Tuesday, January 13, 2009

Titanic Update

Just want to quickly revisit that “Titanic” theme, started here. More people chimed in:

Here is an interesting observation, however. And some more humor, of course.

First, let’s ask why there were boats in the first place (not “why there were NOT enough of them?”).

Risk decision (to save the passengers in case of a disaster) or compliance decision (to comply with a safety manual)? Personally, I would not be entirely shocked if it was indeed the latter …

So, let’s imagine how different regulations would have handled it:

  • PCI – you MUST have (some) boats or we pull your coal supply. Also, you must have a certain type of boat, even if you don’t like it (we have evidence that you cannot be trusted with boat selection!)
  • FISMA – you must have documents about boats; they MUST be complete, but can be stored safely ashore (N.B.: said docs thus might not help as a floatation device…)
  • HIPAA – you must have boats, but we promise we will never, ever check. You can pick your favorite type, including a) leaky boat b) paper boat or c) a toy model of “Titanic”
  • SOX – you must have boats at least for the captain, so that he survives and can be jailed later. Please call 1-900-BIG4-BOATS to get our boat selection advice.

Making fun of “Titanic WAS Compliant!” is easy; remembering that many businesses now run WITHOUT ANY life boats is harder… If compliance (and PCI DSS in particular) makes certain risk acceptance decisions impossible or at least ‘very illegal’ (or much more risky by adding another risk – an auditor), then it is a good thing!

Dr Anton Chuvakin