
Compliance Demands Are Getting Too Prescriptive

Benjamin Wright’s comments on the ill-fated California AB 7799 Bill raise an important criticism about emerging compliance demands: they’re getting too prescriptive. This was a trend I pointed out last year. It’s because too many inexperienced standards-setters are now driving the agenda. The PCI Security Standard was an early indication of this trend. It's typical of a standard drafted by industry specialists, not experienced regulators or standards professionals.

Experienced regulators and seasoned standards writers tend to avoid solution-focused requirements. Regulators strive to maintain a level playing field, and you can’t do that if you prescribe a solution based on the practices of individual organisations. Standards professionals also recognise that prescriptive solutions restrict innovation and don't stand the test of time. Unfortunately these considerations are not widely appreciated. And we don't have training courses for standards writers. But the stakes are getting higher. We need more standards for standards. Physician heal thyself.


Comments (2)

If people had followed the "best practice" guidance available from early on, and listened to those who did know and had the requisite experience in the first place, then we wouldn't be in a position that appears to require prescription. Invariably, we have ended up with woolly attempts at "compliance", given that your version of it and mine may be two different things, depending on our perspectives and our business processes. Without at least an element of prescription, it is too risky to simply "trust" and hope that all is well, given the current environment of managing constantly growing values and quantities of information.

Duncan:

Being compliant against a prescriptive immature standard does not equate to managing the risk. Moreover, compliance against immature standards may actually be undermining efforts to manage risk and working against the best interests of organisations and their owners.


About

This page contains a single entry from the blog posted on October 17, 2007 11:47 AM.
