 05)
- Re: Compliance Is Wasted Money, Study Finds Bert Knabe (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds John Morrison (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Keith Tomler (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds J Roger (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds J Roger (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Stephen Mullins (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Tracy Reed (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Digital X (Apr 08)
- Re: Compliance Is Wasted Money, Study Finds Tracy Reed (Apr 09)
- Re: Compliance Is Wasted Money, Study Finds Nick FitzGerald (Apr 10)