Policy <> Compliance
Compliance is just one of those topics that I hate. It's a catch-all word for vendors that can't figure out what they do and what value they provide. We continue to see tons of folks, consultants and vendors alike, that try fervently to latch onto the compliance bandwagon. After 10 years of this, it's pretty nauseating, but it goes with the territory. Most of the people I deal with have become numb.
The best thing I can say about compliance is that it has provided a funding source for many a security project. Projects that would have been hard to fund otherwise, so there is some goodness. But the gloss is coming off that rose and senior execs are asking what they are getting from all that money spent on "compliance."
I figured most people that have been in this business for more than a week or so had an idea about what compliance is and what it's not. But I guess I was wrong. This morning I read this article in Network Computing (here) and almost fell out of my chair. I wasn't laughing, I was shocked. The sub-head of the article is:
The best way to stay out of the regulatory hot seat and keep the compliance police at bay is to develop a comprehensive set of well-written policies.
WHAT? Since when does a policy do anything to get you out of the regulatory hot seat? A policy is a piece of paper. It's not worth the ink it's printed with. Why? Because most policies are documents written by lawyers to cover the collective ass of the organization.
Compliance indicates that you've done something. And that you can prove it to an auditor when they come to make sure. I can assure you that if an auditor shows up and all you show them is a policy document, it will be a LOOOOOOOOOOOOOONG day for you.
So let me quickly make a distinction between a policy, a strategy, and an implementation plan. I've already discussed a policy above. A strategy is how you propose to execute on the policies. And an implementation plan is the set of tactics, projects and products that will be used to make the strategy a reality.
You are not in compliance with anything until you have successfully implemented your strategy and can document the controls in place to meet the spirit of the regulation, whatever that may be.
The only thing a well-written policy gets you is a clear view of the target. That and $4 will get you a coffee at Starbucks.
So the reality is that you DO need to start with a policy, and this article gives you some ideas about where you can find a policy template for what you are trying to do. It even points you towards a set of document management products that can help you assemble the documentation that the auditor may want to check out.
But there is nothing in this article that is going to help you "stay out of the regulatory hot seat or keep the compliance police at bay." Shame on Network Computing for printing such an incomplete discussion of this topic. The editor must have had a lobotomy or something to let this one slip through.
Heaven help the poor administrator who takes this advice to heart. Maybe they'll know better for their next job.