Crushed by Compliance Tyrants

Are you beset by compliance regulations that just don't make sense? Cutting back on important security measures to pay for them? You're not alone. These tips can help protect you from compliance junkies--aka auditors.

By Lisa Vaas
Thu, May 29, 2008
. What's this?

CIO — It was a dark and stormy day. Tornadoes had touched down within 100 miles of the bank's data center. The data center was at the top floor of a tall building. Phil Wherry, a consultant currently serving telecom and healthcare clients, had driven over to the bank that day—a few years ago—to do a gig as security auditor. Wherry got to the facility and started asking the IT people about disaster recovery. "I said, 'You've got this nice data center up on top of this building—what do you do if a tornado takes the roof up?' The guy said, 'We have a backup facility in New Jersey. We have all the equipment necessary to failover bank operations,'" Wherry recalled. OK, Wherry thought. Not bad. "We test it annually," the staffer said. OK, Wherry thought, You've done your homework. "One of these years we hope it works," the bank employee concluded.

MORE ON CIO.com
Your Guide To Good-Enough Compliance
Compliance, Convergence and How IT Fits

You can laugh, but you probably won't if you're one of the many security staffers throughout the land who are subject both to the whims of badly written regulatory compliance rules and to the tyrants—a.k.a. auditors—who have the power to enforce them, often at the expense of actually securing anything at all, as well as at the expense of security budgets that could actually secure something. [Also read Your Guide To Good-Enough Compliance.]

In this case, there was an audit requirement that the bank—which Wherry declined to identify—have an annual failover test. Unfortunately, the requirement didn't require the failover to succeed or that it had to be remediated if it failed. So that's what the bank was doing: testing and hoping it would work. . .someday. [Also read Compliance, Convergence and How IT Fits.]

In the security field, these are the people causing the most damage for CIOs: the "security and compliance people who have no real knowledge about what's needed," says Alan Paller, director of the SANS Institute.

The problem isn't limited to failover tests that don't require success. The problem also encompasses, for example, wasting money on purchasing consultants to write reports that collect dust on a shelf or other budget blunders, Paller says. "You take money out of the budget to buy a report that no one will read because some compliance guy says you have to," he says.

The disconnect between regulations and security has even caught the attention of Capitol Hill. One example: Fisma (Federal Information Security Management Act) compliance is up. The Office of Management and Budget reported that in 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan and 95 percent had tested security controls. The appropriate response: something along the lines of "whoopty do."

Continue Reading

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
White Papers »
Planning Security Budgets: Quantify the Financial Risk of DDoS
DDoS attack severity and sophistication are increasing and enterprise data centers are paying the price. IT security managers - learn how to determine your budget priorities based on security threats to your business operations.
From Transaction to Transformation
Recent research reveals that global enterprises are pursuing advanced operating models and integrating external service centers, third-party resources, and cloud technologies-creating a portfolio that not only reduces cost, but also simplifies access to core business services, improves organizational agility, and drives measurable business value. This approach recognizes that service functions don't just support the business, they can advance it. Read this white paper to learn more.
How Are You Elevating Procurement's Role in Your Enterprise? The Tools and Technologies to Help You Make the Leap - SAPinsider
Innovations are changing the role procurement plays within the enterprise. SAP's Chris Salis, Global Vice President of Procurement Solutions, and Emily Rakowski, Senior Director and Head of Procurement Solutions Marketing discuss how SAP Procurement Solutions are the strategic differentiators of innovation.
The CIO's View: Delivering Time to Value Through Automation
In August 2011, Benny Kirsh was named VP and CIO at Infoblox, an industry-leading developer of network infrastructure automation and control solutions. With more than 25 years of experience, Kirsh is responsible for driving strategic advancements via the company's IT infrastructure and applications.
The Challenges of Controlling & Managing Privileged Accounts
In this Quest white paper, gain a deeper understanding of all the dangers involved with privileged account ("super user") management. Learn to mitigate risks by enabling granular access control and accountability for admin or super user accounts. Read it today.
Bring Your Own Device eGuide
As more and more CIOs are beginning to see significant benefits from letting employees choose the device they use to get their jobs done, the Bring Your Own Device (BYOD) trend is spreading. According to the Computerworld Consumerization of IT Study, about half of the 604 respondents said their organizations allow employees to do work using their own devices either away from the office or at work. Whether these devices are smart phones, tablets, or laptops that are used in the office or while working remotely, companies that embrace this trend are finding their employees are more productive and experience greater job satisfaction. What's more, enterprises can significantly reduce up front costs and allow for flexible work hours by letting employees use their device of choice anytime, from anywhere.
Webcasts »
Introduction to Virtualization
Have you been thinking about what it would take to start using virtualization? Or do you know the basics and want to find out more? No problem. This webcast is designed for anyone with little to no knowledge of virtualization technology. Attend this webcast to learn:

