
Tuesday, March 4, 2014

[net-security] NIST announces security framework... yawn

Let me start out by saying that I have a bias against regulatory compliance standards, especially those that are non-specific, not prescriptive, require voluntary cooperation for information gathering, and allow auditors to pass judgment on adequacy with little oversight or discussion.

My passion has always been for implementing real security and for always being aware of the latest threats and mitigations. There is a definite place in the business world for operational standards such as segregation of duty, four-eyes transactions, and workflow approvals, as well as attestation of privilege.

I have also believed that the government has a place in setting standards for many things including appropriate national security and financial standards. But, for a standard to be effective, it must be specific, easy to measure, and have clear penalties for failing to comply. Some Federal and State standards are good, others seem to be a concerted plan to mow down large swaths of forests to print paper documents of little to no value for the citizenship.