Risk // Compliance
6/25/2013
11:18 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Ignoring Compliance Is A Real Option

Security and compliance are commonly deferred by choice

Life is full of choices. Lots of choices. We even have choices we don't recognize as available. Business is the same way.

For instance, did you know that both compliance and security are optional for your business? They are choices. Every day your business makes choices about how much effort, if any, it will make toward meeting compliance requirements or securing its assets, for both the physical facilities and its information assets.

"But wait, Glenn! Compliance is REQUIRED of businesses in my industry." OK, but let's be honest and clear: Compliance to laws and regulation may be legally required, but that does not mean your organization and others in your industry have actually chosen to fully embrace every legal requirement.

I bet you could tell me right now three ways your organization falls short of compliance. And you can probably also tell me how others in your industry, working under the same compliance requirements, fall short in even more ways.

If compliance were an actual requirement, like oxygen is to our bodies, then your organization would quickly fail or be closed for noncompliance. Compliance failure sometimes results in business failure, but more often businesses are noncompliant to some extent and continue to operate. They survive, perhaps even thrive, without meeting all legal requirements. The multitude of ambiguities in many laws and regulations only complicate the matter, and many companies consider themselves compliant only by embracing loose interpretations.

Your organization is probably like most. Compliance as a whole is considered a requirement, but the details of compliance are broken down into many smaller elements that are considered optional. Your company's employees choose some areas to bring into strict compliance and others to skimp on. Most organizations want to follow the rules of law and regulations of their industries, and most make a reasonable effort to do so. While the letter of the law may be subject to interpretation, and penalties have different weights, most businesses generally make choices to keep them within at least the spirit of the rules.

Unfortunately, too many businesses, however good their stated intentions, choose to treat compliance as a series of costly add-on projects, rather than the routine behaviors and processes that create true compliance. This misguided attitude often leads them to attempt to cut corners that are usually more costly in the long run, sometimes even costing them their businesses.

The best companies are those that recognize the choices, evaluate them in advance, and then choose how to most efficiently incorporate actions into their processes that make them as compliant as possible.

Glenn S. Phillips hopes you choose wisely. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon8122448976
50%
50%
anon8122448976,
User Rank: Apprentice
10/9/2013 | 6:17:33 AM
re: Ignoring Compliance Is A Real Option
Management in most companies is sooooo arrogant. Compliance is a luxury
GonzSTL
50%
50%
GonzSTL,
User Rank: Apprentice
6/27/2013 | 4:48:46 PM
re: Ignoring Compliance Is A Real Option
When it really comes down to it, an organization that embraces and enforces well defined security practices as core to their organizational objectives will find that compliance isn't that far out of reach, if they aren't already there.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
6/26/2013 | 4:23:24 PM
re: Ignoring Compliance Is A Real Option
Interesting post Glenn. It's easy to go overboard on compliance yet still miss the mark.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web