BZZZZZZZZZ! Wrong answer, but thank you for playing! Hehe, sorry, overkill. But as you can guess I disagree.Quote:
Originally posted here by Spyder32
Compliance means that the requirements to the standard thats set is being met (or like catch said, the procedure/policy). Now aslong as those standards, procedures, etc is being met and covers the important aspects of the policy on how things are run, then there shouldn't be much to worry about.
I know (reinforced by painful experience) that 'compliance' does not in and of itself = security. Phil Hollows at OpenService.com tends to state 'complaince != security' ad naseum, and at first I balked when I read that, and wanted to call him some non-conformist hippie! But if you read his arguements, he makes a valid point (the one I am exploring with this Poll.) I don't agree with him 100%, but he has certainly reinforced some of my concerns with the compliance-culture in corporate America (side note: this can't be localized just to the US...what is happening in other countries in this area?!?)
/* Edit follows */
Ok, so to respond to Spyder32 I take issue mostly with the phrase "shouldn't be much to worry about" (I had to clarify that, since catch brought up the whole issue of ambiguity.) Compliance, IMHO, will bring you a certain degree of security. But to stand on the shoulders of 'compliance' and claim "We are Secure!" is foolhardy, at best; dangerous, really, especially in a for-profit organization. Complaince, like Security, is a vehicle, not a destination. Compliance (when properly instituted and followed) should help an organization keep their security efforts in check and in the right direction.
Unfortunately, especially with publicly traded for-profit companies, compliance these days has received a lot more attention then security, particularly because (at least with some US regulations) it makes C-level executives personally and criminally liable. As in, go-to-jail liable. Thank you Enron and Arthur Anderson. Once compliance is achieved and you get that rubber stamp of approval, it gives many executives a reason to cap investment into security resources (financial, knowledge, and human investments).
Alright, who disagrees and want's to tear me a new one? ;)