Current Event: International Man of Privacy

Early in August I commented on the implications of a US district court's judgment that Microsoft had to turn over e-mail belonging to alleged UK nationals whose e-mail was stored in a data center in Ireland. At the time of the judgment the judge stayed the ruling pending Microsoft's appeal. This appears to have been a procedural mistake.…

What is Compliance?

I read and hear the term "compliance" used liberally in infosec, often without a clear context. The graphic above is intended to illustrate some business drivers such as statutory laws, regulatory agencies (e.g. HHS enforcing HIPAA), industry-imposed requirements (e.g. PCI DSS), and customers' and shareholders' expectations (some of which are legally and contractually required). These plus other…

Compliance versus Security … Coming to Trial?

Compliance is about auditable business processes related to meeting legal, regulatory and contractual requirements. Infosec is a confluence of strategic and tactical processes and controls with the goal of ensuring the confidentiality, integrity and availability of data and systems. There is overlap, but the two are effectively different and aimed at different needs…