Re: Compliance Is Wasted Money, Study Finds

[Keith Tomler <ktomler () gmail com>]

You say:

"...Enterprises are spending huge amounts of money on compliance
programs related to PCI-DSS, HIPAA and other regulations, but those
funds may be misdirected in light of the priorities of most
information security programs, a new study has found..."

BALONEY

As an Information Systems Auditor, it seems that if you have a valid
finding and a reasonable recommendation, management usually doesn't
act on it.

However, if you have the same finding and recommendation and then cite
a regulation, management is forced to act upon it.

I believe that the regulations were drafted in order to force entities
into doing what they should have done in the first place.

I should not have to cite regulations in order to make sure logs are
being reviewed, business recovery plans are drafted and machines are
disposed of properly.  But people and companies do not do these
things, so laws are made in order to force compliance.

For example:

(D) Information system activity review (Required). Implement
procedures to regularly review records of information system activity,
such as audit logs, access reports, and security incident tracking
reports.

(7)(i) Standard: Contingency plan. Establish (and implement as needed)
policies and procedures for responding to an emergency or other
occurrence (for example, fire, vandalism, system failure, and natural
disaster) that damages systems that contain electronic protected
health information.

(i) Disposal (Required). Implement policies and procedures to address
the final disposition of electronic protected health information,
and/or the hardware or electronic media on which it is stored.

The regulations are a bit dry, but enlightening nonetheless.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html



On Tue, Apr 6, 2010 at 2:23 AM, Ivan . <ivanhec () gmail com> wrote:
> For those who don't frequent slashdot.......
>
> "Enterprises are spending huge amounts of money on compliance programs
> related to PCI-DSS, HIPAA and other regulations, but those funds may
> be misdirected in light of the priorities of most information security
> programs, a new study has found. A paper by Forrester Research,
> commissioned by Microsoft and RSA, the security division of EMC, found
> that even though corporate intellectual property comprises 62 percent
> of a given company's data assets, most of the focus of their security
> programs is on compliance with various regulations. The study found
> that enterprise security managers know what their companies' true data
> assets are, but find that their security programs are driven mainly by
> compliance, rather than protection (PDF)."
>
> http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/