BillCan's Place

Life at Microsoft


Regulatory Compliance Question

For those IT security pros out there, a question: has the increased focus on regulatory compliance (SOX, HIPAA, etc.) been an overall positive or negative for you?

I am wondering whether your companies/clients are using compliance as a reason to fund projects they should have been doing all along (e.g., automated user lifecycle management, strong(er) authentication, more effective change management, etc.), or whether they are focusing on just doing enough to get by (e.g., wrangling tons of reports for the auditors so they can get a signoff, documenting lots of manual processes, etc.).

I really appreciate your feedback on this topic...

  • The healthcare company I'm working for is doing as little as possible to implement HIPAA; they probably spend more on the legal dept to make sure that they can't be touched for that, rather than spend the money to implement the system right in the first place.

  • When I worked at an FTSE 500 mortgage company a few years back, we were pushing the implementation of BS7799.

    Any IT projects that even remotely touched on compliance-related bits were pushed through under the 7799 banner without argument, including ones that had previously been rejected by management as unnecessary.

  • Overall positive.

    There has been a significant increase in demand for IT auditors as a result of the compliance issue, both from the Big 6 -> 5 -> 4 and from their clients.

    Cynics have been saying for years that nothing much would change on infosec unless organizations were forced by law to do something. Seems they were correct.

