The Black Book of Identity Access Mgmt


    Friday, July 6, 2012

    Quit your whining, you compliance crab

    A couple of months ago, I was asked to pop over to Germany. I had a smooth flight over there, sitting next to an opera singer whom I later looked up on YouTube. Traveled through Hamburg on my way to my final destination to discuss the secure (using encryption and the use of protected realms) storage of data pertaining to German nationals. This was on behalf of a wonderful customer who sent me over with beautiful accommodations.

    I got picked because of my excellent posture, blazing good looks, brilliant repartee, and a tiny bit because of my knowledge of data security and international regulatory laws. But really, it was the posture.

    They bribed me into going with first class seats and a stop in Amsterdam. At Schiphol airport, I saw a guy in the first class lounge who was so drunk, they had to call the EMTs.

    To satisfy the requirements of the business at hand, I had to visit the local offices of a German ministry, located in a very nice strip mall. No kidding. They served some excellent oversized cookies. Anyway, the argument to be made was that the data could be utterly secured, and accessed only by authorized personnel. Even the DBAs would not be able to look at personal data. This would be accomplished with a combination of Transparent Data Encryption (TDE) and Database Vault, both Oracle products.
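    For readers who have not set this up, here is what the TDE-plus-Database-Vault combination looks like in practice. This is an added example written for this page, not the author's or the customer's configuration: the schema HR, the table CITIZEN_DATA, the realm name, the application account CASEWORKER_APP and the wallet passphrase are all placeholders, and the syntax is the Oracle 11g-era form that was current when this was written (the DBMS_MACADM and DBMS_MACUTL packages are Oracle's documented Database Vault API).

```sql
-- Added example: placeholder names throughout (HR.CITIZEN_DATA, CASEWORKER_APP,
-- realm name, wallet passphrase). Oracle Database 11g-era syntax.

-- 1. TDE: open the wallet holding the master key, then encrypt the sensitive
--    column. Applications see clear text; the datafiles on disk (and backups
--    of them) hold ciphertext, so a copied datafile is useless without the wallet.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-passphrase-placeholder";

ALTER TABLE hr.citizen_data MODIFY (national_id ENCRYPT USING 'AES256');

-- Check: the column is now listed as encrypted with the chosen algorithm.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR';

-- 2. Database Vault: wrap the table in a realm so that SELECT ANY TABLE and the
--    DBA role no longer reach it. Run this as a user holding DV_OWNER, not as SYS.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Citizen PII Realm',
    description   => 'Personal data of German nationals; off limits to DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log every blocked access

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Citizen PII Realm',
    object_owner => 'HR',
    object_name  => 'CITIZEN_DATA',
    object_type  => 'TABLE');

  -- Only the application account is authorised. No DBA account appears here,
  -- which is the whole point of the exercise. A NULL rule set means "always".
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Citizen PII Realm',
    grantee       => 'CASEWORKER_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check: connected as SYSTEM (which holds SELECT ANY TABLE) this now fails with
-- ORA-01031: insufficient privileges; connected as CASEWORKER_APP it returns rows.
SELECT COUNT(*) FROM hr.citizen_data;

-- Check: the realm and its protected object are registered and enabled.
SELECT realm_name, enabled
  FROM dvsys.dba_dv_realm
 WHERE realm_name = 'Citizen PII Realm';

SELECT object_owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'Citizen PII Realm';
```

    Two caveats a practitioner would want before presenting this to a ministry. First, the two products cover different attackers and neither replaces the other: TDE protects the datafiles and backups from anyone who can read the storage, while the realm protects the live table from anyone who can log into the database with system privileges. Second, a regular realm of this era blocks system privileges but not the object owner's own direct grants, so the HR schema account itself must also be locked down (or, on later releases, a mandatory realm used); and the audit trail from G_REALM_AUDIT_FAIL is what you actually hand the auditor.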

    WHY was a German ministry involved in the disposition of data to be processed by a private company, before the data was even collected? Because that’s what they do. They CARE about the disposition of the data. European privacy laws mandate that before you collect data, you need to specify what you’re going to collect, why you’re collecting it, who’s going to see it, how long you’re going to keep it, and then you may collect ONLY that data, and use it ONLY for the documented purpose before you dispose of it.

    Outside the USA, compliance is a serious thing. And they don’t horse around. They enact a law, and it’s in effect, NOW. You violate it, you’re in trouble, NOW. In India, they once passed a compliance law that was so stringent, people immediately went to jail.

    Meanwhile, in the USA, HIPAA is in year 95 or 96 of rollout. If you violate it, oooh, they’ll make you write a letter and make you stand in the corner. If you appear to step on SOX, you’ll probably go to court to argue that the law’s too vague, and you’ll likely win.

    NERC CIP. Now there’s a set of regulations with teeth. If you don’t secure your power grid, and it gets hijacked, people lose electricity while it’s too hot out, and all the meat in their freezers goes bad. This is why CIP has provisions for violators to be beaten with sticks.

    But even NERC CIP is open to interpretation, while PCI is fairly specific when it comes to IT security.

    But is the U.S. gummint ripping on your security scheme before you’ve even envisioned it? No. They kinda wait until you screw up. Have they passed a law and tossed you in jail for it a day later? Nope. Remember, this is the country where they invented giving you a loan for your own home down payment, in a grand and successful scheme to tank the economy.

    So when the auditors are hassling you, stop complaining, prep for your assessment, and sleep well.