Tuesday, February 12, 2008

Secret Love

I have been beating this drum for a long time, about how important it is to make every part of your security and compliance plan workable not just for us geeks, but for every user. Here is another thought about classifying information that has occured to me, but I haven't gotten around to writing about. Now I don't have to:

Chief information officers need to take a leading role in setting up formal information classification schemes to stop them over-engineering them to comply with security regulations, according to a report from the Information Security Forum (ISF).

The ISFsaid that information classification systems were overly complex. "As a result they rarely deliver business benefits and are often simply ignored," it said.

Now me and all my geeky friends just love us some multi-layered processes and classification schemes that look like flow-charts of Merovingian Dynasties, but you know, most people don't. Stange as it may seem, most folks just want to do their jobs, and if you make it too difficult for them, they will bypass your marvelous system, or in the case of data classification, underclassify it to avoid hassling with additional layers of crap. Make it easier for them to do the right thing, will ya?

Secret Meetings

Outsourced Enforcement? We have seen how well outsourcing has worked with things like disaster relief, so why not take a whack at compliance?

But I know how much a good PWC auditor costs, and I know how much the average civil service auditor makes. I guarantee the latter costs less, unless PWC itself is outsourcing this work to India or someplace.

And would it be too much to ask for the public, or at least the industry, to get a gander at that contract? On what basis is PWC being paid? What is their incentive? Is it a fixed price per audit, is it hourly, or is it based on the fines they collect?

The folks at iHealthBeat have another concern. What if PWC has to audit one of its own clients? The government says the company will recuse themselves. Does that mean the audit is then off? Better call PWC, then.

I don't always agree with Dana Blankenhorn, but in this case he is spot on. This raises far too many questions, and simply cannot be cost-efficient.