The title of this article is odd "...Good Enough Compliance". Is there such a thing? Most would admit that there are several laws, regulations, etc. without much clarity. Part of the problem is that law makers don't understand enough about each and every piece of technology in use today. Therefore, they pass general legislation, and expect companies to make their systems and employees comply; not realizing that the cost to make these "sweeping" changes will vary by size and complexity of a company.

There are several IT Control Frameworks (e.g., COBIT, ITIL, ISO) that can be utilized to control IT processes, and assist in making an organization compliant with these laws. The problem lies in the fact that there are various technological components (i.e., Operating Systems, Hardware, Software, etc.) to running a business. The implmentation of these technologies varies by what a Company needs to run their business, and what they can afford. To that end, most control frameworks are also written in a general sense to allow the framework to fit into any organization, (regardless of the hardware/software in use).

Having good password controls, which includes the use of complex passwords, just makes good sense. Most control frameworks won't define that, and they shouldn't. It's a guide...not a step-by-step instruction manual.

IT compliance is easy if an IT organization follows a basic control framework, and develops good business practices around their processes. PwC is right, you don't need high tech solutions...but you need to prove that the controls are working.

Fine article but for one thing: Gartner has zero credibility as far as I am concerned. Pay attention to their commentary on virtually any topic. It follows a consistent pattern: 1) "X" activity is really hard. 2) You better get someone who knows what they're doing to help you 3) Hey! Whaddya know. It just so happens we have people who can help you (at $200/hour). Gartner will never get another nickel out of me.

Fine article but for one thing: Gartner has zero credibility as far as I am concerned. Pay attention to their commentary on virtually any topic. It follows a consistent pattern: 1) "X" activity is really hard. 2) You better get someone who knows what they're doing to help you 3) Hey! Whaddya know. It just so happens we have people who can help you (at $200/hour). Gartner will never get another nickel out of me.

I happen to agree with this article whole heartedly! No one will ever be 100% compliant and still in business. Not only is it not cost effective, it can't even be defined!

I'm surprised that The Payment Card Industry Data Security Standard was not included in this discussion. Non-compliance with this "commercial" regulation will soon result in significant fines for credit card aquirer institutions and the merchants using their credit card processing services. Take a look at VISA's December 2006 announcement of incentives to becoming PCI compliant on their CISP website.

Interesting... the problem and I mean problem is that articles like this and so many others are telling CIO's they need to be compliant.

Don't set out to be compliant with . Make security part of your DNA and do good security, put in appropriate controls and protections and you will be compliant, regardless of the regulation.

Security like brakes on a car is not optional. Like brakes allow your car to go fast, who would step on the gas if you couldn’t stop? Security can help your organization to safely conduct business, without adequate controls you and your organization are at risk.

The regulations and compliance requirements are there only because organizations were not voluntarily making security part of their organizations DNA. Good security in today’s world must be an expense of doing business. If it were not seen as an option or add on it would not appear so expensive. You don't see brakes on the options list when buying a car.

Real organizations are finding improved controls making their business more efficient more appealing to their customer. Take the sanity check, security must be reasonable to your industry, but don't look to just do enough to be compliant or you will find your brakes are already out of date and you will need the anti-lock variety to remain safe.

Implement controls because it is the right thing to do when handling your customer’s information, not because some regulation had to be created to tell you to do so.

Ken

I appreciate the complexity of the IT implementations and the compliance requirements that must be maintained. As a senior CIO, I have deployed a myriad of systems, followed Best Practice CISSP methodologies but what really determines a firm meeting a compliance action is what the users are willing to support in their daily work activities. I particularly appreciated Glen Damiani's comments regarding a healthcare institution. His insight created a win-win and isn't that what were all trying to accomplish?