-A basic overview of the business value of the technology and some key capabilities that make virtualization so valuable to IT and the businesses you serve.
-The basics for creating virtual machines and the key choices that can be made along the route to deployment.
Cloud-based Contact Center: Is it Right for Your Business?
View this on demand webcast to learn if moving business communications to the cloud is right for your business. Featured industry experts DMG Consulting LLC president, Donna Fluss, Frost & Sullivan principal analyst, Michael DeSalles, and Interactive Intelligence senior vice president, Joe Staples discuss this topic and help you answer your pressing questions at the conclusion of this web event.
Must have Tools and Techniques to Optimize the Sales Pipeline and Win more Deals
In this webcast, Vantage Point Performance's Michelle Vazzana will reveal how to coach your reps to better performing pipelines.
Sales Effectiveness in the New Sales Paradigm - A Webcast Featuring the Latest Forrester Research Study
In this webcast produced by the Sales Management Association (SMA), Forrester's Scott Santucci will explore the new sales paradigm and discuss how businesses must transform their selling models into dynamic, communications-intensive systems, empowering individual sellers to define, create and deliver value to customers.
SAP Sales OnDemand Demo: Quick Overview
SAP Sales OnDemand is intuitive, leveraging social collaboration capabilities you already know how to use. It enables fast, effective team collaboration and account management to help you sell more effectively. Watch the video to see how!
How To Build A World Class Records Management System With SharePoint Records Center
Many organizations are using SharePoint Records Center as their records solution, but with minor tweaks it can be turned into a world class records management system.
Join this webinar and learn:

-How SharePoint can be used for effective records management
-The limitations of basic SharePoint Records Management
-How to work around the limitations effectively
-How a federal agency deployed SharePoint Records management to manage its records
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  11. View all Newsletters | Privacy Policy
White Papers » All White Papers

Planning Security Budgets: Quantify the Financial Risk of DDoS

From Transaction to Transformation

How Are You Elevating Procurement's Role in Your Enterprise? The Tools and Technologies to Help You Make the Leap - SAPinsider

The CIO's View: Delivering Time to Value Through Automation

The Challenges of Controlling & Managing Privileged Accounts

Bring Your Own Device eGuide

Measuring the Business Value of CI in the Data Center

The CFO Guide to Budgeting Software

Better Cash Flow Management: Recession-Proof Your Business

Centage/IOMA Budgeting Survey: Benchmarks and Issues

Case Study: Audi-Volkswagen Improves Procurement Control

AIIM Market Intelligence: The paper-free office, dream or reality?

Discover Options for Improving Supplier and Customer Integration

How much security do you really need?

How to Justify the Cost of a TMS by Automating Freight Audit & Payment

Message Maps: Blueprints for Pandemic Preparedness

Broker-Dealer Case Study: Reduced Compliance Burden with Perimeter's Message Archive

Comparing Free Trial and Freemium Models

CSO Insights: Improving Sales Effectiveness In a Buyer's Market

Creating New Business Models Where Digital Meets Physical
Sponsored Links

High performance. Delivered. Click to see Accenture's client successes

Choose New and manage one device instead of 170

Choose New for 8x the firewall and NAT performance

Check out a smart way of mobilizing your business with enterprise-ready Samsung Mobile.

Redefine your data center with HP servers.

Enhance your business with Windstream IT Solutions. Speak to someone local.

BlackBerry® Mobile Fusion. Different mobile devices. One platform.

Akamai Kona Security. Web security so you can innovate fearlessly

CYBERMARYLAND | Learn Why Maryland is the Epicenter for Cybersecurity

Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class

Cognizant. Leading in Business, Application & Technology Services

Collaboration: driving better business outcomes

Managed Hosting Buyer's Guide - Benefits to key considerations

Click to see how Accenture has delivered high performance to clients

Learn how Accenture helps clients become high-performing businesses.

Click to see how Accenture has delivered high performance to clients

Choose New and slash the number of devices you manage

Customized information views & Twitter events at New Fulcrum Point

Splunk translates machine data into "aha" moments for IT and the business.

ManageEngine Desktop Central - Automate and Audit Your Desktop Management! Learn More...

Cloud Readiness Starts with Intel® Technology

Visit the Virtually There Learning Page to learn how to use virtualization to your competitive advantage.

Learn how Accenture helps clients become high-performing businesses

Free: Hunter Muller's "The Transformational CIO."

Join us for an upcoming Microsoft 365 live online demo event.

Discover your easiest path to unified communications

Virtualizing Your Infrastructure Just Got Easier

Gain cutting-edge insights at MIT in 2-5 day executive programs.

See how Accenture helps clients perform at the highest levels

Connect with global CIOs now at Enterprise CIO Forum

Resource Center
buy a link »
Ads by TechWords