Double Compliance


  • Rarely is any endeavour that is worthwhile without any pain. Of course, most people here (if not all) know that.

    I agree that a single regulation would work. For a start, from a typical non-American viewpoint even the Editorial by a well-travelled and rounded individual such as Steve has a whiff of the insular about it. In the UK, before we complied with ISO9000 there was BS5750, and there will be numerous different regulations to comply with throughout the world. This would multiply the watering down of regulations, not only to be compromised between different industry sectors but also between different countries' regulatory bodies.

    Targeted regulation will often mean that the appropriate regulations will only exist where it is deemed necessary. Where more than one set of regulations needs to be applied it is obviously a complex scenario and that is where separation of concerns can be applied.

    We shouldn't be adding complexity where it is not necessary.

    With regards to best practices being practiced or not, I have always thought that our industry needs a professional body akin to the legal or medical professions to stop bad practice. It would not have to be heavyweight, as I would only want to see it stopping the very worst of practices and practitioners.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • I work for a company that is bound by HIPAA and PCI as well as several industry-specific regulations, and I'm not sure there is a one-size-fits-all set of regulations that would be possible without becoming burdensome. From a strictly data-based view, yes, data is data and must be secure, but HIPAA requires many more regulations than PCI does, and I'd hate to see all the HIPAA rules imposed on PCI audits.

  • To echo the point that has been alluded to...

    As I was reading, there was a growing concern in my mind over the consideration of a 'universal' (I would posit, 'cumbersome') standards set that could apply or be strapped across several industries in common. Rather than a generic form with a great many useful regulations or practices, we may end up with a checklist of 'do this, not this' instead - which seems to be out of scope for what the topic of 'regulation' should really entail.

    Gary mentioned that regulation should embody the enabling of people who operate within best practices and governance to be allowed to continue to do what they are already doing well without substantially increased operational burden.

    Offenders however, the worst of the worst - security and sanity threats to the user/customer base - should be stopped and corrected: 'No, you are not doing that correctly - here is an industry-standard set of evaluated, tried, tested, and proven methods for how to do it the right way going forward.'

    Regulation, for whatever it's worth, should be imposed with the intention of protection and preservation, not for the purpose of elitism or any ulterior motive, should it not?

  • We're in the healthcare field and bound by HIPAA as well as some other regulatory rules. While they are a pain and somewhat costly to do, ultimately they are helpful in making sure we've got the right policies and practices in place. In some ways, going through the regulations limits others from competing with you given the barriers to entry.

  • The other thing to consider with the compliance space is that it is a profit center for auditing companies. If someone is billing high hourly rates to ensure you are compliant, they don't have much incentive to make it quick and easy. No matter how hard you try to be compliant, you will be dealing with a Ninja who wants to and will find any little reason to make the audit a demanding, exacting experience.

  • srmc (4/8/2013)

    We're in the healthcare field and bound by HIPAA as well as some other regulatory rules. While they are a pain and somewhat costly to do, ultimately they are helpful in making sure we've got the right policies and practices in place. In some ways, going through the regulations limits others from competing with you given the barriers to entry.

    This type of regulation (HIPAA, SarBox, etc.) in all industries is quickly becoming a reality. The government sector particularly. You may not like it, but that doesn't mean it is not going to affect what you do in the job place in the near future, particularly in the information business. If you don't like regulation, then you are living in the wrong country during the wrong administration. Government regulation is quickly becoming much more involved in all of our lives, period. Whether we like it or not is really irrelevant; it's coming anyway, and competition avoidance isn't the driving factor as you tend to imply. It is primarily litigation avoidance. 😀

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
