Sister CISA CISSP

Apr 20 2010   3:26PM GMT

The Only Way Out is Through



Posted by: Arian Eigen Heald
Tags:
Admins and Auditors
data security

Nobody “likes” government regulations. But imagine what it would be like to live without them. What if there were no banking regulations – who would check to see if my money was safe? The bank?

I’ve worked in banks. The answer would be “no.” Not without oversight. Banks have internal auditors, but a fresh eye can often see something significant. The external regulators come in and check things periodically.

Nobody likes being audited. Auditors look for what’s wrong, and report on that, rather than what’s right. But I can count on my fingers the number of organizations I’ve audited who are working hard and have buy-in from the top to exceed the “Gentleman’s C” of simply being compliant.

Far more organizations seem to be simply covering their tracks or ignoring the issue of protecting the data they’ve acquired due to “costs of implementation.”

Since we seem, as a country, unable to pass a national data-protection law that has teeth, individual states are now passing their own.

Most states are enacting data breach reporting laws; to wit, Mississippi and Washington are the newest. We now have 46 states with such laws. Four to go.

The resulting publicity from frequent data breaches has both good and bad elements: on the one hand it highlights bad company practices; on the other hand, drowning in data breach reports builds in a certain level of public “overkill.”

The far better strategy, in terms of cost and performance, is to acquire best practices and implement them. It’s been proven over and over, but it seems that asking companies to police themselves isn’t working. At all.

Is that good? Not sure, but “It beats snowballs in summer,” as my father-in-law likes to say. Use free tools, make nice with your auditors, use their input to get it out in front of management, don’t resort to FUD (that’s the job the vendors do).
