Regulation Frustration

Take this quiz to find out if it's time for a risk assessment.
The term "malicious compliance" describes IT groups that comply, to the letter, with one or more standards while knowing that limiting their efforts to that letter is likely to harm the business. Of course, few security professionals set out to sabotage their employers. But being handed multiple regulations, many of them with nebulous guidelines, brings significant stress, especially when the cost of failure ranges from bad press to fines to your CEO doing the perp walk on national television.

To see whether you're simply doing the minimum required to fill in various compliance checklists and hoping for the best, take our quiz. If you answer "yes" to any of these questions, it's time for a risk assessment.

  • Is compliance your primary driver for security?

  • Do external or internal auditors influence your daily security objectives?

  • Is a regulation the framework for your overall security program?

  • Do you add ad hoc security controls based on customer/partner requests?

  • Are you using a regulatory checklist to gauge your security level?

  • Are you reactive, adding controls in response to failings rather than current threats, vulnerabilities, and risks?

  • Do you ask your auditor what the fines are before deciding whether to implement a control?

Return to the main story:
Compliance Is Just The Beginning
