Despite the multiple regulations, the guidelines completely ignore many best practices that any reasonable person who is more intimately knowledgeable with a particular technology would recommend. Thus, IT shops often spend a lot of resources (time, staff, and money) to meet regulatory requirements and to make senior management happy, all the while knowing it didn't make their environments all that secure.
Many of the regulations are aged, recommending actions that aren't all that secure in today's context. For example, many regulations require complex passwords with a minimum size of six characters. They appear oblivious to the reality that six-character passwords are trivial to break with current advances in cracking technology. Sure, entities are free to use passwords of any size, and the regulations are only a minimum, but many administrators interpret meeting recommendations as creating a secure environment.
Worse yet, many regulations have ambiguous meanings; the interpretation of the various guidelines are essentially left to the organization being regulated or, more importantly, by the auditor. I find my clients sometimes guessing how much action is sufficient to satisfy the coming auditor. If they end up changing auditors, the new ones often end up flagging them on items the previous auditor approved or even lauded. Companies are left feeling like the regulatory guidelines are somewhat arbitrary.
It's a regulatory Tower of Babel. It can drive any IT security person batty, especially in light of the fact that 80 per cent of the computer security regulations are essentially the same or reaching for the same goals. How nice would it be if institutions could apply a single "common criteria" and meet all the regulations?
Sign up for Computerworld eNewsletters.