Tuesday, March 20, 2007

Again and Again on Compliance vs Security

I am going thru my "backblog" of items :-) to blog about - here is one fun item where Andy weigh in on compliance vs security with "Compliance rarely leads to good security but good security almost always leads to compliance." Indeed, claiming the opposite is silly, just look at all this FISMA stuff.

However, what is missed in the above adage are all those areas of compliance and IT governance that have little to do with security: proper change control (which admittedly helps security immensely), documenting controls, SLAs, and a bunch of other stuff that ITIL, COBIT and others are made of.

So, compliance might not lead to security, but security doesn't lead to [full] compliance as well ...

Dr Anton Chuvakin