Your Guide to Good-Enough Compliance

Legislative requirements are mandatory, but going the extra step is a business decision based on what makes business sense. When it comes to compliance, you can, in fact, be a little bit pregnant

In November 2005, Jason Spaltro, executive director of information security at US-based Sony Pictures Entertainment, sat down in a conference room with an auditor who had just completed a review of his security practices. The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement.

Furthermore, the auditor told Spaltro, the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns. (Sox does not dictate how secure passwords need to be, but it does insist that public companies protect and monitor access to networks, which many auditors and consultants interpret as requiring complex password-naming conventions.)

Summing up, the auditor told Spaltro: "If you were a bank, you'd be out of business."

Frustrated, Spaltro responded, "If a bank was a Hollywood studio, it would be out of business."

Spaltro argued that if his people had to remember those non-intuitive passwords, they'd most likely write them down on sticky notes and post them on their monitors. And how secure would that be?

After some debate, the auditor agreed not to note "weak passwords" as a Sox failure.

Doing the Right Thing

Spaltro's experience illuminates a transaction that's rarely discussed outside corporate walls. Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science — and it is frequently a matter for negotiation.

How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what's right for the bottom line, not necessarily what's right in terms of the regulation or even what's right for the customer.

"There are decisions that have to be made," Spaltro explains. "We're trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What're the most important things that are absolutely required by law?" Spaltro does those, noting that "Sony is over-compliant in many areas", and he says that Sony takes "the protection of personal information very seriously and invests heavily in controls to protect it".

He adds that "legislative requirements are mandatory, but going the extra step is a business decision" based on what makes business sense. So you adjust, you decide, you weigh the issues. It's not black and white, yes or no.

When it comes to compliance, you can, in fact, be a little bit pregnant.