[IMAGE]

Regulatory Distraction
Regulatory mandates have forever altered how organizations perceive their risks. The Ernst & Young 2006 Global Information Security Survey, which queried 1,200 respondents in 48 countries, found that three years after Sarbanes-Oxley, attaining regulatory compliance is the top focus of IT security groups at 56 percent of those surveyed. and even trumps privacy and personal data protection, at 47 percent, and meeting business objectives, at 38 percent.

"There's definitely a degree of regulatory distraction out there," says John Pescatore, security analyst at research firm Gartner. "And even cases [where] regulatory demands have lowered overall security."

As an example, Pescatore cites that nearly every Sarbanes-Oxley audit requires quarterly password changes.

"That's a guaranteed way to decrease security. The end result is that people choose easier-to-remember passwords, or they're forced to use stupid passwords they're going to forget," he says. T...

Many chief information security officers also argue that aspects of regulatory compliance--such as focusing too heavily on audit controls, procedures, and satisfying auditors' demands--actually can increase risks to the information the regulations purport to protect. Pescatore points to cases in which companies are measuring compliance success by counting their regulatory controls and by increasing their total number of controls. "They'll argue that they're reducing regulatory risks because they now have 1,200 controls in place, whereas a year earlier they only had 800. But that doesn't mean you're doing better. You might actually be doing better if you had 600. People start focusing on satisfying the auditors rather than protecting the business," says Pescatore.

< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   NEXT PAGE  >