If IT Policies Could Talk
Friday, May 04, 2007
Posted in: IT
Ask a CIO to tell you about their compliance challenges and he’ll talk in terms of information systems. Ask the CFO or General Counsel they’ll talk in terms that fit their respective business functions. Compliance means different things to different people depending on where you sit in the organization. To date, the IT community has had a lot to say (and do) about compliance because a company’s ability to achieve compliance depends a lot on data flowing into, around, and outside the business. The IT organization manages the automation that helps companies conform to their policies thereby staying within the rules and regulations. If policies could talk, I can imagine a heated conversation where they assert their rightful place at the heart of compliance, and complain about all the attention technology has been getting in the form of security, monitoring, collecting data, and reporting. If the relationship between policies and technology is interesting to you, check out this article by Michael Mullins, an IT security and administration expert with the Defense Information Systems Agency, posted on TechRepublic a few weeks ago. His column “Take technology out of your security policies to maintain compliance” has some useful insights on the subject. His column prompted some interesting comments from readers, one in particular I found interesting from an IT executive who observes that automation prompts the realization that “paper based policy can neither be enforced nor monitored….or audited to meet the compliance requirement.”
Comments
Thanks for the positive comments. I spend a lot of time solving issues ranging from user-based problems to policy make overs, it’s nice to know that I hit the nail on the head every now and then.
Posted by on 10/19 at 07:44 PM