Thursday, September 13, 2007

Sing, sing, sing

Music to my ears:

"Our software is HIPAA (SOX, etc.) compliant."

No, it's not.

Many security standards, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, include requirements for the implementation and operation of a system. These detail the actual practice of protecting sensitive data, not just the type or design of security controls.

Proper security controls in a piece of software can support compliance with HIPAA, Sarbanes-Oxley or other regulatory requirements, but a direct claim of compliance-in-a-box is laughable. There's no way to box up a proven-compliant life cycle into an unimplemented piece of software without incorporating your data and experience.

This article is golden. Absolutely a must read for anyone lost in the dark forest of regulatory confusion.

No comments: