It's holistic, dude: How to dodge the EU's £17m data regulation sting

Holistic IT is hard. There are those among us who want to purchase hardware, software, services or so-called turnkey "solutions" – as vendors call them – bearing logos and stickers and otherwise don't require any architect-level thinking. None of us wants to dive deep into compliance regimes to understand what we need to do. …

  1. CAPS LOCK

    Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

    ... unemployed.

    1. craigb

      Re: Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

      To be fair, a lot of compliance people would be out of work if other staff and management were just compliant with reasonable common sense.

    2. Anonymous Coward

      Re: Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

      ... unemployed. unemployable.

      There, FTFY

    3. TRT Silver badge

      Re: Ahh, the compliance industry. Truly a gift of employment to those who would, otherwise be...

      To read the full text of this article, you will need to purchase the complete ISO framework reference document at a mere £100. To implement the contents of the article, you will need to purchase the compliance toolkit at £656 + VAT. And membership fees. And test booking fees. And sewerage charges. Oh, did I mention the deposit?

  2. Doctor Syntax Silver badge

    Years ago the corporation I then worked for had a massive IT security review put in place owing to the fact that they'd been very publicly embarrassed (I doubt the same cause/effect relationship operates today). As I was being eased out I got lumbered with our business's end of it; no problem, I knew where a few of the bodies were buried and managed to find a few more. It was a massive tick-box operation - exactly what you'd expect from an ISO-9000 driven organisation.

    The results of the first stage were reviewed by someone from security. We had words on account of my refusing to tick the box to the effect that bought-in software had no undocumented functionality. I pointed out that undocumented functionality would cover bugs* and suggested that if he wasn't happy he go and have a word with procurement to see if they could get statements to that effect from Microsoft etc. A little while later the review was signed off with the box still unticked. I heard later that the reviewer had no IT background; he was from physical security.

    And, as far as I know, none of the bodies were ever excavated.

    *I'm pretty sure that what was meant was that there were no time-bombs or back doors built in, this having been in the news not long before. They should have been a little more explicit when writing the document.

  3. fruitoftheloon

    A well known outsourcer

    Apols for AC, normally I don't do that...

    About 13yrs ago a well known UK outsourcer, that isn't currently terribly well regarded in the public eye (a little unfair I think), was exposed to a fraud in one of its financial services bits; dodgy folk ran off with £300k [or thereabouts]. This was in the public domain btw.

    I was asked to accompany the head of risk/audit to see the Group FD, whose response was [I quote] "I don't f'ing care what it costs, f'ing sort it and then get a proper risk mgmt system in across the whole group, NOW"

    Unfortunately he did mean NOW; well, we had the crux of it working in a few months, global rollout within 18 months.

    With 4 x n-tier environments, PROPER controls, it was in situ for [I think] 8yrs or so.

    It's amazing how snappy IT depts and young/keen ISVs can be, it probably helped that the budget was (we added it up afterwards) about £3.5m

    All of which & this article all contribute to me hopefully improving on the IT architecture and system design for my startup (IT budget about £100 a month)

  4. Anonymous Coward

    Four words

    Due diligence. Due care.

    Done right you have a chance of proving you tried when things (inevitably) go sideways. Amazing how little of both are actually done. The only metric these days seems to be time (i.e., do it fast).

    1. Doctor Syntax Silver badge

      Re: Four words

      The only metric these days always seems to be time

      And money. Do it fast and cheap.

      1. Charles 9

        Re: Four words

        And the GDPR now requires you do it RIGHT. So now you're assailed from ALL THREE corners. Investors want it cheap for RoI, competition forces you to do it fast to avoid being beat, and now the law forces you to do it right or get swamped by legal consequences.

        IOW, "Pick any TWO" is not an option anymore. Now it's All or Nothing.

      2. Tom Bell

        Re: Four words

        I'm reminded of the old adage

        Fast, cheap, good

        Choose any two.....

        1. Charles 9

          Re: Four words

          But like I said, that's not an option anymore. Now it's ALL or NOTHING.

  5. EnviableOne

    DPA wanted you to agree you do the right thing

    GDPR wants you to prove it

    1. Anonymous Coward

      Succinct, nice work

      Have an upvote, I really like that. Also in the article there's a phrase about "probably" checking security. Make that definitely: part of the GDPR deals with detection and disclosure, so you will need to be on top of that. No probably about it.

  6. Anonymous Coward

    Offhand

    The only thing I'd make explicit is "document, document, document." Document the compliance issues for your firm; document the requirements you derived from your list of issues (because reasons); document steps you've done to meet those requirements. If nothing else, you've covered your backside. Further, you hopefully won't be stuck in that job forever, turnover in IT being what it is, so your replacement will probably be kissing your toes as you go out the door. That and it'll still cover your backside after you've moved on. [Keeping several copies is also a good idea. Off-site!]

  7. Michael Felt

    Rules are made to be broken...

    When I was younger - I thought it meant I could break "the rules". My father, much wiser (and a law-maker) explained the purpose of a law is to restore balance where there is none, or more likely - status quo is getting out of balance.

    So, when a new law comes, or better a law is adjusted - it is like putting a new balance on a tire. Now the tire is balanced and travel is smoother. However, over time, wear and tear changes it in an unbalanced way. The collective balance, aka the law/rule, is broken.

    Another crucial point is that a law/rule be executable and/or enforceable. That is another story BUT I think it will be the key issue here - weights have been added - but not to the wheel and now we will be defending ourselves that we used the best measures ever - but the vehicle would not go straight when I held the course steady - and would not change course when I tried to take corrective action.

  8. Neil Charles

    Marketing

    "Marketing and sales are going to hate GDPR a lot more than IT."

    Marketing and sales are going to scream blue murder once they pay attention and/or stop pretending that GDPR isn't going to happen.
