• United States




Toppling the regulatory Tower of Babel

Dec 11, 20094 mins
Data and Information SecurityRegulationSecurity

The business world needs a common set of criteria to deal with conflicting, confusing, or obsolete regulatory guidelines

I commonly consult with businesses that are saddled with two, three, even all of the major regulatory guidelines, such as SOX, GLBA, HIPAA, and PCI. And that’s on top of complying with their industry guidelines, company security policy, and internal audit recommendations.

Beyond absorbing the inherent costs of simultaneously complying with multiple regulatory guidelines, companies struggle with the conflicting or contradictory information they contain. I’ve seen IT managers have to speculate, along with legal counsel, which course of action will result in the least detrimental consequence — and guess when their companies and they themselves can be held accountable for failure.

[ Will the U.S. Supreme Court overhaul Sarbanes-Oxley ? | Learn why compliance as security is the root of insanity. ]

Despite the multiple regulations, the guidelines completely ignore many best practices that any reasonable person who is more intimately knowledgeable with a particular technology would recommend. Thus, IT shops often spend a lot of resources (time, staff, and money) to meet regulatory requirements and to make senior management happy, all the while knowing it didn’t make their environments all that secure.

Many of the regulations are aged, recommending actions that aren’t all that secure in today’s context. For example, many regulations require complex passwords with a minimum size of six characters. They appear oblivious to the reality that six-character passwords are trivial to break with current advances in cracking technology. Sure, entities are free to use passwords of any size, and the regulations are only a minimum, but many administrators interpret meeting recommendations as creating a secure environment.

Worse yet, many regulations have ambiguous meanings; the interpretation of the various guidelines are essentially left to the organization being regulated or, more importantly, by the auditor. I find my clients sometimes guessing how much action is sufficient to satisfy the coming auditor. If they end up changing auditors, the new ones often end up flagging them on items the previous auditor approved or even lauded. Companies are left feeling like the regulatory guidelines are somewhat arbitrary.

It’s a regulatory Tower of Babel. It can drive any IT security person batty, especially in light of the fact that 80 percent of the computer security regulations are essentially the same or reaching for the same goals. How nice would it be if institutions could apply a single “common criteria” and meet all the regulations?

I know it would be near impossible to accomplish such a task. Heck, just getting the committee members of those regulatory bodies to agree upon a single set of regulations is an immense undertaking. Getting global agreement would probably be impossible. Still, I dare to dream.

A common regulatory set of guidelines would significantly decrease the expense of compliance and auditing for any organization that must meet more than one regulation. I have to believe that the cost savings for all entities as a whole would be in the hundreds of millions of dollars. The savings in unproductive labor alone would immeasurably add to each company’s productivity, especially in recessionary times.

Imagine my surprise to find out that a bunch of other people had the same idea and decided to do something about it. If you’re tasked with meeting multiple regulatory guidelines, you should visit the Unified Compliance Framework (UCF) Web site.

The UCF’s major goal is to “map IT controls across international regulations, standards, and best practices. The UCF accomplishes its goal by harmonizing terms and controls against the backdrop of a master hierarchical list. In simple terms this means that we can present the complex rules, standards, and policies you must follow in a simple spreadsheet format with in-depth links for you to drill down for as much information as you need.”

Make no mistake: The UCF is a commercial entity out to make a profit. Still, the group’s tools, documents, spreadsheets, XML formats, and other resources are aimed at helping followers to simplify, to whatever extent possible, the effort to comply with multiple regulatory guidelines. And to whatever extent the UCF (or other entities, if they exist) can help you reduce duplicate effort across commonalities, it’s a win.

Even if you can’t participate or use UCF’s tools and products, consider revamping your own internal procedures to reduce effort where possible. It’s clear that simply implementing multiple efforts as if they didn’t have huge commonalities is wasted resources. You can make your life (and those of others that participate with you in meeting multiple regulatory guidelines) easier.

This story, “Toppling the regulatory Tower of Babel,” was originally published at Follow the latest developments in security at


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author