Risk // Compliance
6/25/2013
11:18 AM
50%
50%

Ignoring Compliance Is A Real Option

Security and compliance are commonly deferred by choice

Life is full of choices. Lots of choices. We even have choices we don't recognize as available. Business is the same way.

For instance, did you know that both compliance and security are optional for your business? They are choices. Every day your business makes choices about how much effort, if any, it will make toward meeting compliance requirements or securing its assets, for both the physical facilities and its information assets.

"But wait, Glenn! Compliance is REQUIRED of businesses in my industry." OK, but let's be honest and clear: Compliance to laws and regulation may be legally required, but that does not mean your organization and others in your industry have actually chosen to fully embrace every legal requirement.

I bet you could tell me right now three ways your organization falls short of compliance. And you can probably also tell me how others in your industry, working under the same compliance requirements, fall short in even more ways.

If compliance were an actual requirement, like oxygen is to our bodies, then your organization would quickly fail or be closed for noncompliance. Compliance failure sometimes results in business failure, but more often businesses are noncompliant to some extent and continue to operate. They survive, perhaps even thrive, without meeting all legal requirements. The multitude of ambiguities in many laws and regulations only complicate the matter, and many companies consider themselves compliant only by embracing loose interpretations.

Your organization is probably like most. Compliance as a whole is considered a requirement, but the details of compliance are broken down into many smaller elements that are considered optional. Your company's employees choose some areas to bring into strict compliance and others to skimp on. Most organizations want to follow the rules of law and regulations of their industries, and most make a reasonable effort to do so. While the letter of the law may be subject to interpretation, and penalties have different weights, most businesses generally make choices to keep them within at least the spirit of the rules.

Unfortunately, too many businesses, however good their stated intentions, choose to treat compliance as a series of costly add-on projects, rather than the routine behaviors and processes that create true compliance. This misguided attitude often leads them to attempt to cut corners that are usually more costly in the long run, sometimes even costing them their businesses.

The best companies are those that recognize the choices, evaluate them in advance, and then choose how to most efficiently incorporate actions into their processes that make them as compliant as possible.

Glenn S. Phillips hopes you choose wisely. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon8122448976
50%
50%
anon8122448976,
User Rank: Apprentice
10/9/2013 | 6:17:33 AM
re: Ignoring Compliance Is A Real Option
Management in most companies is sooooo arrogant. Compliance is a luxury
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
6/27/2013 | 4:48:46 PM
re: Ignoring Compliance Is A Real Option
When it really comes down to it, an organization that embraces and enforces well defined security practices as core to their organizational objectives will find that compliance isn't that far out of reach, if they aren't already there.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
6/26/2013 | 4:23:24 PM
re: Ignoring Compliance Is A Real Option
Interesting post Glenn. It's easy to go overboard on compliance yet still miss the mark.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.