Full Disclosure mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: John Morrison <john.morrison101 () googlemail com>
Date: Wed, 7 Apr 2010 13:44:50 +0100
That is not really surprising. Regulations are (fairly) clearly defined 'tick box' exercises. They avoid three difficult requirements: identifying what is important and should be protected; identifying what is an acceptable response; and persuading the executive it is worthwhile.

If you have a regulation (like PCI and HIPAA, for example) it defines what should be protected and what is expected as a reasonable response. The weight of the law, or a regulatory authority, that defines fines and even makes CXOs personally responsible quickly gets attention.

The best hope is that with a bit of innovative thinking infosec professionals can implement a programme that covers various regulations, finds synergy between them and properly protects valuable assets. It should then be possible to cover other information assets that are important to the organisation, but not covered by regulations, at only incremental costs.

Personally I think the values created by Forrester are a bit suspect. They don't give any information about the mix of industries and sizes of the enterprises represented in the survey. My assumption is that they are all Forrester customers. This means they are large and they are extremely reliant on information and technology to run their businesses.

On 6 April 2010 07:23, Ivan . <ivanhec () gmail com> wrote:
For those who don't frequent slashdot.......

"Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."

http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
