Ask The Security Policy Expert
Question:
As a newly-minted CISO, I now have to deal extensively with our regulatory group. In meeting with the head of audit, she spoke about the various regulations we have to comply with and how my company interpreted them. I thought the regulations were black and white. How can they interpret them any differently? Isn't this like driving 65 MPH in a 45 MPH zone and telling the judge I interpreted the traffic sign differently?
Answer: From Ben Rothke, CISSP
Your question is a good one. The truth is that most regulations are far from being black and white. Most of them are quite gray; in fact, they come in various shades of gray.
Most regulations, including Sarbanes-Oxley, HIPAA, 21 CFR Part 11 and myriad others, apply to the entire spectrum of enterprises, from the largest Fortune 500 firms down to the smallest shops. With that, when the regulatory agencies create the regulations, they have to be written in a manner that creates the framework but leaves the minutiae to industry. So interpretation is not an anomaly; it is built into the very fabric of the regulation.
Once a regulation is written, each firm then takes the time to interpret it in a manner they deem appropriate. This interpretation must be signed off on by executive management, legal counsel, auditors and more. So it is imperative that the regulations be interpreted in a manner that supports the regulatory and legal requirements.
Given that interpretation is a must, most of the regulatory agencies offer guidelines on their websites to help companies interpret the regulations.
Unlike speed limits, regulations are designed to be interpreted by the organizations that fall under the law. Even so, if you told the judge that you were driving a heart attack victim to the hospital, you would likely not get a fine. If you were driving to the video store and you told the judge you had to get there before they ran out of Cars, your interpretation of the speed laws would not find favor in the judge's eyes.
Related Resources and Information
Information Security Policies Made Easy, Version 10.0 contains over 1400 pre-written information security policies, including security awareness and training policies.