
Security Standard Affectation and Bravado

I’m at a bit of a loss today.

I have recently discovered a new method of security management at another company. Rule by guesswork. There is an overwhelming number of policies and governance documents that we, as an industry, have to contend with, such as SOX, BASEL2, HIPAA and PIPEDA. Pick your poison. But the part that has me gobsmacked is the practice of quoting/invoking/referring to some of the aforementioned documents without ever having read a word of them.

It is something of a marvel.

The party in question quoted liberally, as if an authority, from a certain standard. I sat there with my jaw hanging open in utter confusion. The individual had just laid out in vivid detail the ins and outs of the standard and how it applied to their enterprise. The head nods around the table wagged in concurrence. I could feel the vein in my temple begin to throb and my throat became parched. I feebly raised the coffee to my lips all the while wishing it would spontaneously alter into a more appropriate elixir, say, Scotch perhaps? The sermon that was received by the masses was an absolute work of fiction. And no one at the table seemed to understand that. Except, yours truly.

I wondered if anyone else could hear that grinding noise. “Wait, it’s just me” I thought. It was my teeth.

(Insert Deity) help them if they ever get audited. It would be like watching a train wreck in slow motion.

How often do you (the readers) encounter this sort of co-mingling of affectation and bravado?
