Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



That is not really surprising. Regulations are (fairly) clearly
defined 'tick box' exercises. They avoid three difficult requirements:
identifying what is important and should be protected; identifying
what is an acceptable response; and persuading the executive it is
worthwhile.

If you have a regulation (like PCI and HIPAA, for example) it defines
what should be protected and what is expected as a reasonable
response. The weight of the law, or a regulatory authority, that
defines fines and even makes CXOs personally responsible quickly gets
attention.

The best hope is that with a bit of innovative thinking infosec
professionals can implement a programme that covers various
regulations, finds synergy between them and properly protects valuable
assets. It should then be possible to cover other information assets
that are important to the organisation, but not covered by
regulations, at only incremental costs.

Personally, I think the values created by Forrester are a bit suspect.
They don't give any information about the mix of industries and sizes
of the enterprises represented in the survey. My assumption is that
they are all Forrester customers. This means they are large and they
are extremely reliant on information and technology to run their
businesses.

On 6 April 2010 07:23, Ivan . <ivanhec@xxxxxxxxx> wrote:
For those who don't frequent slashdot.......

"Enterprises are spending huge amounts of money on compliance programs
related to PCI-DSS, HIPAA and other regulations, but those funds may
be misdirected in light of the priorities of most information security
programs, a new study has found. A paper by Forrester Research,
commissioned by Microsoft and RSA, the security division of EMC, found
that even though corporate intellectual property comprises 62 percent
of a given company's data assets, most of the focus of their security
programs is on compliance with various regulations. The study found
that enterprise security managers know what their companies' true data
assets are, but find that their security programs are driven mainly by
compliance, rather than protection (PDF)."

http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/